Prioritize Continuous Vendor Risk Monitoring

Before you can begin monitoring vendor risk, you'll need to identify the types and amounts of risk in the relationship. In other words, what kinds of risks does this vendor pose to your organization and how severe are those risks? 

Initial Vendor Risk Identification 

• Inherent risk assessment – The first step you must complete before selecting and onboarding the vendor to your organization. Inherent risks naturally occur within a product or service, and don’t yet consider any future controls you might apply. The results of an inherent risk assessment should include a rating, usually on a scale of low, moderate, and high. The vendor's criticality will also need to be considered, which means you must determine the impact on your organization if the vendor fails or goes out of business.
• Due diligence – Once you've completed the initial risk assessment, you'll use that information to scope your risk-based due diligence. Your organization should collect and/or review certain vendor information, such as legal name, address, tax ID number, and liability insurance. Critical vendors or those with high inherent risk will require additional, more robust due diligence. Some items to review might include audited financial statements and a list of your vendor's critical subcontractors.

Importance of Continuously Monitoring Vendors

Periodic re-assessments are an important step to officially document risk at pre-determined intervals. Generally, this varies between every year for critical and high-risk vendors and every two to three years for low-risk vendors. However, it's important to continuously monitor vendor risk to protect your organization from new and changing risks. Failure to monitor risk can leave you unnecessarily exposed until your next re-assessment. 

Here are some criteria that should be considered in your continuous monitoring activities:

• Consistency – A consistent, point-in-time view of a risk profile can be a valuable comparison tool between two or more vendors that provide the same product or service.
• Holistic – In addition to monitoring each risk domain individually, it may be beneficial to take a holistic view of the entire vendor risk profile. This enables your risk committees, board and senior management to make better vendor product and service decisions. 
• Purposeful – You may not always know what vendor risk monitoring will reveal. Still, the information you gain should always be used for a purpose. The data might be used to drive more due diligence or highlight any risk domains that should have an increased focus. Vendor risk monitoring can also help save time by reaffirming that certain risk domains can be excluded from due diligence or further monitoring activities.  

If you don’t have unlimited resources, consider how you can streamline the process of identifying and monitoring risks. Doing so will help ensure that your vendor risk profiles remain accurate with up-to-date information.