10 Types of Vendor Risks to Monitor

The term "vendor risk" covers a wide range of risks your organization and customers face due to outsourced relationships with vendors and the products or services they provide. Understanding the nature of these risks and identifying them is an essential component of effective vendor risk management.

This blog post will review 10 types of vendor risks your organization should recognize and monitor, some of which are common, while others are lesser known. We’ll also cover four basic approaches to managing these vendor risks.

10 Common Types of Vendor Risks 

The following types of vendor risks are typically what your organization will see in vendor risk management:

  1. Strategic risk
    What it is: The risk that occurs when a prospective or current vendor's decisions and actions are incompatible with your organization's strategic objectives.

    Examples: The vendor is reluctant to invest time, money, or other resources to ensure they can provide your process, product, or service within budget, on time, and with sufficient quality. For example, a vendor that fails to invest in newer software might prevent your organization from achieving its strategic objectives, such as improving its service delivery time or developing a new product.
  2. Operational risk
    What it is: This risk occurs when a vendor’s product or service is necessary to maintain your daily operations. Your organization would be impacted if the vendor’s internal processes, people, controls, or systems failed or were ineffective.

    Examples: The vendor fails to resolve issues promptly, doesn't monitor quality or address quality failures, or doesn't sufficiently train employees. For example, an IT managed service provider that has outages or unplanned downtime could significantly impact your organization’s operations. 
  3. Business continuity risk
    What it is: This is a risk that occurs when an outside event negatively impacts a third-party vendor's ability to conduct business and impacts your organization as a result. This risk can happen when a vendor fails to test business continuity and disaster recovery plans and is unprepared for technology outages and failures. Business continuity risk is especially relevant to critical third-party vendors (those your organization depends on for essential products and services). 

    Examples: Natural disasters, severe weather events, fires, utility outages, civil unrest, cyberattacks, pandemics, military actions, or acts of terrorism can all affect the vendor’s abilities to perform business activities. For example, an outsourced data center located in an area prone to wildfires hasn’t tested its business continuity plan in over two years. This vendor would expose you to business continuity risk because it cannot verify whether its plans are still effective.   
  4. Compliance and regulatory risk
    What it is: This risk arises from a third-party vendor's failure to comply with the laws and regulations governing the products and services it provides to its customers.

    Examples: The vendor operates in a way that’s inconsistent with your organization's policy, program, and procedures. Additionally, the vendor participates in, or encourages, deceptive marketing practices and violates laws protecting consumer rights. For example, a vendor that delivers healthcare records to your customers must comply with HIPAA standards to keep information secure and private. This vendor could expose your organization to regulatory risk if it violated those standards.
  5. Information security risk
    What it is: This encompasses both cyber and physical security risk. Information security risk arises from a third-party vendor’s missing or ineffective controls. Cyberattacks and data breaches are two of the most common consequences of unmitigated cyber risk.

    Examples: Vendors may pose this risk if they process, transmit, or store your organization's or your customers' data. Your organization also faces risk if the vendor utilizes sensitive information in an unauthorized manner or doesn’t have third-party audits or certifications to evaluate their controls. For example, a data destruction vendor could expose your organization to cybersecurity risk if it failed to implement the proper controls around storage. Data that is improperly stored before destruction could be vulnerable to a breach.
  6. Financial and credit risk
    What it is: This risk directly relates to the financial condition of the third party itself and its inability to meet contractual obligations and provide products and services to your organization.

    Examples: The vendor has decreasing revenue due to canceled orders, loss of a major customer, more liabilities than assets, or a poor credit rating. Other examples might include insufficient investor funding, cash, or credit available to meet their contractual obligations. For example, if your vendor recently lost a major customer, there’s a possibility they’d have to reduce their budget in some areas like research or IT. Additionally, declining vendor financial health may result in the vendor not being able to meet their contractual requirements due to insufficient staffing or other resources. This could negatively impact your organization through increased strategic, operational, compliance, or cybersecurity risk.
  7. Reputation risk
    What it is: This risk covers a variety of ways in which your third-party vendor could directly or indirectly damage your reputation, brand, or name.

    Examples: This harm could result from their actions, poor service, lawsuits, outages, fraud, or data breaches. Your reputation could also be damaged if a third-party vendor misrepresents their relationship with you directly or through the use of your logos or company name. For example, a vendor that provides IT support for your customers has been getting complaints of poor service quality. Your customers associate the poor service with your organization, which could damage your reputation.

Keep in mind that risks can overlap in one or more categories. Let's say your vendor manages customer service information through a call center, and an employee uses customer information to commit fraud. That mishandling of data represents compliance and regulatory, operational, information security, and reputational risks.

3 Other Vendor Risk Types

There are other risk categories that you might consider as you identify and assess vendor risk. As with the more common vendor risk types, there is often overlap. These other types of risks include:

  1. Concentration risk
    What it is: This risk is closely related to business continuity risk, both of which are becoming a bigger focus area for regulators who see the significance of operational resiliency. It usually occurs when one vendor provides too many high-risk or critical services or when only one vendor in the marketplace provides critical products and services. This is also known as a single point of failure risk. Another definition of concentration risk is when a significant portion of your vendors' subcontractors are located in the same geographic area. The close proximity of vendors could cause additional business continuity risks if there were a natural disaster or another external event. 

    Example: One of your vendors provides 90% of your critical products and services and there’s no alternative in the marketplace that can serve your organization. This situation would create concentration risk because your organization would be significantly impacted if the vendor were to suddenly shut down. 
  2. Geopolitical risk
    What it is: This risk can occur when your vendor is located in a country or region vulnerable to political unrest, corruption, or human rights violations. The vendor's location could also be at risk of lax privacy and information security laws or other situations that could be harmful.

    Example: Political unrest may develop in a region where your vendor is located, causing them to be unable to sustain operations. As a result, the vendor faces a business continuity risk due to the country's unstable government.
  3. ESG (environmental, social, and governance) risks
    What it is: These risks occur when vendors violate environmental laws, treat people unfairly, or display poor corporate governance and behavior.

    Example: The vendor fails to identify and adequately prevent human rights violations in its supply chains. This neglect could expose your organization to compliance risk.

How to Manage Vendor Risks

Identifying risks is the first step, followed by determining how to handle them. There are four basic risk-handling techniques:

  1. Avoid: Don't perform the activity that presents the risk.
  2. Mitigate: Identify, implement, and test controls that can effectively reduce the risk's occurrence, likelihood, or severity.
  3. Transfer: You can transfer the financial impact of the risk through insurance policies or indemnification language in your contract. It’s important to note that even though you can transfer some of the financial impact, your organization is always responsible for the risk.
  4. Accept: It isn't possible to eliminate all risks. In some situations, the potential benefits outweigh the risks, and all organizations have to take on some level of risk.

Your organization must decide for itself which risk-handling technique is most appropriate. This will depend on a variety of factors including your organization’s risk appetite and strategic goals, and whether the vendor’s controls are considered effective. Deciding how to manage risk is generally a collaborative process between different stakeholders such as senior management, third-party risk teams, and subject matter experts. Whatever you decide, it’s important to validate and document your reasoning for future audits or exams.

In summary, identifying your vendor risks by type is a helpful method to determine what treatment of the risk might be necessary and what levels of risks are not acceptable. Remember that vendor risk profiles may change over time, so monitoring the vendor and reviewing their risk levels and types periodically is essential to determine whether you need to implement a different technique further down the road. 
