As the year begins to wind down, our thoughts turn to the holidays, the time-honored traditions, and delicious recipes used in our celebrations. But, when it comes to third-party risk management, we should also be thinking about our annual critical vendor risk reviews.
As with holiday preparations, critical vendor risk reviews require proper planning, preparation, and the right tools. Without these reviews, your organization is more exposed to financial, operational, and reputational harm.
So, what is the secret to effective annual vendor reviews, especially for critical vendors? What ingredients and tools should you use? How do you get the best results? If you're asking any of these questions, we've prepared a foolproof recipe for your annual critical vendor risk reviews.
Recipe: Critical Vendor Annual Risk Review
Yield: Effective vendor risk assessment
Prep time: 1–2 weeks
Review time: Varies with the vendor and with subject matter expert availability; plan for at least 1–2 hours per risk domain.
Estimated Total Time: 1–4 weeks
Necessary Tools and Supplies
- Experienced subject matter experts (SMEs) for each identified risk domain
- Comprehensive vendor risk questionnaire
- Centralized document repository (TPRM system) for vendors and subject matter experts
- Current vendor contract
- Vendor performance against SLAs
- Documented vendor services issues or downtime and impacts (if any)
- Open vendor issues and required remediations
- Your notes documenting vendor conversations regarding performance, issues updates, etc., for the past year.
- Information on any new products, services, or updates that the vendor has rolled out over the last 12 months
- Stakeholder feedback regarding the vendor
Ingredients
1 updated vendor risk assessment questionnaire
1 set of vendor business continuity and disaster recovery plans and test results
1 set of audited vendor financials or their most recent financial reports
1 set of third-party audit reports, such as a SOC 2 Type II
1 large bunch of assorted information security documents, such as penetration test results, network diagrams, patching schedules, and access management procedures (the specific documents depend on the type of sensitive data the vendor handles and on how that data is accessed, processed, transmitted, or stored)
1 list of vendor's critical third parties
1 collection of vendor policies and procedures covering compliance, information security, privacy, human resources, third-party risk management, etc.
Ingredient Notes: When it comes to these ingredients, freshness matters! Ensure you have the most current version of all your vendor's documents and information. Be wary of vendor documents that haven't been updated (or at least reviewed) in the last year. If the vendor's SOC report covers a period that ended more than 12 months ago, request a bridge letter covering the gap: it should state that there have been no material changes to the control environment since the end of the report period (or describe any changes that occurred) and indicate when the next report is expected. Keep in mind that a bridge letter is management's own assertion, not an auditor's opinion, so it should cover only a few months, not substitute for a new report.
Using old and stale ingredients can cause your review to collapse in the middle, requiring you to start over.
Mise en place (French pronunciation: [mi zɑ̃ ˈplas]) is a French culinary phrase meaning "putting in place" or "gather," and is often used in professional kitchens to refer to the organizing and arranging of tools and ingredients that must take place before cooking.
This concept is wholly appropriate for your annual vendor risk review. Ensuring that you have everything you need before you start is a best practice that reduces the time the review takes. In the case of an annual vendor risk review, applying mise en place shows respect for your subject matter experts' time and makes the most of your other resources.
- Begin by notifying the vendor of the annual review.
- Instruct the vendor to review or update the vendor risk questionnaire and submit it to you through your TPRM system or another specific data repository.
- Provide the vendor with the complete list of due diligence documents or other information your SMEs will need to validate the sufficiency of the vendor's controls. Request they gather and return this information by a specific date. Set your timer! (Usually 5-10 business days)
- While you’re waiting for your vendor to respond, review the contract and the vendor's performance against service level agreements. Did they meet all necessary SLAs? If not, why? Document any findings.
- Review your vendor's performance overall. Were there any missed key performance indicators (KPIs)? How well and how often does the vendor communicate? If there were any issues, how did the vendor resolve them? Was remediation timely and thorough?
- Examine any changes to the vendor's product or services, management structure, or industry over the last year. Check thoroughly for new and emerging issues.
- Remember to summarize your findings and document them. Risk reviews aren't just for validating controls. They’re also for identifying any risk or performance issues that might be present in the relationship.
- Once your vendor has responded to your request, you should have all your ingredients prepped and organized. If the vendor can’t provide all the ingredients, consult your SME about acceptable substitutions.
- Confirm the receipt of materials to the vendor and alert the SME that the documents are ready for review.
- It’s time to let your SMEs work their magic. At this point, they’ll take the vendor risk questionnaire and due diligence documents for review.
Although a well-deserved coffee at this point is tempting, stay aware and available in case the SMEs need additional information from the vendor or have questions.
- Keep your eye on the time, and check in with the SME if the review is taking longer than anticipated to "bake." Cooking times will vary depending on the number and complexity of risks and controls to be reviewed.
- At the conclusion of the SME review, you should have a report detailing the risks and controls reviewed, the sufficiency of the controls, and any issues or findings that were discovered in the process. Combine that report with your summary information to determine the safety and soundness of your critical vendor. If all is well, you can package your finished masterpiece to present in your next risk committee meeting and include it in board reporting.
Troubleshooting: If material issues were discovered during the risk review process, there are some important steps for you to complete.
- Inform senior leadership and the board; because this is a critical vendor, they need to know
- Determine if issue remediation is possible. If so, document the plan and timing for completing the remediation
- Review your critical vendor's exit strategy and plan to ensure it’s current and actionable in case a vendor termination becomes necessary
- Amend the contract by adding language (if possible) stating the required remediation actions and date
- Monitor progress
Conducting an effective annual risk review for your critical vendor is like making your favorite holiday treats. It takes preparation, the right tools, ingredients, hard work, and patience. Still, your efforts pay off when you and your organization can confirm your critical vendors are still safe and sound partners.