6 Phases of Conducting a Vendor Risk Assessment

May 13, 2020 by Gordon Rudd, CISSP

There’s no way around it. Risk assessments are work. There are a lot of moving parts and a lot of pieces of information to take into consideration. Like much of life today, it’s good to take a step back and understand the full scope of the endeavor. It can be helpful to take a phased approach to the vendor risk assessment process.

The purpose of this blog is to help you find a starting place in the vendor risk assessment process while also reviewing the phases to help create stronger risk assessments for your organization. Let’s discuss the six phases further.

Phase 1: Develop a specific list of requirements for the outsourced product or service under review

The first phase I always recommend in any assessment of risk for a vendor begins with the lines of business and the vendor management team, working together to develop a set of requirements for the product or service they would like to onboard. You wouldn’t believe how many times organizations are attracted to the shiny new thing and forget to ask if the proposed product or service will meet the line of business’ needs. In some cases, we may find they already have a product that fulfills the need.

For the vast majority of small to medium-sized organizations in the world, a simple list of requirements will suffice if you’re in the vendor selection phase. This isn’t a time to seek perfection. Analysis paralysis will kill you here. You’re shooting for “good” not “great” with your list of requirements at this point. Connect with your lines of business and focus on 10 to 25 general requirements. These will be items such as the ability to maintain document storage and the ability to host your document imaging cold storage.

Tip: Make sure to send out a Request for Information (RFI) to your list of potential vendors. Send your Request for Proposal (RFP) once you know which vendors can perform all the requirements on your list. Once you have your potential vendors’ information, send them a preliminary questionnaire to determine whether they are what they represent themselves to be.

Phase 2: Determine the vendor’s criticality (business impact risk) and if they’re high risk from a regulatory risk standpoint

You don’t want to fall into the trap of trying to assess the risks at the highest level for 100% of your vendors. That is a waste of resources for most organizations. Quickly assess whether the vendor is critical or high risk. Part of this process requires understanding what information and data the vendor will have access to, and whether that includes proprietary or non-public personal information (NPI).

You may have a vendor who provides a critical service but would be categorized as having a low-risk level, such as a phone company. A critical vendor won’t always be high risk. They CAN be moderate or low risk.

These questions should guide you through this portion of the process:

  • Will the sudden loss of this vendor cause a significant disruption to our business? If yes, this is a critical vendor.

  • Will the sudden loss impact our customers? If yes, this is a critical vendor.

  • Will this vendor have access to proprietary information? This refers to any customer information (or any form of non-public personal information or health care information). If yes, then this is at least a high-risk vendor.

Phase 3: Assess vendor risk(s) in multiple areas

If you’re in a regulated industry (practically speaking, we’re all in regulated industries) you’ll need to assess any additional risk from the proposed vendor not meeting regulatory requirements. This is where you begin to bring in the long list of risks that fall into the categories of strategic, operational, reputational, credit, financial, regulatory risk and more.

Tip: Some of the best resources for more information around this topic can be found in guidance such as FDIC FIL 44-2008 or OCC Bulletin 2013-29.

Phase 4: Assess the project risks

At this point, you’ll want to narrow your list of potential vendors down to no less than three and no more than five. Send these vendors on your “short-list” a Request for Proposal with more questions. When you have all the RFPs back, cull your list down to two or three vendors. Remember, no more than three!

When you have RFPs from the vendors on your short list, determine the project risks posed by working with the vendor. Until you have a proposed solution in your hands, you cannot evaluate the project’s risks. You may hear people on the vendor side say they’ve done this 1,000 times and been successful every time. Talk is cheap. Your line or lines of business that will be onboarding and using the chosen vendor must help you determine your organization’s risk level in this phase.

To do this, determine the vendor’s level of inherent risk, assign a level of risk and then work to mitigate the inherent risk. You’ll also need to determine the inherent risk at the vendor level and product/service level. To reiterate (because really, it’s that important), this means you’ll have two assessments – one of the vendor as an entity and one of the product/service being provided.

Once you’ve identified your critical and non-critical vendors and assigned a level of risk, you can now look at ways to reduce the inherent (initial) risk and determine the residual risk. You can do this by monitoring those high and moderate-risk vendors a bit more closely, or even requesting additional due diligence in certain areas of a vendor’s contract. This is called “mitigating risk” and ultimately, it’s this process which leaves you with the residual risk for your vendor(s). Ultimately, during your review of potential vendors, you must get to a point where you’d feel comfortable with the risk posed to your organization by outsourcing a product or service to them.
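The Phase 2 tiering questions and the Phase 4 inherent-to-residual step in working form, as an added example (not the author’s or Venminder’s tooling): the decision rules come from the text, while the three-step low/moderate/high scale, the one-step reduction per named control and the sample vendors are constructed assumptions. It keeps the two assessments the article insists on (vendor as an entity, and the product/service) separate, and shows that a critical vendor can still be low risk.

```python
"""Vendor tiering, inherent/residual risk and a register report.

Added illustration, not the article's or Venminder's tooling. The three
criticality/risk questions and the two controls come from the text; the
numeric scale, the reduction per control and the sample vendors are
constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed three-step scale; the article names the tiers but gives no numbers.
LOW, MODERATE, HIGH = 1, 2, 3
LABEL = {LOW: "low", MODERATE: "moderate", HIGH: "high"}

# Hypothetical control catalogue: each control lowers a rating by one step.
# Both controls are the ones the article names as ways to reduce inherent risk.
CONTROLS = {
    "enhanced_monitoring": 1,        # watch high/moderate vendors more closely
    "contractual_due_diligence": 1,  # extra due diligence written into the contract
}


@dataclass
class Vendor:
    name: str
    disruption_on_loss: bool          # sudden loss significantly disrupts the business?
    customer_impact_on_loss: bool     # sudden loss impacts our customers?
    accesses_npi: bool                # access to proprietary, NPI or health-care data?
    entity_baseline_risk: int = LOW   # entity-level rating from the Phase 3 review (assumed input)
    service_inherent_risk: int = LOW  # product/service-level inherent rating (assumed input)
    mitigations: list = field(default_factory=list)


def is_critical(v: Vendor) -> bool:
    """Phase 2: a 'yes' to either loss question makes the vendor critical."""
    return v.disruption_on_loss or v.customer_impact_on_loss


def entity_inherent_risk(v: Vendor) -> int:
    """Phase 2: NPI access makes the entity at least high risk. Criticality is
    not an input here, so a critical phone company can still be low risk."""
    return max(v.entity_baseline_risk, HIGH if v.accesses_npi else LOW)


def residual_risk(inherent: int, mitigations) -> int:
    """Phase 4: apply each control's reduction, never dropping below LOW."""
    reduction = 0
    for name in mitigations:
        if name not in CONTROLS:
            raise ValueError(f"unknown control: {name}")
        reduction += CONTROLS[name]
    return max(LOW, inherent - reduction)


def assess(v: Vendor) -> dict:
    """Produce both assessments (entity and product/service) plus the
    annual-reassessment flag the article sets for critical or high-risk vendors."""
    ent_inh = entity_inherent_risk(v)
    svc_inh = v.service_inherent_risk
    critical = is_critical(v)
    return {
        "vendor": v.name,
        "critical": critical,
        "entity_inherent": LABEL[ent_inh],
        "entity_residual": LABEL[residual_risk(ent_inh, v.mitigations)],
        "service_inherent": LABEL[svc_inh],
        "service_residual": LABEL[residual_risk(svc_inh, v.mitigations)],
        # Assumption: "high-risk" here means the higher of the two inherent ratings.
        "reassess_annually": critical or max(ent_inh, svc_inh) == HIGH,
    }


def register_report(vendors) -> list:
    """Phase 5: one row per vendor, critical/high-risk rows first, then by name."""
    rows = [assess(v) for v in vendors]
    return sorted(rows, key=lambda r: (not r["reassess_annually"], r["vendor"]))


# Constructed sample vendors.
PHONE_COMPANY = Vendor("Phone company", True, True, False)
IMAGING_HOST = Vendor("Document imaging cold-storage host", True, False, True,
                      entity_baseline_risk=MODERATE, service_inherent_risk=HIGH,
                      mitigations=["enhanced_monitoring"])
SWAG_SUPPLIER = Vendor("Promotional items supplier", False, False, False)

if __name__ == "__main__":
    for row in register_report([PHONE_COMPANY, IMAGING_HOST, SWAG_SUPPLIER]):
        print(row)
```

Run it and the phone company comes out critical but low risk on both assessments, while the imaging host is critical and high risk until the monitoring control brings both residual ratings down one step.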

Phase 5: Document Your Process

As the vendor risk assessment process draws to an end, don’t forget to document along the way. Make sure to include details around your risk categories, inherent and residual risk shifts as well as any steps taken to help reduce risk. You’ll also want to track your results and create an easy-to-read risk assessment report for all your current third-party vendors. Remember the audit adage – “If it isn’t documented, it didn’t happen.”

Phase 6: Ongoing Updates

Last but certainly never least, reassess risk periodically, collect and update due diligence information, and make sure you’re continually reviewing your vendors. Work with the line of business that owns the vendor relationships (and any other lines of business that have workflow or data-flow touch points with the vendor) to help you review your initial risk assessment of the product or service, and create an updated risk assessment. If it’s a critical or high-risk vendor, you should reassess at least annually. And, certainly, if a significant event occurs, such as a policy change or new regulation, get in there and reassess the risk. There are always new regulations, and part of a solid risk assessment program is staying abreast of important changes to regulatory guidelines.

Remember, our goal in assessing risks is to identify the potential risks, determine ways to mitigate the risks we’ve identified and then determine the residual risk after mitigation. Once we’ve accomplished all of this: rinse and repeat (at least annually).


Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.
