How to implement vendor risk management

Last updated: 2024-03-09

How do you implement a vendor risk management program? 

Implementation of a VRM program depends heavily on the size of your organization and the scale of your vendor management program. That said, most program implementations follow a common methodology.

Step 1: Select software 

Understand your use case and software requirements

Step 2: Train your team 

Review key functionality and understand how the software can meet your goals. 

Step 3: Build your vendor inventory 

Import an existing vendor list (if you have one) and configure the attributes you’d like to track for each vendor. If you don’t have an existing vendor list, there are a few methods you can use to identify and onboard vendors, such as conducting vendor discovery assessments or leveraging a self-service portal for business users.  

Step 4: Classify your vendors 

With dozens, hundreds, or even thousands of vendors, it’s difficult to know which ones matter most. Many vendor risk teams solve this problem by classifying their vendors into different tiers. The most commonly applied tiers are: 

  • Tier 3 vendors: Low risk, low criticality 
  • Tier 2 vendors: Medium risk, medium criticality 
  • Tier 1 vendors: High risk, high criticality 

Step 5: Choose your assessment framework 

There are many assessment standards or frameworks to choose from. There is no “right” assessment that works for everyone. However, there is likely a “right” assessment framework for your company and industry. Common industry assessment standards include:

There are also standards for specific industries, including: 

We’ll explore these standards and frameworks in more detail later on. 

Step 6: Develop your assessment methodology

When developing your assessment processes, it’s important to consider the following questions:

  • How do you know when a new vendor assessment is required? 
  • Who should have the ability to launch a vendor assessment? 
  • Who reviews the assessments? 
  • How much effort do you want to put into validating assessment answers? 
  • Which assessment questions generate risks? 
  • How are flagged risks aggregated and reported on? 
  • Are follow-up assessments needed based on initial assessment responses? 
  • How often do you need to reassess your vendors? 
  • Will you conduct assessments yourself, or would an assessment exchange work for you? 

When considering how you want to validate assessment answers, it is important to understand your options. For low-risk vendors, many companies accept a vendor self-attestation (in which the vendor “attests” to the accuracy of its own answers). Keep in mind that a self-attestation is unverified, so it is only appropriate where an inaccurate answer would have limited impact. For medium- to high-risk vendors, companies take a more intensive validation approach, such as reviewing supporting evidence or conducting an onsite audit. With remote work now a part of day-to-day business, many organizations opt for remote audits instead of going onsite. Your business should be prepared for both types of audit.

Step 7: Define your risk methodology and control framework 

Every VRM program needs a way to calculate risks. Your risk methodology, along with your chosen control framework, must be defined internally by your organization. Many companies use a risk matrix with impact and probability as the axes, scoring each risk by where it falls on the matrix.

Alternative methodologies can be as simple as flagging risks as high, medium, or low.

Step 8: Create automation workflows & triggers 

As you outline different VRM workflows, consider where you can apply automation to save time. Many vendor management professionals add automation when: 

  • Adding and onboarding new vendors
  • Measuring inherent risk and tiering vendors
  • Assigning risk owners and delegating required mitigation actions
  • Triggering vendor performance or renewal reviews
  • Triggering yearly vendor reassessments
  • Sending notifications to key stakeholders
  • Scheduling, running and sharing reports

Every business has unique vendor risk management workflows. To streamline these workflows, focus on identifying the most repeatable processes and tasks. Then, begin configuring automation for these specific aspects of your workflows. As each smaller automation is added, efficiency will compound, and your team will reap the time-saving rewards.
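The tiering in Step 4, the impact-by-probability matrix in Step 7 and the reassessment triggers in Step 8 fit together into one small workflow. The following is an added example written for this page, not OneTrust product code or the reference implementation of any standard: it scores each vendor service on a 5x5 impact/likelihood matrix, maps the score to a tier, and decides whether a reassessment is due, either because the tier's cadence has elapsed or because a trigger event (the kind listed under Tip 5 later on the page) has occurred. The 5x5 scale, the tier cut-offs, the cadence per tier, the validation approach per tier, the trigger-event names and the sample vendor inventory are all assumptions chosen for the example.

```python
"""Inherent-risk scoring, tiering and reassessment triggers for a VRM workflow.

Illustrative code written for this page; it is not OneTrust's product code or
the reference implementation of any standard. The 5x5 matrix, tier cut-offs,
reassessment cadence, validation approach per tier and trigger-event names are
all assumptions chosen for the example; a real program defines them internally.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SCALE = range(1, 6)  # assumption: impact and likelihood each rated 1..5

# Tier cut-offs on impact * likelihood (1..25): (minimum score, tier). Assumed.
TIER_CUTOFFS = ((15, 1), (8, 2), (1, 3))
LEVEL_BY_TIER = {1: "high", 2: "medium", 3: "low"}

# Assumed reassessment cadence (days) and validation approach per tier.
REASSESS_INTERVAL_DAYS = {1: 365, 2: 730, 3: 1095}
VALIDATION_BY_TIER = {1: "audit", 2: "evidence review", 3: "self-attestation"}

# Events that force a reassessment regardless of cadence. Assumed names.
TRIGGER_EVENTS = {
    "merger_or_acquisition", "internal_process_change", "negative_news",
    "business_continuity_event", "product_update", "new_regulation",
    "employee_reduction",
}

# Reporting date used by the sample run below (the page's "last updated" date).
REPORT_DATE = date(2024, 3, 9)


def risk_score(impact: int, likelihood: int) -> int:
    """Cell of the impact x likelihood matrix; rejects out-of-scale ratings."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError(f"ratings must be in {SCALE.start}..{SCALE.stop - 1}")
    return impact * likelihood


def tier_for_score(score: int) -> int:
    """Map a matrix score to Tier 1 (highest risk) .. Tier 3 (lowest risk)."""
    for minimum, tier in TIER_CUTOFFS:
        if score >= minimum:
            return tier
    return 3


@dataclass
class Vendor:
    name: str
    service: str  # scored per service, not per vendor: same vendor, different risk
    impact: int
    likelihood: int
    last_assessed: Optional[date] = None
    events: set = field(default_factory=set)

    @property
    def score(self) -> int:
        return risk_score(self.impact, self.likelihood)

    @property
    def tier(self) -> int:
        return tier_for_score(self.score)


def reassessment_due(vendor: Vendor, today: date):
    """Return (due, reason). Trigger events take precedence over the cadence."""
    if vendor.last_assessed is None:
        return True, "never assessed"
    triggered = sorted(vendor.events & TRIGGER_EVENTS)
    if triggered:
        return True, "event: " + ", ".join(triggered)
    due_on = vendor.last_assessed + timedelta(days=REASSESS_INTERVAL_DAYS[vendor.tier])
    if today >= due_on:
        return True, f"cadence: tier {vendor.tier} reassessment was due {due_on}"
    return False, f"next due {due_on}"


def summarize(vendors, today: date) -> dict:
    """Dashboard counts by tier plus the queue of assessments to launch."""
    by_tier = {1: 0, 2: 0, 3: 0}
    queue = []
    for v in vendors:
        by_tier[v.tier] += 1
        due, reason = reassessment_due(v, today)
        if due:
            queue.append((v.name, v.service, v.tier, VALIDATION_BY_TIER[v.tier], reason))
    return {"by_tier": by_tier, "queue": queue}


# Constructed sample inventory (not real assessment data).
SAMPLE_VENDORS = [
    Vendor("Amazon", "office supplies", 1, 2, date(2023, 1, 1)),
    Vendor("Amazon Web Services", "application hosting", 5, 3, date(2023, 1, 1)),
    Vendor("Payroll provider", "payroll processing", 4, 2, date(2024, 1, 15),
           {"merger_or_acquisition"}),
    Vendor("Analytics SaaS", "marketing analytics", 3, 3),
]

if __name__ == "__main__":
    report = summarize(SAMPLE_VENDORS, REPORT_DATE)
    print("vendors by tier:", report["by_tier"])
    for name, service, tier, validation, reason in report["queue"]:
        print(f"launch {validation} for {name} ({service}, tier {tier}): {reason}")
```

Two design points are worth noting. Scoring is attached to a vendor's service rather than the vendor record, so the same company can appear as a Tier 3 supplier for one service and a Tier 1 provider for another. Trigger events are checked before the calendar cadence, so a merger or a negative-news event on a vendor assessed last month still lands in the queue, and the validation approach that goes with the queue entry follows the tier, not the event.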

Step 9: Build your reports & dashboards 

Every third-party risk professional has a wish list of reports and analytics they’d like to have access to. There’s no better time to make this data accessible than during a VRM program implementation.  

So, ask yourself, what are your current reporting requirements? What information would be helpful to display in a dashboard? 

The most straightforward metrics often tracked include: 

  • Total number of vendors 
  • Vendors by risk score or level 
  • Status on all vendor risk assessments 
  • Number of expiring or expired vendor contracts 
  • Risks grouped by level (high, medium, low) 
  • Risks by stage within the risk remediation workflow 
  • Risks to your parent organization and risks to your subsidiaries 
  • Risk history over time 

Step 10: Refine your program over time 

Vendor risk management is not a static discipline. New threats and requirements are constantly emerging, which is why it’s so important to take a step back from time to time to determine if your program is still hitting the mark. If not, why and what can you do about it? 

What is the vendor risk management lifecycle? 

The vendor risk management lifecycle is how a vendor relationship progresses over time. In some cases, VRM is actually referred to as “vendor relationship management,” which describes the ongoing engagements that businesses have with their vendors. The VRM lifecycle consists of the following stages: 

  • Vendor identification 
  • Evaluation & selection 
  • Risk assessment 
  • Risk mitigation 
  • Contracting and procurement 
  • Reporting and recordkeeping 
  • Ongoing monitoring 
  • Vendor offboarding 

The vendor risk management lifecycle is sometimes referred to as the “third-party risk management lifecycle,” which we break down in much greater detail here.

How do I conduct better vendor risk assessments? 

A vendor risk assessment, or third-party risk assessment, is a questionnaire that companies use to “assess” and vet their current and future vendors. 

The risk assessment process is designed to identify and evaluate the potential risks of working with a vendor. This is done by assessing a vendor’s security controls, values, goals, policies, procedures, and other contributing factors. In doing so, businesses are able to determine if the rewards outweigh the risks of working with the third party. 

Conducting thorough risk assessments is critical to the success of your vendor risk management program. So, what best practices can you put in place to improve your assessments? Below are 5 tips to help improve your assessment process.

Tip 1: Determine which risks you care about 

Prior to assessing your vendors, it’s important to take a step back and think about which risks matter most to your organization. These risks can come in many forms and can include: 

  • Strategic Risk (how does the vendor’s strategy align with yours?) 
  • Cybersecurity Risk 
  • Financial Risk 
  • Compliance Risk 
  • Geographic Risk 
  • 4th-Party Risk 
  • Replacement Risk (how difficult is it to replace the vendor?) 
  • Operational Risk 
  • Privacy Risk 
  • Reputational Risk 
  • Business Continuity Risk 
  • Performance Risk 
  • Environmental Risk 
  • Concentration Risk (How reliant are you on an individual vendor?) 

The specific risks you decide to track will depend on your organization and your VRM program goals. Many companies do not track all of the risks listed above. Most will select the top 4-5 risk categories that matter most to their business. Measuring too many types of risks can become overwhelming. That said, the most mature VRM programs can get very granular with the types of risks they track, and in doing so, will have a greater understanding of their company’s overall risk exposure as it relates to third parties. 

Tip 2: Assess your vendors’ products and services

Most of the vendors you work with have a number of different products or services. Each of these individual products or services can have different security measures in place, making the risks they pose unique (even if it’s the same vendor). 

For example, Salesforce CRM and Salesforce Pardot are two separate products sold by Salesforce. In this case, the vendor is Salesforce; however, the products (CRM vs. Pardot) each have their own separate compliance certifications and a different set of implemented security controls.

What’s more, how you use one service may be totally different than how you use another. For example, you may use Amazon to order supplies for your business. In this case, Amazon could be considered a low-risk vendor. On the other hand, you may also rely on Amazon Web Services to host your cloud-based application, which would present a much greater risk. 

Tip 3: Automate your vendor assessment process 

Like any repeatable process, you can automate the actions involved in conducting assessments. Review internal procedures to identify areas in your assessment workflow that can be done automatically. Automation examples include auto-flagging risks, assigning risk owners, and triggering reassessments based on a newly identified risk or an expiring contract. 

Tip 4: Make responding to assessments easy for your vendors 

Getting a vendor to answer an assessment can be a painstaking process. Consider how you can make the process easier for your vendors. For example, enable them with free questionnaire response automation tools, or encourage them to participate in a risk exchange. 

Tip 5: Monitor vendors for reassessment 

Risks can change over time. So, what risk-inducing events might require a reassessment of a vendor? New risks often arise from the following events: 

  • Mergers, acquisitions, or divestitures 
  • Internal process modifications 
  • Negative news or unethical actions 
  • Natural disasters and other business continuity triggering events 
  • Product updates 
  • New regulations 
  • Employee reductions 


What are risk exchanges and how can they help me with my vendor risk assessments? 

A risk exchange (or Third-Party Risk Exchange) helps facilitate the “exchange” of vendor risk assessments, as well as other documentation and evidence. 

With an exchange, you can access a vendor’s pre-completed risk assessments. These assessments are typically based on an industry standard, such as NIST, ISO, or SIG Lite.

A risk exchange can improve your VRM program by enabling you to get your vendor assessments done faster, as well as eliminating the time-consuming, assessment-related work that ties up your team and takes resources away from other strategic projects. 

For your vendors, risk exchanges save them significant time by enabling them to re-use their completed questionnaires over and over again. Through the exchange, they can share the same assessment with dozens of companies at the same time. 

Ultimately, risk exchanges enable you and your vendors to work together to collectively make the vendor risk assessment process better for everyone involved. 

What are the benefits of vendor risk management software? 

VRM software helps organizations build and automate their vendor risk management program. Ultimately, vendor risk software helps you onboard third parties, evaluate them, identify and mitigate their risks, monitor vendor changes over time, and offboard third parties when necessary, all while maintaining adequate records to demonstrate compliance. When leveraging VRM software, automation can provide a rapid return on investment (ROI). Additional benefits of vendor risk management software include:

  • Increased security 
  • Increased consumer trust 
  • Greater time and cost savings 
  • Reduced repetitive work 
  • Better vendor visibility 
  • Streamlined vendor evaluation and onboarding 
  • Faster risk assessments 
  • Improved reporting and analytics 
  • Simplified recordkeeping 
  • Reduced risks associated with vendors 
  • Improved vendor relationships and performance 
  • Less time spent in spreadsheets 


How can OneTrust help?

The OneTrust platform leverages expertise in GRC, specializing in Third-Party Risk Management, Privacy, Incident Management and many other categories, to deliver an immersive security and privacy management experience. Reduce your vendor, supplier, and third-party risks with OneTrust Third-Party Management software and the Third-Party Risk Exchange. The software enables you to run compliance checks and screen vendors. Additionally, it empowers organizations to conduct vendor risk assessments and mitigate risks through highly customizable workflow automation. The OneTrust Third-Party Risk Exchange gives businesses access to risk analytics and control gap reports on vendors, and gives vendors a place to centralize their compliance details and share them easily with thousands of OneTrust customers.