The 5 “W’s” of Vendor Risk Management

November 23rd, 2020 Kimberley Allan Reading Time: 6 minutes
In today’s dynamic operating environment, where significant new challenges emerge frequently, vendor risk monitoring is getting more attention than ever from regulators, senior management, and the board of directors. In recent years, vendor risk events have disrupted supply chains, caused IT meltdowns, resulted in data privacy breaches, and impacted organizations in many other ways.

In short, poor vendor risk management (VRM) can, and regularly does, prevent organizations from achieving their strategic goals, including delivering business value.

This blog explores the 5 “W’s” of vendor risk management and monitoring to provide a richer understanding of the benefits of vendor risk management for organizations. It’s necessary to articulate these 5 “W’s” clearly so that stakeholders across the enterprise engage proactively with vendor risk management and support that team’s work.

1. Why Is Vendor Risk Management Important?

Vendor risk management specifically focuses on managing the risks the organization faces in its vendors’ relationships.

Third-party risk management takes the discipline of vendor risk management and applies it more broadly. Third-party risk management encompasses all of the third parties an organization engages with, including direct and indirect suppliers, partners, agents, consultants, and government agencies.

Therefore, vendor risk management is often thought of as a subset of third-party risk management. In today’s digital environment, vendor risk management could be considered a critical element of third-party risk management.

A comprehensive and effective risk management strategy is essential for minimizing reputation risk. It establishes an organization’s trustworthiness, an essential factor in business success, and reduces the potential impact of risk events on the organization’s goals and operational continuity.

Along with those achievements, an effective vendor risk management program allows organizations to identify and react to new risks, hold vendors to their contracts, reduce spending by identifying redundant third parties, comply with industry and global regulatory requirements, and more.

Vendor Risk Management Examples

Vendor risk management is essential to ensuring business continuity. A recent study conducted by Ponemon Institute found that 54% of organizations reported experiencing a data breach caused by one of their third parties in the last 12 months.

There are endless real-world and recent examples that showcase the importance of vendor risk management, such as:

Events such as these separated organizations with proper vendor risk management strategies from those without. Those with a proper VRM program can reduce disruptive events’ impact and the company’s overall risk exposure.

2. Who Is Responsible for Vendor Risk Management?

Everyone related to risk management functions is responsible for vendor risk management, from those who work day-to-day with the vendor and directly manage the vendor relationship to those in compliance, risk, and audit, all the way up to senior management and the board.

Aravo’s Meeting Expectations Of The Board eBook explores the important role that this governance body plays in setting the strategic direction for the vendor risk management program and monitoring its ongoing effectiveness.

How Do You Assess a Vendor’s Risk?

Risk exposures are inherent across all business levels, from multinational corporations to nonprofits and small businesses. Each of these entities, regardless of size or sector, faces the potential for significant losses or penalties if they fail to comply with relevant regulations.

Consequently, implementing a comprehensive vendor risk assessment process is beneficial and necessary for tracking and managing your company’s risk exposure.

Here are some steps one could take to assess a vendor’s risk:

  1. Catalog vendors: Well-managed companies have a comprehensive catalog of all their vendors, third parties, and fourth parties with information about what services they provide and which departments they serve.
  2. Profile to determine inherent risk: Classify vendors based on inherent risk by evaluating factors like location, the criticality of their services, and the extent of confidential information they handle, including access to your computer network.
  3. Provide a self-assessment questionnaire: Requiring vendors to fill out a self-assessment questionnaire is standard. Use it to probe a vendor’s policies, processes, and procedures to help determine the company’s residual risk.
  4. Engage in dialogue to set expectations and promote cohesive communication: Have your experts review your gathered information and compare it against your company’s risk tolerance. Open a productive conversation that allows you to express concerns and allows vendors to provide solutions.

3. What Does a Mature Vendor Risk Management Program Look Like?

Vendor risk management programs go through developmental stages. The least mature stage is Ad-hoc, where there are no defined processes, roles, or responsibilities and the program relies on manual work. Programs then progress through the Fragmented and Defined stages to the more mature stages of Integrated and Agile.

At the Integrated stage, organizations will have a framework with policies and processes for managing risk and compliance within third-party relationships that the organization adheres to across teams and departments.

The organization’s approach to vendor risk management will be fully integrated with day-to-day business-as-usual (BAU) activities. At the Agile stage, organizations can connect, understand, analyze, and monitor interrelationships and underlying performance, risk, and compliance patterns across their vendor relationships under a single governance framework.

What Are the Requirements for Vendor Risk Management?

Organizations must be able to identify, understand, analyze, and monitor interrelationships and underlying patterns of vendor performance, risk, and compliance across their vendor relationships under a single governance framework.

In other words, organizations need a reliable and effective method to understand and monitor risks.

Follow these five steps to get started:

  1. Identify risks.
  2. Analyze the risks.
  3. Prioritize risks based on business objectives.
  4. Respond to the risks.
  5. Monitor and review the results of your risk management process.

4. Where Are Emerging Risks Hidden In Your Vendor Management Program?

The elements of a good program, including vendor due diligence and vendor risk monitoring, enable an organization to detect and manage emerging risks as they evolve. The International Risk Governance Council (IRGC) defines emerging risks as “new risks or familiar risks that become apparent in new or unfamiliar conditions.”

COVID-19 presented ‘new and unfamiliar’ conditions for all businesses across the globe, meaning emerging risks are an increased threat to many organizations.

Financial Risk

According to RapidRatings research, corporate financial health was declining even before the pandemic hit, and the expectation is that COVID-19 has significantly and negatively impacted many organizations’ financial health.

Now, more than ever before, it’s important for organizations to understand the financial health of their third parties, especially their critical providers.

A danger is that organizations struggling financially may start to cut back on compliance and security-related costs, putting your business at increased risk.

Information Security

Information security and cybersecurity risks are familiar risks that programs should already be monitoring; they have been exacerbated under COVID-19, leading to an increased risk of data breaches in the years since.

With much of the world’s workforce transitioning to work-from-home conditions as lockdowns were enforced, the controls organizations had for third parties’ information security and data privacy risk assessments could be void in the new remote working conditions.

Organizations must ensure that the risk assessments and due diligence they apply to the third parties they work with are revised to consider this. Organizations should ask what extra steps third parties take to manage cyber risks in remote working conditions.

Companies should also ask their third parties how cyber risk and information security training is being conducted for their employees.

Data Privacy

There’s a growing inventory of data privacy laws that organizations and any third parties that touch their PII data must comply with. As these regulations come into effect, the additional risk of non-compliance can emerge.

Organizations must understand which regulations impact them and ensure their policies and processes reflect emerging requirements. They also need to understand whether their vendors are in compliance with data privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA), GDPR, CCPA, the New York SHIELD Act, etc.

Three important questions to consider:

  1. Does the vendor have the policies and processes to meet existing regulatory requirements and industry standards the organization must adhere to?
  2. How robust is that compliance?
  3. What controls are in place, and what is the remediation process if an event, such as a breach, occurs?

Supply Chain Resilience

With increased focus from regulators and organizations on operational resilience, supply chain resilience programs should ensure that a business service can recover from an adverse event, minimizing the impact on customers and the industry.

What is the operational resilience of a vendor like? What plans does an organization have in place should a vendor suddenly not be able to meet the terms of its contract?

5. When Should You Consider Evaluating Vendor Risk Management Software?

Vendor risk management software makes sense when an organization reaches the point in its evolution where it would benefit from automating the vendor risk management lifecycle, starting with vendor onboarding and vendor due diligence.

A software solution should also support ongoing vendor monitoring, the vendor performance management process, and potential vendor offboarding.

Automation through software will help vendor risk management programs at the Ad-hoc and Fragmented maturity levels increase their efficiency and ability to deliver business value.

These 5 “W’s” can be a useful way to frame conversations with stakeholders such as the business, senior management, and the board, particularly when organizations are at the early stages of development for their vendor risk management program.

Kimberley Allan

Vice President of Marketing at Bidgely

Kimberley is currently the Vice President of Marketing at Bidgely. Prior to this, she served as Chief Marketing Officer at Aravo, bringing more than a decade of marketing leadership experience in the GRC space, building brand recognition, thought leadership, and revenue-accelerating marketing programs.