It’s important to assess vendors to accurately determine the risks of doing business with your third-party partners. At the minimum, most businesses will assess their vendors on an annual basis. In a 2018 report by Opus that surveyed over 1,000 CISOs, CIOs and other professionals in cyber security, 59% reported a data breach caused by a third party. This is an alarming statistic that highlights the vulnerabilities a vendor can create for your organization.
Some of the risks created by vendors that need to be assessed include:
Compliance Risk – Measure and enforce regulatory requirements, standards, and policies.
Cybersecurity Risk – Measure cyber controls and processes to prevent breaches and other types of cyber attacks.
Cloud Risk – Identify weak encryption, data protection controls, and uptime.
Reputational Risk – Monitoring and reporting on customer facing products and services.
Transactional Risk – Assess SLA’s, disaster recovery, and business continuity plans.
Credit Risk – Measure a vendor’s financial strength and ability to stay in business.
Operational Risk –Identify risk where processes, people, or products fail.
With so many areas of risk, it’s crucial to know what areas are problematic for your vendors. Vendor risk assessments will look at each of these areas, highlight any problems, and initiate solutions. Whether it is sensible to allow your vendor time to mitigate their risks or immediately search for a different vendor is something you will determine once the assessment process is complete.
While the responsibility of risk management should fall on each organization, it isn’t always so simple. It would be great if every vendor would monitor themselves and reduce risk to an appropriate level, but the problem is that not every vendor is this responsible. Even more, a thorough risk management program does not eliminate risk or guarantee protection. As a result, this means you should assume at least some level of risk from each third party.
Knowing this fact, the responsibility for vendor assessments falls on your organization. Your vendor can have a risk management program in place, but ultimately you are responsible for monitoring your own risk, which entails assessing all third-parties that you choose to do business with.
For example, are you aware of all the information your vendors have access to? According to Optiv, 74% of companies do not know all of the third parties that handle their data and personally identifiable information. Sharing any information increases the likelihood that you will have a data breach if your vendor creates a vulnerability, even more so when you don’t know which data is vulnerable. In the instance of a breach, your company is held responsible in the eyes of the law and you can be fined for regulatory violations. In the case of you being a customer facing organization, such as a wholesaler or retailer, you will also be seen responsible in the eyes of the public who does business with you. This can cause irreparable damage to your brand.
Within your organization, responsibilities may vary. You may have a dedicated team or even a vendor manager, and the role generally depends on the size of your organization and the resources you have available. Ultimately, responsibility falls on the board who should be directing personnel to manage risk, and how they choose to do so is at their discretion.
How to Perform a Vendor Assessment
In a traditional assessment process, you would begin with determining the regulatory requirements, standards, or best practices you’re going to be assessing against your selected vendor(s). You would also determine which tools and processes you would use. For example, in a manual process you might upload all of this content into a spreadsheet. Using assessment software, such as RiskWatch, you would upload or select the content for your assessment in the application.
Next, you’ll identify who will be participating in gathering the assessment data, whether that is a hired consultant, someone from your own organization, or perhaps an employee selected by the vendor. This individual or individuals will send emails or meet with necessary personnel to gather the required data. That data will the then be analyzed.
After analyzing the assessment data, you’ll gain valuable insight into your vendor’s risk and your own risk. Develop and draft corrective actions to mitigate risk and set requirements for your vendor. Track corrective actions and ensure risk is reducing and compliance is improving over time.
Vendor Assessment Automation
Using a vendor assessment platform, such as RiskWatch, will greatly reduce the effort required to monitor your vendors. This is thanks to our lean process flow, provided content , and subject matter expertise, which all contribute to your success.
Our platform enables your vendor to submit their own data through a custom portal – just send them a link and they can submit all required information within a set timeframe. If your vendor does not submit the requested information by set dates, escalation automatically occurs in the system, sending reminders to relevant personnel. From there, the platform automatically analyzes data collected, giving a real time risk and compliance score, and suggesting tasks to mitigate risk. Automatic reports are also generated with any selected data, making your findings ready to present at a moments notice.