Vendor risk assessments are an integral part of the vendor management lifecycle. You perform them initially for new vendors and on an ongoing basis for existing vendor relationships. There was a time when sending a simple questionnaire to your vendors may have been enough, but times have changed, risks have evolved, and the vendor risk assessment process needs to be much more than a one-and-done questionnaire exercise.
Let’s take a look at five best practices for performing successful vendor risk assessments:
1. Scope Your Vendor Risk Assessments by Identifying Inherent Risks
Your inherent risk assessment process is what should kick off the vendor risk assessment process. It allows you to “scope” your vendor risk assessment so that only relevant topics are evaluated. Scoping means the set of questions a vendor receives depends on the risk that vendor introduces (what data it touches, what access it has, how critical its service is) rather than on a fixed template. Gone are the days of sending one, all-encompassing due diligence questionnaire to every vendor.
For example, if your vendor will not require access to any confidential data or to your corporate network/systems, you may not need to perform an Information Security Assessment on that vendor. Likewise, if a vendor will provide a business-critical service to your organization, you will want to assess its business continuity and disaster recovery framework (whereas you would not perform this type of assessment on a non-critical vendor, such as your office supply vendor). Record the inherent-risk answers you based the scope on, and re-scope when the engagement changes: a scope that was correct at onboarding becomes wrong the day that “no access” vendor is granted a VPN account or an integration with your systems.
2. Define Your Standards
You’ve created your own due diligence questionnaire/vendor risk assessment (or you have decided to use an existing framework such as the Shared Assessments SIG questionnaire or a NIST framework). Great! Now what?
Having the appropriate question set is only half the battle. For the vendor risk assessment process to be as efficient as possible, your organization should create standards, set from the top, that define how vendors are expected to answer your questionnaires. Think of this as pre-defining the correct (expected) answer for each question, and ideally the evidence that backs it up, so you can easily spot when a vendor doesn’t answer the way you anticipated. That streamlines the identification of risks and of areas where vendor follow-up is needed. Keep in mind that a “yes” with no supporting evidence is a claim, not a verified control; your standard should say which answers require an artifact (a policy, a report, a configuration export) before they count as conforming.
3. Define Suggested Remediation Items
Take your vendor risk assessment process to the next level by not only defining how vendors should answer your assessments (#2 above), but also by maintaining a predefined list of suggested remediation items, each tied to a specific risk, that states how that risk should be resolved. This takes the guesswork out of the risk remediation process: reviewers reference guidance written once by your organization’s subject matter experts rather than determining the appropriate remediation activities from scratch each time a risk is identified, and vendors receive consistent asks regardless of who reviewed them.
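The three practices above describe one workflow: capture inherent-risk attributes, use them to pick which assessment modules a vendor receives, compare the vendor’s answers to your expected answers, and attach a pre-written remediation to every gap. The following is an added example that is not code from the original post or from Vendor Centric; it is an illustrative model in Python. The vendor profile fields, module names, question IDs, expected answers and remediation text are all assumptions constructed for the example, not a real question bank.

```python
from dataclasses import dataclass

# Inherent-risk attributes captured at vendor intake (hypothetical schema for this example).
@dataclass(frozen=True)
class VendorProfile:
    name: str
    handles_confidential_data: bool
    has_network_or_system_access: bool
    business_critical: bool

# Scoping rules (practice #1): each assessment module lists the inherent-risk
# condition that pulls it into scope. Dict order determines module order.
MODULES = {
    "infosec": lambda v: v.handles_confidential_data or v.has_network_or_system_access,
    "bcdr": lambda v: v.business_critical,
    "general": lambda v: True,  # every vendor gets the general module
}

# Question bank (constructed for this example): module, question id, text,
# expected answer (practice #2) and the pre-written remediation tied to a
# non-conforming answer (practice #3).
QUESTIONS = [
    ("infosec", "IS-01", "Is MFA enforced for all remote and administrative access?", "yes",
     "Enforce MFA on all remote/admin access; provide policy and configuration evidence."),
    ("infosec", "IS-02", "Is our data encrypted at rest in all systems that store it?", "yes",
     "Enable encryption at rest for every store holding our data; provide configuration evidence."),
    ("bcdr", "BC-01", "Is the BC/DR plan tested at least annually?", "yes",
     "Schedule and document an annual DR test; share the most recent test report."),
    ("general", "GN-01", "Does the vendor carry cyber liability insurance?", "yes",
     "Obtain a certificate of insurance meeting the contractual minimums."),
]

# Normalize free-text answers so "Yes", " Y " and "yes" all compare equal.
_ANSWER_ALIASES = {"y": "yes", "yes": "yes", "true": "yes", "n": "no", "no": "no", "false": "no"}


def normalize_answer(answer):
    return _ANSWER_ALIASES.get(answer.strip().lower(), answer.strip().lower())


def scope_assessment(vendor):
    """Return the list of modules the vendor's inherent risk pulls into scope."""
    return [module for module, rule in MODULES.items() if rule(vendor)]


def in_scope_questions(vendor):
    modules = set(scope_assessment(vendor))
    return [q for q in QUESTIONS if q[0] in modules]


def evaluate(vendor, responses):
    """Compare the vendor's responses against expected answers for in-scope questions.

    Returns a list of findings. Each finding carries the remediation the reviewer
    should send, so no remediation is written from scratch at review time.
    Unanswered in-scope questions are findings too: silence is not conformance.
    """
    findings = []
    for module, qid, text, expected, remediation in in_scope_questions(vendor):
        raw = responses.get(qid)
        if raw is None:
            findings.append({"id": qid, "module": module, "status": "unanswered",
                             "remediation": "Follow up with vendor: in-scope question not answered."})
        elif normalize_answer(raw) != expected:
            findings.append({"id": qid, "module": module, "status": "gap",
                             "answer": raw, "remediation": remediation})
    return findings


def assess(vendor, responses):
    """Bundle scope and findings into the record you would store for the assessment."""
    findings = evaluate(vendor, responses)
    return {
        "vendor": vendor.name,
        "scope": scope_assessment(vendor),
        "questions_asked": len(in_scope_questions(vendor)),
        "findings": findings,
        "open_gaps": sum(1 for f in findings if f["status"] == "gap"),
    }


if __name__ == "__main__":
    # Constructed sample vendors and responses.
    office_supply = VendorProfile("Office Supply Co", False, False, False)
    payroll_saas = VendorProfile("Payroll SaaS", True, False, True)
    print(assess(office_supply, {"GN-01": "Yes"}))
    print(assess(payroll_saas, {"IS-01": "Y", "IS-02": "No", "GN-01": "yes"}))
```

Scoping the office supply vendor yields only the general module, while the payroll vendor receives infosec, BC/DR and general questions; its “No” on encryption at rest and its missing BC/DR answer each come back with the remediation text the reviewer should send. Re-running `assess` after a profile change (say, granting network access) is how re-scoping would be handled in practice.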
4. Don’t Rely Solely on Point-in-Time Assessments
Due diligence questionnaires are a great tool to have in your vendor risk arsenal, and they are what this blog has primarily focused on so far, but they aren’t the only tool. Due diligence questionnaires/vendor risk assessments use an inside-out approach, relying on the vendor to self-report the existence and effectiveness of its controls. These assessments are also referred to as “point in time” because you are only assessing the controls as of the date the vendor completes your assessment, and only as the vendor describes them. What about 6 months from now? Do your vendor’s answers still apply, or are they already stale?
This is where the outside-in (or continuous monitoring) approach comes in. Using software (such as Prevalent or Argos Risk) you can access continuously updated data on your vendor’s business/financial health, cybersecurity posture, and compliance issues, to name a few. Keep in mind what each approach can and cannot see: outside-in tools observe only what is visible from the outside (for example, the vendor’s Internet-facing footprint and public disclosures), not internal controls, while questionnaires cover internal controls but only as claimed by the vendor. As a best practice, use a combination of inside-out AND outside-in assessment strategies to get the full picture when assessing your vendors, and treat a change in the outside-in signals as a trigger to revisit the questionnaire rather than waiting for the next scheduled review.
5. Utilize Technology to Support the Process
Spreadsheets just don’t cut it in the world of vendor risk management. To have a scalable, effective vendor management program, you need a system dedicated to managing vendor inventories, vendor contracts, assessments, risks, issues and much more. With regard to vendor risk assessments specifically, technology supports the process by managing the distribution of assessments, the collection of vendor responses and evidence, the automated identification of risks and their mapped remediation strategies, and the tracking of any remaining residual risks.
There seem to be an increasing number of systems showing up on the market with vendor management capabilities. Take a look at our software page to see some of our most trusted partners in this space, and also check out this blog which identifies 7 elements you should consider when looking for a vendor management system.
The most important thing to consider when creating (or revising/updating) your vendor risk assessment process is to make sure it is right-sized for your organization. Don’t feel like you need to tackle everything on day 1. Get the fundamental components of your assessment process up and running, then focus on the rest. If you don’t know where to start, or just need a little help, know that Vendor Centric offers a comprehensive set of solutions aimed at helping you manage the vendor risk assessment process.
Author: Josh Angert
Job Title: Consulting Manager
Organization: Vendor Centric