Assessing the risk your vendors and other third parties may expose your organization to is a critical step in the third-party management process. In fact, assessing inherent risk drives many other vendor management activities. For example, the level of due diligence that is needed or the type and frequency of ongoing monitoring activities all depend on the vendor’s inherent risk level.
The third-party risk assessment process can seem overwhelming – How many questions do we ask? Who completes the assessment? What risk tiers do we use?
As with many aspects of third-party risk management, there isn’t a one-size-fits-all approach. There are, however, some tips you can follow to make sure your risk assessments are performed as accurately and efficiently as possible. Let’s take a look at them:
Understand the difference between “Inherent” and “Residual” risk
Inherent Risk: The risk that exists in a third-party relationship BEFORE the vendor’s mitigating controls have been evaluated. It is the risk that exists in the absence of controls (i.e. when you perform a “risk assessment” you are assessing inherent risk).
Residual Risk: The risk that exists in a third-party relationship AFTER the consideration and evaluation of the vendor’s mitigating controls. It is the risk that remains once controls are accounted for (i.e. after you’ve had subject matter experts perform the level of due diligence appropriate to the inherent risk, you’ll know your resulting residual risk).
Use a standard form
Your risk assessment should not be something that is left to interpretation each time it is completed. Your Vendor Management Office (VMO) should establish a standard risk assessment form that is used each time a risk assessment is completed, and it should assess (at a minimum):
- Information security risk – Will your vendor have access to your (or your customers’) non-public information (NPI)?
- Physical security risk – Will your vendor have access to your building/offices?
- Reputational risk – Do the services your vendor provides have the ability to cause reputational harm to your organization?
- Financial risk – Do you rely on the vendor for revenue generation, or will there be hefty costs if a contract is terminated early?
- Operational risk – Do you rely on the vendor to effectively run a critical business function?
- Compliance risk – Is the vendor an integral part in your compliance with certain regulations or laws?
- Fourth party risk – Will your vendor be using other vendors (i.e. your 4th parties) to provide you with the goods/services you need?
Set standard risk levels
Your inherent risk assessment doesn’t mean much if it doesn’t provide you with standard results. It’s important to configure your third-party risk assessment process so that completed assessments result in a certain, consistent set of risk levels.
It does not matter what you call your risk levels. I’ve seen everything from “Level 1/Level 2/Level 3” to “High/Medium/Low” to “Tier 1/Tier 2/Tier 3.” The important thing is that you have a standard methodology to segment your vendors by their level of inherent risk. This risk level will drive a number of other activities, including the type of due diligence you perform, and how often you perform ongoing monitoring of your third parties.
Automate the process
Excel works if you have a few vendors, but when you have 50 or 200 or upwards of 1,000 vendors you need something that helps to automate the third-party risk assessment process. That’s where vendor management systems come into play. Vendor management systems allow you to create risk assessments that can be completed online, configure scoring (utilizing weighted points or even automatic triggers for certain risk levels) and even set up the appropriate workflows for approvals and other subsequent activities.
Make sure Relationship Managers complete the risk assessment
Someone at your organization “owns” the relationship with the vendor (i.e. the person who is responsible for the deliverables the vendor was hired to provide). This role is sometimes referred to as the ‘Vendor Relationship Manager’ or the ‘Vendor Owner,’ and they should be the ones who complete the risk assessment. You don’t want the risk assessment process to be a “check the box” activity that could be completed by anyone.
In order to ensure you accurately assess risks, it’s important to make sure that the person who knows the vendor best (and is intimately familiar with the services they provide) is the one who completes the assessment. It’s also important to note that it’s absolutely fine for Subject Matter Experts (SMEs) to get involved if the Relationship Manager is not sure about a particular risk category. For instance, a Relationship Manager may need assistance from your Information Security team to figure out what type of access the vendor will have to your organization’s data.
Reassess third party risks on a regular basis
The third-party risk assessment process is not a one-time activity. Risks constantly evolve, and you need to stay ahead of them. While there isn’t a “correct” frequency to reassess your vendors and third parties, it’s generally accepted that an inherent risk re-assessment schedule would look something like the following:
- High Risk – Every year
- Medium Risk – Every two years
- Low Risk – Every three years
It’s also important to note that a schedule, such as the one above, is not the only time risks should be reassessed. A critical time to reassess risk is when a scope change occurs with your vendor. For example, let’s say a vendor was hired to perform some relatively simple consulting services, but now you need to engage them to perform more complex services that will require you to provide them with access to non-public information (NPI). The risk assessment you performed initially no longer captures the true inherent risk of the vendor.
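To make the scoring and scheduling ideas above concrete, here is an added example (not code from the original post, and not any vendor management system’s implementation) that ties together the standard form categories, weighted scoring with automatic triggers from the automation section, the three standard risk tiers, the reassessment cadence listed above, and the scope-change trigger. The category names, the weights, the 0–3 answer scale, the tier thresholds and the trigger rules are all assumptions chosen for illustration; only the High/Medium/Low cadence comes from the post. The sample vendor answers at the bottom are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Assumed weights for each category on the standard risk assessment form.
# Each category is answered on a 0-3 scale (0 = no exposure, 3 = maximum).
WEIGHTS = {
    "information_security": 3,
    "physical_security": 1,
    "reputational": 2,
    "financial": 2,
    "operational": 3,
    "compliance": 2,
    "fourth_party": 1,
}

# Assumed automatic triggers: an answer at or above this level forces the
# vendor into the High tier regardless of the weighted score (e.g. the vendor
# will handle customer NPI, or runs a critical business function).
TRIGGERS = {"information_security": 3, "operational": 3}

# Assumed tier thresholds on the weighted score (maximum possible score is 42).
HIGH_THRESHOLD = 24
MEDIUM_THRESHOLD = 12

# Reassessment cadence by inherent risk tier, in years, as given in the post.
CADENCE_YEARS = {"High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Assessment:
    vendor: str
    answers: dict
    completed_on: date
    tier: str
    score: int


def score_answers(answers):
    """Weighted inherent-risk score; rejects incomplete or out-of-range forms."""
    missing = set(WEIGHTS) - set(answers)
    unknown = set(answers) - set(WEIGHTS)
    if missing or unknown:
        raise ValueError(f"form incomplete: missing={missing} unknown={unknown}")
    for category, level in answers.items():
        if level not in (0, 1, 2, 3):
            raise ValueError(f"{category}: answer must be 0-3, got {level!r}")
    return sum(WEIGHTS[c] * answers[c] for c in WEIGHTS)


def tier_for(answers):
    """Return (tier, score, triggered categories). Triggers override the score."""
    score = score_answers(answers)
    triggered = sorted(c for c, level in TRIGGERS.items() if answers[c] >= level)
    if triggered or score >= HIGH_THRESHOLD:
        return "High", score, triggered
    if score >= MEDIUM_THRESHOLD:
        return "Medium", score, triggered
    return "Low", score, triggered


def assess(vendor, answers, completed_on):
    tier, score, _ = tier_for(answers)
    return Assessment(vendor, dict(answers), completed_on, tier, score)


def _add_years(d, years):
    # Feb 29 has no anniversary in a non-leap year; fall back to Feb 28.
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def next_reassessment(assessment):
    """Scheduled reassessment date based on the tier's cadence."""
    return _add_years(assessment.completed_on, CADENCE_YEARS[assessment.tier])


def needs_reassessment(assessment, today, scope_changed=False):
    """A scope change forces reassessment even before the scheduled date."""
    return scope_changed or today >= next_reassessment(assessment)


# Constructed sample: a vendor hired for simple consulting, no data access.
CONSULTING = {
    "information_security": 0, "physical_security": 0, "reputational": 1,
    "financial": 1, "operational": 1, "compliance": 0, "fourth_party": 1,
}
# Constructed sample: the same vendor after a scope change that grants NPI access.
CONSULTING_WITH_NPI = {**CONSULTING, "information_security": 3}

if __name__ == "__main__":
    initial = assess("Example Consulting LLC", CONSULTING, date(2024, 3, 1))
    print(initial.tier, initial.score, next_reassessment(initial))
    print(needs_reassessment(initial, date(2025, 1, 1), scope_changed=True))
    print(tier_for(CONSULTING_WITH_NPI))
```

The scope-change case is the one to watch: the expanded engagement scores only 17, which the thresholds alone would call Medium, but the NPI trigger still forces it to High. Whatever weights and thresholds your VMO settles on, keep triggers for the answers that should never be averaged away by low scores elsewhere on the form.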
The risk assessment process may seem complex, but it certainly doesn’t need to be. We’ve helped organizations of all sizes create, re-build or update their third-party risk assessment processes. If you need help, feel free to reach out to us!
Download this free tool to review areas of potential exposure with your vendors, and determine whether those risks can be properly mitigated and managed before it’s too late.