Risk assessments are a critical step to vetting vendors and other third parties, and to provide ongoing monitoring of relationships to identify changes to your risk exposure. A proper risk assessment gives you a clear understanding of the inherent risk posed by each vendor relationship. It also enables you to perform risk-based due diligence on the vendor’s policies, processes and controls so that you can get a final picture of the residual risk you’ll be accepting with that vendor relationship.
In a nutshell, you have to get the vendor risk assessment right to get the due diligence right. Period. So with that in mind, here are eight best practices you should always include in your vendor risk assessment process.
8 Best Practices for Vendor Risk Assessments
- Be Clear on the Risks You are Assessing. Your vendor risk assessment questionnaire should align directly with the risks you are managing through your third-party risk management program. Risk assessment questions should cover key risks related to operations, information, financial transactions, strategy, reputation and regulations.
- Make Relationship Owners Primarily Responsible. The people that negotiate the contracts and work with the vendors every day are the ones that understand the relationship the best. They should be the ones responsible for capturing data and answering the risk assessment questions. However…
- Get Subject Matter Experts Involved. Relationship Owners rarely have all of the subject matter expertise needed to assess all inherent risks. Subject Matter Experts (SMEs) need to be brought into the risk assessment process when appropriate. Are you exchanging data? Get the CISO involved. Will the vendor be processing financial transactions? Make sure to involve the finance team. Pull in the right people at the right times.
- Have the VMO Coordinate the Process. You need to ensure there is consistency in your risk assessment process, and that all stakeholders are coordinated. Don’t leave this to the Relationship Owners. They want the process to be as speedy as possible, which may mean they’re willing to overlook some risks just to move things through the process. The Vendor Management Office (VMO) should be coordinating all stakeholders and ensuring a timely, quality risk assessment process.
- Make Sure Someone Reads the Draft Contract. This sounds basic, but I can tell you from experience stuff gets missed. I hear a lot of “We aren’t sharing any confidential information” only to read the contract and see an entire clause about data sharing. I always recommend to have someone independent -like the VMO – be responsible for reading the contract to ensure all of the inherent risks have been identified.
- Ask about Fourth Parties. Just like you, your vendors have their own vendors (i.e. fourth parties). And some of those fourth parties are critical to the services you’ll be receiving from your vendor. Make sure to understand who those fourth parties are, and identify the risks they bring to your relationship.
- Automate the Process. The easier you make the vendor risk assessment process, the more compliance you will get. There are literally dozens of risk assessment tools on the marketplace. If you aren’t using one already, you should be.
- Don’t Stop After the Contract is Signed. Many companies view the vendor risk assessment process as one-and-done. Once you’ve vetted a vendor during the initial contracting process, you are good to go. That couldn’t be further from the truth. Relationships with vendors change over time, so you need to ensure you re-assess risk periodically over the duration of your relationship. Look for triggers that could lead to a change in your relationship such as contract modifications, module additions (for software) or new types of data you may be exposing to the vendor or their software.
The vendor risk assessment is a crucial part of your vendor management program. Implementing these best practices will ensure yours is operating at peak performance.