Tom is a trusted advisor on procurement and third-party management to organizations across the United States. Having worked with over 120 organizations over his 30-year career, he has a unique ability to bring creativity and discipline to finding solutions for even the most complex challenges his clients face.As vendors and other third parties become more intertwined in day-to-day operations, vendor risk assessments are growing in adoption. Doing a proper third party risk assessment allows you to understand the level of risk you assume in each vendor relationship, and make informed decisions about how to mitigate and manage those risks. Or in some cases, avoid an unnecessarily risky vendor relationship before it’s too late.
Here’s a four-step process for conducting vendor and other third-party risk assessments that can scale to companies of different sizes and industries.
1. Develop Vendor Risk Criteria
Before you can do a risk assessment, you must first define the criteria on which you want to evaluate risk. There are lots of potential criteria to consider, and many industries have vendor risks that are important to them. For example, vendors who collect or store personal health information (PHI) present a very high risk in the healthcare industry. So it’s important that you view your risk criteria through your own, unique lens.
With that said, there are several vendor risks that are common across many industries.
- Operational Risk. How important is the vendor’s work to your organization’s business activities and operations?
- Data/Privacy Risk. Will the vendor be collecting or storing any data on your customers, members, donors or employees?
- Transactional Risk. Will the vendor be processing any of your financial transactions?
- Replacement Risk. If the vendor were to go out of business due to financial insolvency or other issues, could you replace them quickly to avoid disruption to operations?
- Downstream Risk. Will the vendor be using their own vendors (i.e. fourth and fifth parties) who play a role in the delivery of your products or services?
- Compliance Risk. Are there vendor-related regulatory issues with which you must comply?
- Geographic Risk. Is the vendor located in a region or country in which it is inherently risky to do business?
2. Create a Preliminary Vendor Risk Profile
Once your risk criteria are identified, you will use them as the basis for a formalized risk assessment. In your assessment you should evaluate the risks of a new vendor relationship based on your risk criteria, and establish a preliminary risk profile of the vendor. This allows you to understand where your inherent risks lie with the vendor and assign an appropriate level of due diligence.
When doing this, most companies create different tiers for their risk profiles. The most common are high, medium and low tiers of risk, but the number of tiers is up to you. The higher the risk tier, the more due diligence you will need to perform to evaluate each of the risks and how well they can be mitigated and managed.
3. Perform Due Diligence Based on Risk Profile
Once the risk profile is established, the next step is to perform vendor due diligence to assess the risks you’ve identified. The riskier vendors will require more upfront due diligence and if you end up contracting with them, a higher level of ongoing oversight too.
Good vendor due diligence allows you to collect the right (and right amount) of information based on the vendor’s risk profile. Most companies collect information through the use of due diligence questionnaires and supplement those with other documents such as audited financials, SOC 2 reports, and disaster recovery plans.
Once the information is collected, you’ll need the right subject matter experts to help analyze it. This may require involving IT, security, finance, compliance or other experts to evaluate responses and reports. Some organizations also establish committees to help manage this process.
There are unique challenges to performing vendor due diligence when working with smaller companies; especially those that are privately held. Many won’t have audited financials or SOC 2 reports, so you’ll need to be flexible in how you assess those areas.
On the flip side, larger vendors may have an abundance of information but may require a more expansive due diligence process. This can include triangulating their responses with information from other data services (like Dun & Bradstreet Supplier Risk Manager). They may also require you to perform on-site visits to walk through and test processes.
Just remember that you don’t need to apply the same level of due diligence to every vendor. Align your activities with your vendor risk profiles to be both efficient and effective in this process.
4. Address the Risks You’ve Uncovered
The final step in the process is to actually take what you’ve learned and determine what to do with the information you’ve collected. Does the vendor have adequate systems and controls in place to mitigate the identified risks? Are there additional steps you need to take to further evaluate processes? Or is there simply too much risk to do business with that vendor?
Know that the goal of the vendor risk assessment process is not to eliminate all risks, but to use real data to understand what those risks are and determine how you’re going to mitigate and manage them.
Two of the most common ways to manage vendor risk are through well-designed contracts and ongoing vendor oversight activities. So it’s important to coordinate with legal during contracting, and the actual business units post-contract to ensure there is an appropriate level of ongoing vendor management.
The reality is that the “problem” of vendor risk isn’t going away. Business relationships are becoming more complex, and vendor risk assessments have transitioned from a ‘nice-to-have’ to a ‘requirement’.
Make sure you have a good process in place to know who your riskiest vendors are, and proactively manage those risks throughout the lifecycle of the vendor relationship.
