Guide to Third-Party Vendor Risk Management

Published/Updated September 29, 2022

Introduction

Doing business in the digital age means outsourcing. There’s just no way that most enterprises can do it all in-house: provide the technology and the conveniences that customers demand while delivering goods and services at a price they can afford. Third-party relationships are a must, but they can increase your organization’s information security risk.

Third-party vendors may not always have the cybersecurity safeguards you need to comply with regulations and industry standards. Regulators are increasingly applying the same scrutiny to your supply chain as they are to your organization. If you haven’t done your due diligence before, during, and after signing third-party contracts, your enterprise could lose essential certifications.

Vendor risk management (VRM) can help you avoid risk and compliance pitfalls that contractors, service providers, vendors, and others in your business ecosystem can incur. Also known as third-party risk management, VRM involves a complex set of risk management processes throughout the vendor lifecycle, from risk assessment to monitoring and mitigation.

This guide to developing and implementing a third-party risk management program will walk you through the vendor management process.

Intended for use by your chief compliance officer or chief risk officer, it contains a trove of up-to-date information on vendor risk and how to identify and resolve the challenges vendor risk management might bring to your company.

To use this guide, feel free to read from beginning to end or skip to the sections you most need. Along the way, click on the links sprinkled throughout for more detailed insights into various topics. And if you feel overwhelmed by the third-party risk management process, take heart: there’s a tool for that.

What Is Vendor Risk Management?

Vendor Risk Management (VRM), a part of vendor management, is the process of identifying, analyzing, monitoring, and, where necessary, mitigating risks that third-party vendors might pose. Such risks could affect your business’s cybersecurity, regulatory compliance, business continuity, or organizational reputation.

As with any risk management program, third-party risk management begins with due diligence before signing a contract. It also involves a risk assessment for each contractor, vendor, supplier, and service provider with which your company works. A growing number of enterprises either have a vendor risk management program or are starting one.

Concerns over information security and data privacy are driving this change, but so are laws, including the European Union’s General Data Protection Regulation (GDPR), that require organizations to understand how the third parties with whom they do business manage their risks and mandate third-party compliance as a condition of certification.

Is There a Difference Between "Vendor," "Supplier," and "Third Party"?

There are differences between “vendor,” “supplier,” and “third party,” but they can be subtle. And many professionals across industries use the terms interchangeably, so next time your boss uses the wrong word, be kind if you correct him.

A supplier is typically considered the initial link in the supply chain. They solely engage in business-to-business interactions and deliver items to manufacturers in sizable quantities. Suppliers provide raw materials or raw material components.

A vendor is an external entity that supplies goods or services to an organization. Examples are:

  • Cloud service provider
  • Law firm
  • Accountant/auditor
  • Consultant
  • Software Developer
  • Website host
  • Payment processor

Third-party relationships encompass all these entities but also include others with whom your organization does business, such as:

  • Business partners
  • Venture capitalists
  • Regulatory agencies
  • Nonprofits receiving your donations
  • Customers

While many companies have vendor risk management (VRM) programs, others have broader third-party risk management (TPRM) programs.

Why Is it Important to Manage Vendor Risks?

When businesses work with third parties, they run several risks. Vendors who handle sensitive, proprietary, private, or otherwise dangerous information on your behalf carry a higher risk. No matter how effective your internal security measures are, if your third-party providers have bad security practices, they might still be a significant danger.

It is insufficient to concentrate on operational risk variables like performance, quality standards, key performance indicators (KPIs), and service level agreements (SLAs). The most significant risks associated with third-party providers are now more often reputational and monetary threats, like data breaches.

Giving suppliers access to only the data they need to complete their jobs is one of the most effective ways to lower risk.

Companies must have an overarching risk management approach that ensures suppliers are consistently assessed for all potential risks. Having subject matter experts, such as supply chain professionals, manage vendor risk is insufficient.

Organization-wide procedures are imperative to ensure risk management programs are comprehensive. Otherwise, departments can choose their own metrics and ad hoc standards, which may lead them to miss types of vendor risks that are off their radar. Any area of your company could experience a data breach.

By securing sensitive data, personally identifiable information (PII), protected health information (PHI), intellectual property, and assuring business continuity, a VRM program lowers the incidence and severity of data breaches, data leaks, and cyber assaults involving third and fourth parties.

Senior management and the board of directors are ultimately responsible for managing vendor risk. Each person who interacts with a vendor significantly contributes to the process.

VRM vs. TPRM

The vendor risk management process involves due diligence activities before contracting with a vendor, often using surveys or questionnaires that prospective vendors answer.

This step helps ensure the vendor complies with necessary regulations and industry standards and has a robust information security program.

Risk assessments are also a part of vendor risk management. You may request evidence of the vendor’s risk management, information security, and regulatory compliance efforts. For example, evidence may include compliance certifications, penetration test reports, financial information, and on-site audits.

Vendor risk management continues with monitoring and oversight throughout the lifecycle of the vendor relationship and even after the contract has ended.

Third-party risk management may entail all the above steps, but with one caveat: While you choose your vendors, you cannot always select your third-party relationships, such as with customers and regulatory agencies. This means that you may not have as much control over the risk incurred by non-vendor third parties.

What Is a Vendor Risk Management Program?

To effectively manage the risks posed by the use of third-party vendors, contractors, and service providers, your organization would do well to implement a comprehensive vendor risk management program.

From vendor selection to vendor onboarding to vendor termination (and beyond), a vendor risk management program will enable you to identify the risks your third-party relationships pose to your enterprise. Then you can work with vendors to remedy those risks and continuously monitor for changes in your vendors’ risk posture that could affect your business.

How Do I Develop a Vendor Risk Management Program?

A successful Vendor Risk Management program involves careful planning by a dedicated team, continual oversight, and commitment to the process at every stage.

Here are steps to take:

  1. Draw up formal policy and procedure documents. These are essential to your program’s success. The policy should explain how vendor risk will be managed at a high level. Procedure documents should detail roles and responsibilities, including those of senior management and your business lines.
  2. Establish a vendor selection due diligence process. Vetting your vendors before signing contracts with them is critical. Ask to see System and Organization Controls (SOC) reports, conduct a risk assessment that includes penetration testing results, and make site visits where necessary.
  3. Mind your vendor contracts. Templates are fine but should be amended for each vendor to account for each party’s roles, responsibilities, and compliance requirements. Set contract standards that establish uniform negotiation, review, approval, monitoring, and contract storage processes. Your contracts should also address service level agreements (SLA), proper issue escalation, vendor termination, and security documentation.
  4. Conduct ongoing vendor monitoring.
    • Review the vendor’s financial statements.
    • Ask to see their IT diagrams, so you know how you’re affected if they have a cyberattack or business disruption.
    • Conduct vendor audits.
    • Periodically request and evaluate their SOC reports, business continuity and disaster recovery plans, and security documentation.
    • Annually perform vendor risk assessments, performance assessments, and information security assessments.
  5. Perform internal audits of your organization, including vendor relationships and risks. Then, when examiners arrive to test your compliance, you’ll pass with ease, and you’ll feel secure in knowing that your organization’s systems and data are adequately protected.

What Types of Risks Do Third-Party Vendors Pose?

Not every vendor brings risky business to an enterprise. But many things can go wrong when you’re dealing with an entity that is, for the most part, unknown.

These are common third-party vendor risks:

  • Reputation risk: If one of your vendors has a business disruption that affects your customers, your company’s reputation could suffer.
  • Operational risk: Every third party with which you do business increases the complexity of your business operations and the risks to them.
  • Transactional risk: Financial institutions are familiar with these. Disruptions at any point along the chain of payment transactions, including third-party payment processing, can cost your enterprise business and customers.
  • Credit risk: If your financial institution uses third parties for loan origination, business solicitation, or underwriting, there’s a risk that they might default on their obligations, agreements, or payments to you.
  • Compliance risk: A steady proliferation of regulations and rules makes it more difficult for everyone to comply. Regulatory risk means that regulators will hold you responsible for your vendors’ compliance with their requirements and your own.
  • Strategic risk: What would happen if a vendor failed to meet the terms of a contract with you or your customers or didn’t provide the expected return on investment?
  • Country risk: If any of your third-party service providers are located in a foreign country, you face risks caused by that country’s economic, social and political situation.
  • Legal risk: A vendor could expose your enterprise to lawsuits or legal expenses.
  • Vendor concentration risk: Relying on one or a small number of vendors for a service or function increases the risk that the service or function will not be provided.
  • IT/Cybersecurity risk: A vendor could provide a portal to your enterprise for hackers.
  • Cloud risk: Placing data or services on the cloud presents an added risk that they will be compromised.

Different risks prevail in different industries. To help determine which risks apply to your enterprise and to classify these risks in order of severity, try a risk management software tool, such as ZenRisk.

What Risks Should Vendors Be Responsible for?

The short answer: All of them.

Third-party vendors, project contractors, and service providers are responsible for financial stability, financial reporting, IT/cybersecurity, regulatory compliance, legal standing, and overall operational soundness.

But when the regulatory rubber meets the road, you, the contracting entity, will shoulder the blame should one of your vendors fall out of compliance, experience service disruption, or get hacked.

Every third party you engage poses strategic and other risks to your organization. Exercising due diligence when choosing, hiring, onboarding, and monitoring your vendors helps prevent risks from becoming threats. But also be sure to include language in vendor contracts requiring them to comply with all regulations, laws, and industry standards your company must meet.

How Do I Analyze Third-Party Risk?

To help you perform the best possible third-party risk assessments, we’ll start before the beginning to help you design your vendor management policy.

Your vendor management policy should establish business goals and guide you through your assessments of third-party security risk throughout the third-party-risk lifecycle: vendor selection, contract negotiation, onboarding, monitoring, termination, and beyond.

Questions you should ask (and answer) at this stage:

  • How many personnel should we devote to managing third-party cyber risk?
  • Which security frameworks should our contracts require vendors to comply with?
  • Which methods should we use to assess third-party risk?
  • Which documents should we require for vendor risk assessments?
  • Who completes the documentation of third-party security risk assessments, and who signs off?
  • How often should we reassess our vendors? What key performance indicators (KPIs) should we use?
  • How much third-party risk can our business withstand?
  • Who decides how to manage any vendor risks we find: whether to accept them or impose mitigating controls?
  • How do we manage third-party risk in real time when vendor circumstances change?

The answers to all these questions will depend on your use of third parties: the number of contractors, vendors, service providers, and other third parties with which your organization does business, how frequently you engage them, and how you use them.

The type of business you conduct with third parties will also determine your vendor management policies and procedures. For instance, a financial institution using third parties to process sensitive customer data may have more stringent guidelines than a retail store purchasing goods from a vendor to resell.

How to Conduct a Vendor Risk Assessment

Conducting a vendor risk assessment is a complex task with many steps, especially if you do the job manually. Emerging technology can perform most of these tasks for you, but more on that later.

Here are ten essential steps for successful vendor risk assessment:

  1. Risk identification. Identify all your third-party risks.
    • Process risks
    • Cybersecurity risks, including malware and ransomware threats
    • Political risks
    • Contract risks
    • Legal and regulatory non-compliance risks
    • Business continuity risks
  2. Vendor classification. Categorize your suppliers and contractors according to the information that they can access.
    • Network access
    • System access
    • Authorization access
    • Data access
    • Proprietary information
     Suppliers and contractors with access to your information and systems will need a higher level of risk management than those without it.
  3. Define vendor performance metrics. Establish service level agreements (SLAs) with each vendor, and monitor to ensure that they meet the criteria on an ongoing basis.
  4. Determine regulatory compliance risks. Federal laws require third-party vendors and contractors with financial institutions and healthcare providers to comply with specific frameworks, as stipulated in the Federal Financial Institutions Examination Council (FFIEC) guidebook for examiners and the Health Insurance Portability and Accountability Act (HIPAA). At the minimum, however, reporting on SOC 2 compliance should be required.
  5. Assess the risk of individual vendors. Consider each vendor’s location, how vital to your business its products or services are, the sensitivity of the information it will handle, and whether it will have access to your digital network.
  6. Query vendors with a vendor risk management questionnaire. Vendor risk assessment questionnaire examples include:
    • Cloud Security Alliance – Consensus Assessments Initiative Questionnaire (CAIQ)
    • Center for Internet Security – CIS Critical Security Controls (CIS First 5 / CIS Top 20)
    • The National Institute of Standards and Technology – NIST (800-171)
    • Shared Assessments Group – Standardized Information Gathering Questionnaire (SIG / SIG-Lite)
    • Vendor Security Alliance – VSA Questionnaire (VSAQ)
     You’ll also want to ask each vendor for its security policy, program documents, and penetration testing results.
  7. Create clear vendor contracts. Specify service level agreements, compliance requirements, and roles and responsibilities in the event of a security breach. Consult subject matter experts, internally and externally, for input.
  8. Direct communication. Establish a clear line of communication between your vendors, management, and board to stay abreast of and manage issues, and solicit and respond to your vendor risk management program feedback.
  9. Conduct on-site audits. Where feasible and warranted by answers to the questionnaire, send your auditing team to vendor sites for in-person audits. Repeat these audits annually.
  10. Continuously monitor your vendors. Stay abreast of vendor changes, organization changes, regulations, and standards updates.

If You Need Help

As you can see, vendor risk management is an extensive program requiring adequate staffing and budget. Your enterprise can cut costs and time by using risk management software. Automation can perform many tasks, including generating and sorting questionnaires, staying on top of compliance requirements, and continuously monitoring third-party vendors.

The Difference Between Enterprise Risk Management (ERM) and Vendor Risk Management (VRM)

There are differences between enterprise risk management (ERM) and vendor risk management (VRM). So, having an ERM program doesn’t preclude you from needing VRM.

For your VRM to function as it should, your organization will want to have both, and your management, executive team, and board of directors should all be involved.

Enterprise risk management considers operational, reputational, credit, legal, regulatory compliance, cybersecurity, and all other areas of risk an organization might face, including vendor and third-party risk.

The ERM process entails creating risk policy standards, determining the enterprise’s risk appetite (how much the enterprise can stand to lose), and conducting an organization-wide risk assessment. Companies typically use an ERM framework to guide them through the ERM process, such as COSO’s Enterprise Risk Management – Integrated Framework.

Vendor risk management focuses on managing third-party vendors’ risks to an enterprise. It entails:

  • Identifying vendors (and, for third-party risk management, all third parties with which your organization does business, including suppliers, service providers, and customers)
  • Performing due diligence and risk assessments to ensure that each vendor’s information security and other operations fall within the risk appetite established in your ERM analysis
  • Continuously monitoring vendor risk posture in the light of new regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) and updates to existing laws such as the Health Insurance Portability and Accountability Act (HIPAA), all of which require third parties to comply.

How Do Third-Party Vendor Management Audits Work?

There are two kinds of third-party vendor management audits:

  • Internal, in which an internal auditor evaluates the contracting organization’s own vendor risk assessment process and control activities
  • External, in which an organization’s auditors analyze a third-party vendor’s risk and compliance with regulatory expectations and standards

Chief Risk Officers who manage third-party risks tend to oversee these audits.

An external audit will often include a request for documentation, interviews with the vendor, possibly an on-site review, and a report to management on vendor controls, efforts to mitigate control weaknesses, recommendations for ongoing monitoring, and more.

Internal audits check all the contracting organization’s internal processes in the scope of its vendor risk management program, including due diligence, contracts (including a contractual right to audit), vendor categorization, communications, and vendor performance.

Create a Vendor Risk Management Workflow

Vendor risk management (VRM) is increasingly important and complex as more organizations migrate their data and services to the cloud and manage applications. Creating a VRM process flow can simplify this critical job and help ensure success.

As you define workflows for VRM, include these steps:

  1. Vendor selection. Choose vendors that meet your organization’s requirements. Perform due diligence during the selection process, asking to see proof of compliance with applicable regulations and frameworks. Have the necessary forms for the data collection on hand to send with your requests.
  2. Contract approval. Make sure that your vendor contracts require regulatory compliance, assign roles and responsibilities in the event of a security breach, and ensure you have the right to audit their controls.
  3. Onboarding. Have approved processes and procedures for handling purchase orders and payment requests. Upon onboarding, assign permissions and access to your systems, networks, and data based on the vendor’s needs for access to do its job.
  4. Monitoring. Send vendor questionnaires periodically asking about risk management, security, and compliance. Use software to continuously monitor your vendors for changes in their risk posture.
  5. Termination. Have a well-defined process for offboarding, including terminating vendor access to your systems and returning any equipment you have supplied to them.

Vendor Risk Management by Framework

Several regulations and industry standards require third-party vendors to comply and may serve as frameworks for managing vendor risk.

  • The Health Insurance Portability and Accountability Act (HIPAA): Third-party risk management is addressed explicitly in this federal law. Under HIPAA, electronically stored protected health information (ePHI) that an organization creates, receives, maintains, or transmits must be protected against threats, hazards, and unauthorized use or disclosure. Under HIPAA, vendor contracts must contain privacy and security assurances.
  • System and Organization Controls for Service Organizations 2 (SOC 2): Third-party validation of adequate risk and security controls is increasingly required by contracting organizations in the form of SOC 2 certification.
  • The Payment Card Industry Data Security Standard (PCI DSS): Third-party risk management is integral to this industry standard. PCI DSS requires compliance from “third-party service providers,” defined as any vendor that stores, processes, or transmits cardholder data on behalf of a client organization and any vendor that could affect the security of the cardholder data environment.
  • The Federal Risk and Authorization Management Program (FedRAMP): Third-party assessment organizations are included in this federal program requiring strict security management from national government cloud providers, which are third-party service providers.
  • The General Data Protection Regulation (GDPR): Third-party risk management is required under this European Union law that applies to all entities that collect, process, store, sell, or share data belonging to EU residents. It states that organizations must take necessary steps to protect citizens’ data, including information shared with third parties (known as data processors). Third parties must also save that data and comply with all aspects of the GDPR.
  • Control Objectives for Information and Related Technologies (COBIT): Vendor risk management using COBIT is spelled out in subsection DS2, from identification to monitoring and measuring.
  • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework: Many organizations use COSO to mitigate third-party risk. The framework helps organizations minimize risk overall with processes and improved controls, and it addresses third-party risk throughout the document.

ZenRisk Is Your Vendor Risk Management Solution

You’ll need vendor risk management software to automate your vendor risk management. A comprehensive governance, risk, and compliance (GRC) software with VRM capabilities will serve quite well.

Why should you automate? Simply put, it’s the smart thing to do.

Doing due diligence reviews of third-party vendors and their security risks can take much time, effort, and expense if you’re using spreadsheets.

Once a vendor is onboarded, the task of keeping tabs on their security is only just beginning. You must send self-assessment questionnaires, obtain penetration testing results, update your vendor data, and more.

And you need to always be on top of changes in real-time. Otherwise, your own organization’s security and compliance could suffer.

Using Reciprocity ZenRisk to manage your third-party vendors takes the hassle and the worry out of vendor risk management. Its continuous monitoring features ensure you’re always on top of your third parties’ compliance hygiene.

In addition, it streamlines workflows, so you don’t have to do everything yourself, even sending out those dreaded questionnaires and tallying the results for you as they come in.

Zen keeps track of vendors’ compliance with multiple frameworks and provides continuous auditing in a few clicks with its internal audit feature. In addition, its user-friendly dashboards show you at a glance who’s compliant and who isn’t.

With ZenRisk automating your vendor risk management tasks, you and your team can focus on other, more critical tasks. Liberated from the tyranny of spreadsheets, your business will rise above the risks.

Why not speak with a Reciprocity expert today to schedule a demo?
