10 Best Practices of Successful Vendor Risk Assessments


Assessing vendor risk is an essential practice for organizations to safeguard themselves and their customers from a wide array of potential threats. Vendor risks encompass operational challenges, cybersecurity vulnerabilities, compliance issues, damage to reputation, and financial hazards, among others. Every vendor engagement carries at least some inherent risks, making it imperative for organizations to diligently identify and evaluate the specific types and levels of risks associated with the goods or services provided by their vendors.

A vendor risk assessment considers vendors’ inherent risks and ensures vendors have robust risk management practices and controls in place to effectively mitigate potential threats. 

What a Vendor Risk Assessment Is

Vendor risk assessments are typically part of an organization’s due diligence efforts both at the start of the vendor relationship and periodically thereafter. A vendor risk assessment involves using various tools and methods to systematically verify the vendor's business standing and reputation, gather details about the vendor's risk management controls and practices, and obtain documented evidence of these controls to be reviewed and evaluated. The vendor risk assessment process also helps identify any gaps and weaknesses that need to be addressed.

Vendor risk assessments ultimately enable your organization to confirm how effectively a vendor identifies and mitigates the risks it is exposed to. They are not just a best practice; for many industries they are a regulatory requirement. It’s always important to remember that while an organization can outsource products and services to a vendor, it can never outsource the risk. This makes vendor risk assessments foundational to effective risk management. Without them, your organization might overlook significant issues, rely on ineffective, outdated, or missing vendor risk management controls, or miss other problems that can lead to regulatory enforcement, legal action, financial loss, and reputational damage. To ensure your vendor risk assessments are as effective as possible, let’s review 10 best practices.

10 Best Practices for Successful Vendor Risk Assessments

  1. Make sure you haven't overlooked any vendors. To ensure you have a complete and accurate vendor inventory, it's important to compare your own vendor list with the one provided by your accounts payable department. This will help you identify any discrepancies or missing vendors and ensure all vendors are properly accounted for in your records.
  2. Organize your actively managed vendors into groups. Sort the vendors into different groups based on product or service (e.g., processors, marketing agencies, cloud storage providers). Every product or service type will carry unique risks and vendors within the same category will often share the same risks. Organizing your vendor inventory this way ensures vendors within the same category are evaluated against common standards in your vendor risk assessment. As the risk landscape evolves, those standards can be updated. This reduces the likelihood of inconsistent vendor risk assessments or possibly overlooking a vendor’s need for new or updated controls.
  3. Assess the inherent risks in each product or service. To properly evaluate all risks in a vendor relationship, you'll need to first risk rate each product and service provided by the vendor and then the vendor as an entity. This is achieved through an inherent vendor risk assessment, which is always an internal process. By conducting this assessment, you avoid making assumptions about the types and levels of risk for any vendor and can determine the level of vendor due diligence and risk assessment required. Every vendor relationship and product or service must be assigned a risk rating, typically on a scale of low, moderate, or high risk.
  4. Identify the criticality of each engagement and vendor relationship. Criticality is all about impact, and critical vendors are those that can cause significant negative impacts to your operations or customers should the vendor fail. To determine your vendor’s criticality, ask the following questions:
    • Would a sudden loss of this vendor cause a disruption to our organization?
    • Would that disruption impact our customers?
    • If the time for the vendor to recover operations exceeded 24 hours, would there be a negative impact to our organization?

      If you answer yes to any of those questions, you are probably dealing with a critical product or service and vendor relationship. Every engagement should be identified as critical or non-critical. 
  5. Risk rate each of your vendors. While each vendor engagement should carry its own risk rating, the vendor relationship as a whole should be assigned a risk level. The risk rating for the vendor relationship should default to the highest risk rating of the provided products and services. For example, a vendor provides two low-risk products, and one high-risk product. In this case, the vendor risk rating should default to high risk.
  6. Determine the scope of necessary vendor due diligence. Due diligence is a multipart process that typically requires a vendor to complete a questionnaire about its delivery of the product or service and the risk management controls and practices that mitigate the risks identified in the inherent risk assessment. It’s also necessary to collect documentation that evidences the vendor's controls. All information and documentation gathered should be reviewed by qualified subject matter experts who have professional credentials and expertise in their specific risk domains. 

    Due diligence should always be risk-based and reflect both the criticality of the product or service and the level of risk. For example, in cases involving critical or elevated-risk vendors, more extensive due diligence is necessary. Vendor risk assessments should consider the following:
    • Strategic risk: Do the vendor’s actions and business decisions align with your organization’s goals?
    • Reputation risk: Is the vendor linked to negative news because of events like data breaches or consumer law violations?
    • Operational risk: Will the vendor be prepared for internal or external operational failures?
    • Transaction risk: Will the vendor process or accept payments on behalf of your organization?
    • Financial and credit risk: Does the vendor have poor financial health that can affect its ability to provide products or services to your organization?
    • Compliance risk: Are the vendor’s products or services governed by any laws or regulations?
    • Information security and cyber risk: Does the vendor store, transmit, or access your organization’s sensitive data? Does the vendor have a robust information security program in place to protect against cyberattacks and data breaches?
    • Concentration risk: Do you have multiple vendors in the same geographic location? Are your critical products or services concentrated within a single vendor?
  7. Keep a disciplined approach. An effective vendor risk assessment process needs to be consistent in form and content and must be repeatable and reportable.
  8. Always complete vendor due diligence before you sign or renew a contract. Before signing a contract, ensure all risks have been identified and the vendor's controls have been verified. Failing to do so may mean the vendor is under no obligation to address any issues discovered in the vendor risk assessment. Use your contract to legally obligate the vendor to mitigate identified issues within a specific time frame.
  9. Keep current with regulations. Numerous regulations, such as the Interagency Guidance on Third-Party Relationships, the EU's General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA), along with various state privacy laws, mandate vendor risk assessments. Regulatory bodies expect organizations to understand the risks posed by their vendor relationships and confirm vendors are capable of performing activities as expected, adhering to the organization's policies, complying with all applicable laws and regulations, and conducting activities in a safe and secure manner. As new regulations are introduced or existing ones are updated, it’s essential to make sure you understand the requirements for vendor risk assessments to ensure compliance.
  10. Keep senior management and the board informed. The third-party risk management team should provide regular updates to senior management and the board. This includes informing the board of the results of vendor risk assessments for new critical vendor relationships, as well as part of periodic vendor risk assessments for existing critical relationships.

Additional Considerations for Vendor Risk Assessments

Ensuring you’ve completed initial due diligence and vendor risk assessment before executing the vendor contract is essential. It’s important to also keep in mind that vendor risks and risk management practices can change over time. For this reason, a vendor risk assessment is never just a one-and-done activity. You’ll need to periodically re-assess the risks in the vendor engagement, refresh due diligence (including documentation), and validate vendor controls throughout the lifetime of the vendor relationship. How often you do this should depend on the risk level and criticality of the vendor engagement.

Here are the recommended intervals for vendor risk assessments:

  • All critical and high-risk engagements should be re-assessed and evaluated at least on an annual basis.
  • Moderate-risk engagements should be re-assessed and evaluated every 18 months to two years depending on the product and service.
  • Low-risk engagements do not typically require extensive due diligence but should be re-assessed every two to three years or before any contract renewal.

Keep in mind that more frequent vendor risk re-assessments and evaluations may be necessary when a vendor experiences issues such as a data breach or declining performance. Your organization may determine the frequency and rigor of vendor risk assessments, but it’s important to ensure your practices reflect regulatory expectations, are always documented, and are executed consistently.
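The inventory reconciliation (practice 1), criticality questions (practice 4), "highest rating wins" vendor rating (practice 5) and the re-assessment intervals above are mechanical enough to encode. The script below is an added example, not Venminder code: the vendors, engagement ratings and accounts-payable list are constructed sample data, and the 18-month and 24-month figures chosen inside the moderate and low ranges are assumptions.

```python
"""Vendor inventory checks: AP reconciliation, vendor-level risk rating,
criticality, and next re-assessment date. Added example with constructed data."""
import calendar
import re
from dataclasses import dataclass, field
from datetime import date

RISK_ORDER = {"low": 0, "moderate": 1, "high": 2}

# Re-assessment intervals in months. Critical and high-risk: at least annually.
# Moderate: 18 months to two years (18 used here, an assumption).
# Low: two to three years (24 used here, an assumption).
REVIEW_MONTHS = {"high": 12, "moderate": 18, "low": 24}

LEGAL_SUFFIXES = {"inc", "incorporated", "llc", "ltd", "limited", "corp", "corporation", "co"}


@dataclass
class Engagement:
    product: str
    inherent_risk: str  # "low", "moderate" or "high", rated internally (practice 3)
    loss_disrupts_operations: bool
    disruption_reaches_customers: bool
    recovery_over_24h_harms_us: bool

    @property
    def critical(self) -> bool:
        # A "yes" to any of the three criticality questions makes the engagement critical.
        return (self.loss_disrupts_operations
                or self.disruption_reaches_customers
                or self.recovery_over_24h_harms_us)


@dataclass
class Vendor:
    name: str
    engagements: list = field(default_factory=list)

    @property
    def risk_rating(self) -> str:
        # Practice 5: the relationship defaults to the highest product/service rating.
        return max((e.inherent_risk for e in self.engagements), key=RISK_ORDER.__getitem__)

    @property
    def critical(self) -> bool:
        return any(e.critical for e in self.engagements)


def normalize(name: str) -> str:
    """Lower-case, drop punctuation and trailing legal suffixes so that
    'Acme Cloud, Inc.' and 'ACME CLOUD INC' reconcile as the same vendor."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def reconcile(inventory_names, ap_names):
    """Practice 1: compare the TPRM inventory with the accounts-payable vendor list.
    Returns (paid vendors missing from the inventory, inventory vendors AP never paid)."""
    inventory = {normalize(n): n for n in inventory_names}
    ap = {normalize(n): n for n in ap_names}
    missing_from_inventory = sorted(ap[k] for k in ap.keys() - inventory.keys())
    not_in_ap = sorted(inventory[k] for k in inventory.keys() - ap.keys())
    return missing_from_inventory, not_in_ap


def add_months(d: date, months: int) -> date:
    # Clamp the day so month-end dates do not overflow into the next month.
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_review(vendor: Vendor, last_assessed: date, as_of: date, adverse_event: bool = False) -> date:
    """Due date of the next re-assessment. An adverse event (breach, declining
    performance) makes the review due now; otherwise critical vendors stay on the
    annual cycle regardless of rating, and the rest follow REVIEW_MONTHS."""
    if adverse_event:
        return as_of
    months = 12 if vendor.critical else REVIEW_MONTHS[vendor.risk_rating]
    return add_months(last_assessed, months)


# Constructed sample data (not real vendors).
SAMPLE_INVENTORY = [
    Vendor("Acme Cloud, Inc.", [
        Engagement("object storage for customer records", "high", True, True, True),
        Engagement("marketing newsletter tool", "low", False, False, False),
    ]),
    Vendor("Ledger Analytics Ltd", [
        Engagement("monthly reporting dashboards", "moderate", True, False, False),
    ]),
    Vendor("PrintCo", [Engagement("branded stationery", "low", False, False, False)]),
]
SAMPLE_AP_LIST = ["ACME CLOUD INC", "PrintCo", "Shadow Payroll LLC"]


def run_sample(last_assessed="2024-01-31", as_of="2024-06-01") -> dict:
    """Run every check over the sample data; dates are ISO strings for reporting."""
    last, now = date.fromisoformat(last_assessed), date.fromisoformat(as_of)
    missing, unpaid = reconcile([v.name for v in SAMPLE_INVENTORY], SAMPLE_AP_LIST)
    return {
        "missing_from_inventory": missing,
        "not_in_ap": unpaid,
        "vendors": {v.name: {"risk": v.risk_rating, "critical": v.critical,
                             "next_review": next_review(v, last, now).isoformat()}
                    for v in SAMPLE_INVENTORY},
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

Two things the sample is built to surface: "Shadow Payroll LLC" is being paid but was never onboarded into the inventory, and "Ledger Analytics Ltd" is only moderate risk yet lands on the annual cycle because losing it would disrupt operations, so criticality, not the risk rating alone, drives the review schedule.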

Managing vendor risks is a critical aspect of building a successful organization. As a result, vendor risk assessments have become an essential component of effective third-party risk management programs. Through the vendor risk assessment process, you can identify potential vulnerabilities in your vendor's risk management practices and controls and ensure they’re adequately mitigating known risks. Ultimately, implementing a robust vendor risk assessment process can help safeguard your organization against existing and potential threats.
