There are a couple of good reasons why we risk-rate vendors. First and foremost, we want to offer senior leaders and executives quantified and easily digestible risk metrics that allow them to make informed business decisions. Another reason is to triage due diligence, and ensure we’re prioritizing the more critical and inherently high-risk engagements first.
In third-party risk management, we spend a lot of time contemplating all the things we need to do for high-risk and critical vendors. Naturally, we want to be sure our organization is protected from the most egregious circumstances. Much like an emergency triage in the medical world, a timely and tactical assessment is done to evaluate the condition of each patient. By identifying the not-so-time-sensitive cases, resources can be allocated to life-and-death situations first. The key word here, though, is first.
Just because a vendor poses a lower amount of risk does not mean there is no risk. Much like keeping a little cut clean so it doesn’t get infected, low-risk vendor engagements can often be mitigated by standard maintenance, internal controls or general good hygiene.
What Is an Inherently Low-Risk Vendor?
Subjectively speaking, low risk would mean that the engagement with that vendor is fairly innocuous. They don’t have access to sensitive data, they don’t interact with your customers, they aren’t overly expensive, their services are nothing outside the “norm” of standard business practices and there isn’t a significant reliance on the vendor for operational or regulatory success.
Here are a few examples of inherently low-risk vendors:
- Landscapers
- Office supply providers
- Print companies (that don’t receive any sensitive information)
- Various commercial-off-the-shelf (COTS) software companies
- Promotional engagements
Keep in mind, the specific criteria for what may qualify a vendor to be inherently low-risk will vary in detail from organization to organization and industry to industry. Furthermore, any of these examples could potentially have a more elevated risk depending on the details of the relationship. The best thing you can do to determine whether a vendor is low or high risk is to consider risk factors, as opposed to the type of vendor it is.
Why Does “Inherent” Risk Matter?
Inherent risk is the amount of unavoidable risk a vendor poses simply based on the nature of the relationship. From there we take controls into consideration and determine the residual risk. If I were to ask, “does the vendor have adequate insurance coverage?” what we’re really calling into question are the controls in place to reduce the amount of risk a vendor could expose us to. I make this distinction because it is very important to understand the isolated, inherent risks of a relationship, not just the residual metrics (and, at the end of the day, the residual risk is what you want to report to the board).
Let’s go back to the medical example:
If someone has a cut, they may need a band aid. If they have an infection, perhaps antibiotics. If they’re hungover, they might just need a nap. None of these ailments are inherently very bad. If I have a lot of patients to treat, it would not be practical to hook all of them up to an IV, splint their arms and pump them with penicillin. I also don’t want to ignore a cut, because all it takes is a good rinse to prevent something much worse from happening down the line.
9 Important Questions to Ask to Determine the Inherent Risk
The following questions will help determine whether a vendor is low risk for your organization:
- Does this product or service in any way impact clients and/or customers?
- Does the vendor have direct access to clients and/or customers?
- Is sensitive data being accessed by this vendor? If so, will they host it?
- Does the vendor have unescorted physical access to our facilities?
- Does the vendor process financial transactions on our behalf?
- Do we rely on this product or service in order to maintain compliance with any regulatory guidance?
- Will any services provided by the vendor be supported from any location outside the continental United States?
- Is this a significant expense for our organization?
- Does the vendor have access to our network?
All of these questions are what I like to call “inherent risk questions,” because their answers have direct implications for the amount of risk a vendor would inherently pose. A low-risk vendor would be one where most of the answers are “no.” Again, the specific methodologies and quantification of risk based on these questions are up to you.
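One way to turn the nine questions into a repeatable triage model, as an added example that is not part of the original post: each question carries a weight, the weighted sum gives the inherent score and tier, and a separate step applies control effectiveness to produce the residual score without altering the inherent one. The weights, tier thresholds and control-effectiveness model are assumptions chosen for illustration, and the two sample vendors are constructed.

```python
# Added example: weighted inherent-risk triage over the nine questions above.
# Weights, thresholds and the residual-risk model are illustrative assumptions.
QUESTION_WEIGHTS = {
    "impacts_customers": 2,
    "direct_customer_access": 2,
    "accesses_sensitive_data": 3,
    "hosts_sensitive_data": 2,      # only counts if the vendor accesses it at all
    "unescorted_physical_access": 2,
    "processes_financial_transactions": 3,
    "supports_regulatory_compliance": 3,
    "supported_outside_conus": 1,
    "significant_expense": 1,
    "network_access": 3,
}
MAX_SCORE = sum(QUESTION_WEIGHTS.values())  # 22 with the weights above


def inherent_score(answers):
    """Sum the weights of every 'yes' answer (missing answers count as 'no').
    Hosting sensitive data is a follow-up question, so it adds nothing unless
    the vendor accesses sensitive data in the first place."""
    score = 0
    for question, weight in QUESTION_WEIGHTS.items():
        if not answers.get(question, False):
            continue
        if question == "hosts_sensitive_data" and not answers.get("accesses_sensitive_data"):
            continue
        score += weight
    return score


def tier(score):
    """Assumed thresholds: below 25% of the maximum is low, 50% or more is high."""
    ratio = score / MAX_SCORE
    if ratio < 0.25:
        return "low"
    if ratio >= 0.50:
        return "high"
    return "medium"


def residual_score(inherent, control_effectiveness):
    """Residual risk after controls. Effectiveness in [0, 1] scales the inherent
    score down; the inherent score itself is never modified by controls."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return round(inherent * (1 - control_effectiveness), 1)


# Constructed sample vendors: a landscaper and a hosted payroll provider.
LANDSCAPER = {"unescorted_physical_access": False, "significant_expense": False}
PAYROLL_SAAS = {"accesses_sensitive_data": True, "hosts_sensitive_data": True,
                "processes_financial_transactions": True,
                "supports_regulatory_compliance": True, "network_access": False}
```

Running `tier(inherent_score(PAYROLL_SAAS))` lands the payroll vendor in the high tier while the landscaper stays low, and `residual_score` shows how much a control such as insurance or a SOC 2 report is assumed to buy down the payroll vendor's number without changing its inherent rating.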
In third-party risk, as in medicine, a little triage goes a long way. Understand where your risks are, and to what level you need to mitigate them. Use the inherent risk data to allocate your resources effectively. Low-risk vendors are simply the ones that don’t need as much mitigation as the others. But remember: low risk does not mean no risk, and some simple TLC can be all it takes to ensure a little risk doesn’t take a bad turn.
Do you need more help determining your vendor's risk rating? Download this infographic to help.