Inherent Risk Types Involved in a Vendor Risk Assessment
By: Hilary Jewhurst on March 22 2022
Every vendor relationship comes with some risk. Sometimes, it can feel overwhelming to identify and assess those vendor risks correctly. However, it doesn't have to be. Learning and understanding the primary types of vendor risk is an excellent way to begin. Let's get started with the basics.
2 Fundamental Vendor Risk Criteria to Know
An initial vendor risk assessment will help you identify and quantify the two essential elements of vendor risk – criticality and inherent risk:
- Criticality - In third-party risk management, criticality refers to processes, products and services that are vital to your operations, revenue stream and customers. In other words, your business would be materially impacted if these activities weren't performed as expected. By default, any third-party vendor performing a critical activity is, in fact, a critical vendor. To determine if a vendor is critical or not, you can ask these three questions:
  - Would a sudden and unexpected loss of this vendor cause a material disruption to your organization?
  - Would that loss impact your organization's customers?
  - Would the recovery time be longer than one business day or 24 hours (timing could vary based on the service provided)?
- Inherent Risk - Inherent risk is the risk associated with a specific product or service. It doesn't consider any existing or future controls (processes or tools) that could lessen the risk. Inherent risk considers the different types and amounts of risk present in an activity (product or service).
Tailor Risk to the Vendor
Inherent risk considers the different risk types and amounts associated with the product or service. Vendors have their own unique risk profiles. For example, an outsourced call center would raise different concerns than your organization's shredding company. It's essential to understand each of the different types of risk. Let's look at the risk types most commonly identified during the inherent risk assessment.
- Strategic Risk: Occurs when a prospective or current third-party vendor's decisions and actions are incompatible with your organization's strategic objectives.
  Ask the question:
  - Is this vendor going to operate in a manner consistent with our organization's practices and strategic objectives?
- Operational Risk: Broadly defined as the risk of loss resulting from a third-party vendor's ineffective or failed internal processes, people, controls or systems. Internal operational risk is directly influenced by people (e.g., mistakes or failures due to the direct actions or decisions of management and employees).
  Ask these questions:
  - Does the vendor have suitable policies and processes?
  - Do they properly train their employees?
- Business Continuity Risk: Occurs when an adverse event affects your third-party vendor's ability to conduct business and impacts your organization as a result. These events could include natural disasters, severe weather events, fires, utility outages, civil unrest, cyberattacks, pandemics, military actions or acts of terrorism. These events are usually beyond the third-party vendor's control; however, the third-party vendor should anticipate them and document a plan for if and when they occur.
  Ask the question:
  - Does the vendor have a documented and tested business continuity and disaster recovery plan?
- Compliance and Regulatory Risk: Arises from a third-party vendor's failure to comply with laws and regulations governing the products or services provided to your organization or its customers. Compliance risk can also occur when your third-party vendor doesn't follow your internal policies, procedures, business standards or codes of conduct.
  Ask these questions:
  - Does the vendor have a sound set of policies and procedures?
  - How has the vendor performed in recent exams or audits?
- Information Security and Privacy Risk: Information security risk stems from third-party vendor information security vulnerabilities and can arise when your vendor has access to your organization's or its customers' data, networks or even physical facilities. Cyberattacks and data breaches are two of the most common information security risks resulting from missing or ineffective controls. Your vendors must be able to safeguard the data entrusted to them. Privacy risk is closely related to information security risk but can also occur when a vendor uses or accesses sensitive or confidential data in a way not consistent with the intended and permissible use.
  Ask these questions:
  - Does the vendor have an independent third-party audit report or certificate (SOC, ISO or other)?
  - Has the vendor experienced any breaches or other information security or privacy events in the last three years?
  - Does the vendor have an aggressive and proactive process to detect or prevent information security issues?
  - Does the vendor have a documented privacy policy?
- Reputation Risk: Reputation risk incorporates the various ways your third-party vendor could directly or indirectly damage your reputation, brand or company name. This harm could result from their actions, poor service, lawsuits, outages, fraud or data breaches. Your reputation could also be damaged if a third-party vendor misrepresents their relationship with you, either directly or by using your logo or organization name.
  Ask these questions:
  - Does this vendor have a history of unresolved customer complaints?
  - Has this vendor had negative news and media attention?
  - Are there any ethical concerns regarding this organization or its owners or parent company?
- Financial and Credit Risk: Financial and credit risk is directly related to the vendor's financial condition. Suppose the vendor has insufficient investor funding, cash or credit available to meet their contractual obligations. In that case, there's a risk they won't be able to provide products and services to your organization.
  Ask these questions:
  - Does the vendor have a robust financial outlook?
  - Does the vendor have enough operating funds to service your organization for the contract duration?
3 Other Risk Types
The risks listed above are the most common risk types. However, other risks may need consideration depending on your vendor and the products or services they provide. Here are some examples of other vendor risks.
- Concentration Risk: This usually occurs when your organization has too many high-risk or critical services provided by a single vendor. This is also known as a single point of failure risk. Another definition of concentration risk is when a significant portion of your vendors are in the same geographic area. The proximity of vendors could cause additional business continuity risk if there were a natural disaster or another external event.
- Geo-Political Risk: Your vendor is in a country or location vulnerable to political unrest, corruption, violation of human rights, lax privacy and information security laws or other situations that could be harmful to your organization or its customers.
- Transaction Risk: Refers to the adverse effect of exchange rate fluctuations on a transaction before settlement. Your organization may be especially vulnerable to transaction risk when using nearshore or offshore vendors and paying in a foreign currency.
Using a standardized and objective inherent risk assessment is best to identify which vendor risks are present in your vendor relationship. Once the risks are identified and assessed, you can assign an inherent risk rating or score to each vendor relationship. That rating should inform your vendor risk management activities and help you prioritize the relationships that present the highest risk to the organization.
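One way to turn the criticality questions and inherent risk domains above into a repeatable, objective rating, as an added Python example (not Venminder's own tool); the domain weights, score thresholds and the yes/no "concern" answer model are assumptions made for illustration:

```python
"""Inherent vendor risk rubric: an added example, not Venminder's own tooling.

The criticality questions and risk domains come from the article; the domain
weights, thresholds and the yes/no "concern" model are assumptions.
"""
from dataclasses import dataclass, field

# The article's three criticality questions: a "yes" to any makes the vendor critical.
CRITICALITY_QUESTIONS = (
    "Would a sudden loss of this vendor cause a material disruption?",
    "Would that loss impact your organization's customers?",
    "Would recovery take longer than one business day?",
)

# Weight per inherent risk domain (assumed values; tune them for your program).
DOMAIN_WEIGHTS = {
    "strategic": 1, "operational": 2, "business_continuity": 2,
    "compliance": 2, "infosec_privacy": 3, "reputation": 1,
    "financial": 2, "concentration": 1, "geopolitical": 1, "transaction": 1,
}
THRESHOLDS = ((6, "high"), (3, "moderate"), (0, "low"))  # assumed cut-offs


@dataclass
class VendorAssessment:
    name: str
    criticality_answers: tuple                    # one bool per criticality question
    concerns: dict = field(default_factory=dict)  # domain -> True if a concern was raised

    def __post_init__(self):
        if len(self.criticality_answers) != len(CRITICALITY_QUESTIONS):
            raise ValueError("answer every criticality question")
        unknown = set(self.concerns) - set(DOMAIN_WEIGHTS)
        if unknown:
            raise ValueError(f"unknown risk domain(s): {sorted(unknown)}")


def is_critical(a: VendorAssessment) -> bool:
    return any(a.criticality_answers)


def inherent_score(a: VendorAssessment) -> int:
    # Inherent risk ignores controls, so only the presence of a concern counts.
    return sum(DOMAIN_WEIGHTS[d] for d, flagged in a.concerns.items() if flagged)


def inherent_rating(a: VendorAssessment) -> str:
    score = inherent_score(a)
    return next(tier for floor, tier in THRESHOLDS if score >= floor)


def prioritize(assessments) -> list:
    """Vendor names ordered for review: critical vendors first, then by inherent score."""
    key = lambda a: (is_critical(a), inherent_score(a))
    return [a.name for a in sorted(assessments, key=key, reverse=True)]
```

Keep the criticality flag and the inherent rating as separate outputs, since a critical vendor with a low inherent score still needs continuity planning while a non-critical vendor handling sensitive data still needs security due diligence.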