Vendor risk management (VRM) is a practice that identifies, mitigates, and manages the threats within an organization’s vendor relationships. Other common terms for vendor risk management include vendor management and third-party risk management (TPRM), which is the variation used in the gold standard of third-party regulations – the Interagency Guidance on Third-Party Relationships: Risk Management.
The terms “risk” and “threat” can understandably be concerning, but the reality is that every vendor relationship, regardless of how valuable or essential, will pose at least some level of risk to an organization. What’s important to do is identify these risks and understand how to manage them so your organization can safely engage with its vendors. Some vendors might provide products and services directly to your organization, while others could interact directly with your customers, like an outsourced call center. While vendor risk management is a regulatory requirement for many organizations, it should be considered a best practice for all because of its financial, reputational, strategic, and operational benefits.
To better understand this practice of vendor risk management, it’s important to cover some core topics. First, we’ll explore some of the reasons why vendor risk management is necessary. Then, we’ll review the concept of the vendor risk management lifecycle and how you can follow it within your organization. If you’re new to vendor risk management, these processes can seem overwhelming, but we’ll provide some best practices that will help put you on the right path.
Why Is Vendor Risk Management Necessary?
Before beginning a new vendor risk management strategy or making improvements to an existing one, it’s usually important to understand the “why.” Communicating some of these reasons for vendor risk management will help align goals and expectations throughout your organization, while also ensuring you receive the support and collaboration you need.
Here are 5 reasons why vendor risk management is necessary:
- It’s a regulatory expectation for many industries. Several regulators, including the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Consumer Financial Protection Bureau (CFPB), National Credit Union Association (NCUA), and United States Department of Health and Human Services (HHS), have issued guidance related to vendor risk management. These regulators often look to each other for best practices that can be beneficial to almost every organization, across all industries. Even if you’re not in a regulated industry, it’s best practice to follow these expectations.
- It helps your organization remain prepared to protect itself from cybersecurity incidents. If your vendors have access to your customers’ sensitive data, how can you be certain they’re protecting it? Vendor risk management includes processes that help ensure your vendors are protecting sensitive data and notifying your organization if there’s a breach.
- It promotes consistent quality. When your organization outsources a product or service to a vendor, it’s not always easy to ensure the quality is consistently meeting your expectations. Certain elements of vendor risk management like contractual service level agreements (SLAs) and regular performance monitoring can help promote consistent quality in your vendor relationships.
- It can help reduce costs. Vendor risk management can offer cost-savings benefits in a few different ways. On one hand, it can help avoid costly legal fees and regulatory fines that can arise out of a vendor’s actions. If your vendor violates consumer laws or suffers a data breach, there’s a chance your organization can be found liable. Vendor risk management can also reduce costs with regard to contract renewals. Some organizations fail to have a contract management process in place and miss the renewal period, which can include unexpected price increases. Contract management is a core component of vendor risk management, which can help avoid these situations.
- It helps prevent operational disruptions. Many organizations rely on certain vendors to sustain their operations. Consider some examples like IT service providers, core processors, or cloud providers and then think about how your organization might be unable to function if these vendors suffered an extended outage. Assessing a vendor’s business continuity and disaster recovery planning is an important activity in vendor risk management, which can help you avoid disruptions to your operations.
How to Follow the Vendor Risk Management Lifecycle
An easy way to keep track of all the activities you must perform in a vendor relationship is to follow the vendor risk management lifecycle.
Here’s a brief overview of the stages and activities that you can implement into your organization:
Onboarding Stage of the Vendor Risk Management Lifecycle
Before you decide to partner with a vendor, it’s essential to do some planning and research to determine whether it’s the right choice. And before you sign the vendor contract, it’s important to review and understand the vendor’s risk and determine the controls your organization will need to put in place.
Vendor onboarding generally involves these steps:
- Planning & Risk Assessment – In vendor planning, you’ll designate a vendor owner, the individual within your organization who will manage the vendor relationship and communicate with the vendor regarding document requests. You’ll also need to identify your organization’s exit strategy for the end of the vendor relationship. An exit strategy might be switching to another vendor, bringing the outsourced activity in-house, or discontinuing the activity altogether.
  Then, you’ll conduct an inherent risk assessment to determine the types and levels of risk associated with the vendor’s product or service. Inherent risk is the amount of risk present in the vendor relationship, product, or service before any controls are applied. We often see it measured on a scale of low, moderate, and high. Risk types may include strategic, operational, compliance, information security, financial, and reputational.
  This step also involves determining whether a vendor is critical or non-critical to your operations. A vendor is typically deemed critical if its failure to perform as expected would have a significant impact on your organization or customers.
- Due Diligence – Collect and review vendor information based on the vendor’s inherent risk and criticality. This information might include financial statements, SOC reports, business continuity plans, and more, in addition to standard business records like the vendor’s tax ID and OFAC check. Certain information like financial statements and SOC reports should always be reviewed by qualified subject matter experts (SMEs) who can provide an opinion on the vendor’s controls.
  For example: A CPA would be qualified to review a vendor’s financial statements and give an opinion on the vendor’s financial health.
- Contracting – After selecting a vendor, it’s time to negotiate and sign the contract. Keep in mind that the vendor is only liable for the terms of the signed contract, so it’s important to work closely with your legal team to ensure that the contract is written well.
You may want to negotiate certain contract provisions such as:
- Service level agreements
- Insurance requirements
- Regulatory compliance standards
- Cybersecurity and data privacy protection processes
- Right to audit clause
Ongoing Stage of the Vendor Risk Management Lifecycle
This is perhaps one of the most overlooked stages in vendor risk management because some organizations assume they’re “safe” and nothing will change after the contract is signed. These activities can help identify any changes in your vendor’s risk and performance that can negatively impact your organization:
- Re-Assessments – The vendor owner should perform a risk re-assessment to verify whether anything has changed. Perhaps a new regulation was released that has affected your vendor’s product, or your organization recently outsourced a new service to this vendor. Both scenarios should be reflected in the inherent risk assessment.
  Critical and high-risk vendors should be re-assessed at least annually, or more frequently if the vendor is experiencing issues like security incidents or declining performance. Moderate-risk vendors should be re-assessed every 18-24 months, and low-risk vendors can generally be re-assessed every three years or during contract renewal.
- Monitoring & Performance – For vendor monitoring, consider using vendor risk alert services to stay updated on any changes to your vendor’s credit rating, cybersecurity posture, and more. These services can be timelier and more relevant than ordinary online search alerts.
  You should also regularly review and monitor your vendor’s performance to identify any changes or issues. Maybe your vendor is exceeding your performance expectations, which entitles them to a bonus payment. Or perhaps your critical vendor’s performance has been steadily declining, which warrants a discussion with the board and senior management about potentially terminating the relationship.
- Renewals – Review your vendor contract mid-term, which gives sufficient time to negotiate any changes before the renewal period. In addition to a mid-term review, contracts should be regularly managed to ensure the vendor is delivering products or services as expected.
- Due Diligence – Due diligence actually appears twice in the lifecycle. It’s crucial to collect and review vendor due diligence throughout the relationship, especially when there are changes to the inherent risk assessment. Due diligence should still be refreshed periodically, even if the inherent risk hasn’t changed. SOC reports and insurance certificates can expire, so it’s important to track these documents and ensure they remain current. Formal due diligence reviews can usually follow the same schedule as risk re-assessments.
Offboarding Stage of the Vendor Risk Management Lifecycle
Last but not least, it’s important to consider the offboarding stage of a vendor relationship. The reasons for offboarding can vary between the expected end of the contract term or an early termination because of performance issues. Whether offboarding occurs after six months with a vendor or six years, your organization must consider the following activities for every relationship:
- Termination – Thoroughly read through your contract to understand the termination requirements, including details about timing and costs. You can then formally notify your vendor that the contract won’t be renewed or that you’re choosing to terminate early.
- Exit Plan Execution – Follow your exit plan, which should include details about both parties’ tasks and responsibilities. The exit plan is essentially how you’ll execute the exit strategy, which was determined during the onboarding stage. While executing the exit plan, your vendor may need to return or destroy any sensitive data, while your organization might need to review or approve certain processes.
- TPRM Closure – Complete any final steps to close the vendor relationship and end the TPRM process. This might include updating the vendor’s status in your vendor risk management and accounts payable systems and archiving the vendor’s documents for future audits or exams.
Vendor Risk Management Best Practices
In addition to following the vendor risk management lifecycle, there are several best practices to keep in mind that will help ensure your time and efforts are well spent. Many organizations have limited resources when it comes to vendor risk management, so it’s important to understand how to create efficiencies by implementing the following best practices:
- Understand your industry’s regulations. Your organization is ultimately responsible for complying with all relevant laws and industry regulations. It’s important to stay informed of any changes and ensure both your organization and vendors are compliant.
- Establish governance documents. Most vendor risk management programs have a policy, program, and procedures.
  - The policy is the foundational document of vendor risk management and should clearly outline the rules, regulatory requirements, roles and responsibilities, and oversight and governance. It’s typically reviewed and approved by the board of directors and senior management at least annually.
  - The program document is recommended to provide a more in-depth look at the concepts defined in the policy. It informs senior management and other stakeholders about the necessary processes, workflows, and activities that will meet the policy requirements.
  - The procedures are step-by-step instructions that inform the user on how to perform a certain vendor risk management process, such as requesting a due diligence document from a vendor or completing an inherent risk questionnaire.
- Define roles and responsibilities. Vendor risk management involves many processes across different business departments, such as finance, legal, information security, and more. It’s best to define roles and responsibilities and document them in your policy so stakeholders have a clear understanding of what they’re expected to perform.
- Identify your vendors. Begin by reaching out to your accounts payable department for a vendor list. This should include any vendor or third party with whom you have a business relationship, whether they provide products and services to your organization or your customers. It’s also important to identify which products and services they provide.
- Determine the scope of the program. Not every third party will need to be in scope for vendor risk management. Public utilities, sponsorships, and industry memberships will generally not need to go through vendor risk management because there might not be an alternative in the market. Your organization must make this determination, but keep in mind that regulators will expect you to articulate and defend your reason for excluding certain third parties.
- Keep the board and senior management informed. Reporting to your board and senior management helps set the tone from the top so they can make strategic decisions on vendor activity. Vendor risk management reporting should be consistent and simple, with a clear goal of informing your stakeholders and driving action.
- Look for opportunities to continuously improve. Vendor risk management is continuously evolving and there will always be opportunities to improve your processes. New risks can emerge, and regulations can be revised, so it’s important to review your program at least annually to identify any areas of improvement.
As you continue to partner with vendors that provide value to your organization, remember that vendor risk management is a necessary business practice that will support safer vendor relationships.