First, let’s start with the question, “why do I need to manage all vendors?”
We get asked this question all the time. If you have a vendor risk management program, then it’s likely you aren’t managing all your vendors (just the high-risk ones, or even a subset of those). The logic of focusing on the vendors that really matter seems rational, but here are some potential issues that arise with it:
- How are you deciding which ones to manage?
- Are you accounting for all the ways your vendors can impact you?
- Are you just managing the handful of vendors that you directly share confidential data with?
- Is there a specific trigger you use to pick vendors to manage? (sharing PHI for example)
From both a vendor risk and a defensibility standpoint, all those methods fall short. If you are using a manual process to manage VRM, this may be all you can accomplish given resource constraints and other priorities.
But what happens when a breach occurs at a different vendor, one that has access to your information but hasn't hit your radar? Or what happens when the relationship with a vendor changes and you don't know it changed?
There are many reasons to manage all vendors consistently. Here are a few:
- You are accounting for more risk.
- You can catch relationship changes and act accordingly.
- You can show that you have a consistent process.
All the above reasons make you more defensible should something bad happen. And let's be honest: you have hundreds of vendors, some of them have been breached, and some of them may be actively breached right now.
SecurityStudio makes it really easy to manage all vendors, as any good software should. Something that is basically impossible to do with a manual/spreadsheet process can be made very simple with a decent software solution.
To be clear, I'm NOT saying all vendors go through the same end-to-end process. I'm saying account for them all, and once they are classified, let their classification bucket (low, medium, or high risk) determine their path.
So where do you get the full list? Finance is the best place. You should be able to request a list of every vendor you have paid in the last 6 or 12 months from finance. This can be a large list. In our experience, 75% of those vendors will be low risk, which is fine. With SecurityStudio, each low-risk vendor can be processed in 2 minutes per year.
So enlist finance to help. They can export a CSV or XLS file. Any good software, including SecurityStudio, should be able to import your vendor list. In this way, you can go from your current process to a mature VRM program basically overnight.
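The workflow described above (import the finance export, classify every vendor into a bucket, route by bucket, and catch relationship changes against the previous cycle) as an added example in Python. This is illustrative code written for this post, not SecurityStudio's import or classification logic. The CSV, the previous-cycle snapshot, the three yes/no intake columns, the bucketing rule (PHI or system access is high, any confidential data is medium, everything else is low) and the per-tier review path are all constructed assumptions.

```python
import csv
import io

# Constructed sample (not real data): the finance export of every vendor paid
# in the last 12 months, merged with the yes/no attributes the VRM team
# records at intake. A raw finance export would normally carry only name
# and spend; the three attribute columns are an assumption of this example.
FINANCE_EXPORT_CSV = """vendor,paid_last_12m,shares_confidential_data,handles_phi,has_system_access
Acme Payroll,120000,yes,no,yes
Office Snacks Co,4000,no,no,no
CloudBackup Inc,30000,yes,no,no
MedTranscribe LLC,55000,yes,yes,no
Lawn Care Ltd,2500,no,no,no
"""

# Constructed snapshot of what the VRM program knew after the last cycle.
# Two vendors on the finance list are missing here, and one has changed.
PREVIOUS_TIERS = {
    "Acme Payroll": "high",
    "Office Snacks Co": "low",
    "CloudBackup Inc": "low",   # relationship changed: now shares confidential data
}

# Hypothetical path per bucket; the cadence is this example's assumption.
PATH_BY_TIER = {
    "low": "annual self-attestation",
    "medium": "questionnaire every 12 months",
    "high": "full assessment plus evidence review",
}


def _yes(value):
    return value.strip().lower() == "yes"


def parse_finance_export(csv_text):
    """Parse the finance CSV into dicts, converting yes/no columns to booleans."""
    vendors = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendors.append({
            "vendor": row["vendor"].strip(),
            "paid_last_12m": float(row["paid_last_12m"]),
            "shares_confidential_data": _yes(row["shares_confidential_data"]),
            "handles_phi": _yes(row["handles_phi"]),
            "has_system_access": _yes(row["has_system_access"]),
        })
    return vendors


def classify(vendor):
    """Assumed bucketing rule: PHI or system access -> high,
    any confidential data -> medium, otherwise low."""
    if vendor["handles_phi"] or vendor["has_system_access"]:
        return "high"
    if vendor["shares_confidential_data"]:
        return "medium"
    return "low"


def triage(vendors, previous_tiers):
    """Classify every vendor, group them by bucket, and flag vendors that are
    new to the program or whose bucket moved since the previous cycle."""
    report = {"by_tier": {"low": [], "medium": [], "high": []},
              "new": [], "changed": []}
    for v in vendors:
        tier = classify(v)
        report["by_tier"][tier].append(v["vendor"])
        old = previous_tiers.get(v["vendor"])
        if old is None:
            report["new"].append(v["vendor"])          # never on the radar
        elif old != tier:
            report["changed"].append((v["vendor"], old, tier))  # reassess
    return report


def path_for(vendor):
    """The review path a vendor follows, determined only by its bucket."""
    return PATH_BY_TIER[classify(vendor)]


if __name__ == "__main__":
    vendors = parse_finance_export(FINANCE_EXPORT_CSV)
    report = triage(vendors, PREVIOUS_TIERS)
    for tier, names in report["by_tier"].items():
        print(f"{tier:6} ({PATH_BY_TIER[tier]}): {', '.join(names) or '-'}")
    print("new to the program:", report["new"])
    print("bucket changed since last cycle:", report["changed"])
```

Running this against the constructed data puts two vendors in the high bucket, one in medium and two in low, reports MedTranscribe LLC and Lawn Care Ltd as vendors the program never tracked, and flags CloudBackup Inc as having moved from low to medium, which is exactly the kind of relationship change a high-risk-only program would miss.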
To get your easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!