Historical Use of Vendors Over Time

Before we address the purpose of vendor risk management we need to spend a few moments to understand how we got here. Looking back 20 years ago third-party vendors were used differently and not used as much. We did not perform any sort of vendor risk management. Considerations to use a vendor would be primarily based on cost. Today is a much different picture. We can easily create an entirely new business with a laptop, internet connection and a credit card. Software solutions can be purchased and used within organizations without getting IT involved; therefore, skipping the chance to properly evaluate the potential risk. The threat landscape has changed vastly and continues to evolve seemingly faster all the time.

Shift Control from Internal to Third Party

I reminisce about my first job coming out of college. The large company I worked for didn’t have internet access, we didn’t have email and we didn’t exchange data or allow others to access our data. All the control was in our hands. If we suffered some sort of incident it was up to us to fix it and get back on track. Today we outsource to third-party vendors for strategic reasons (increased efficiencies, new services, focus on core business objectives, etc.). Risky vendors will then increase our risk if not properly evaluated and managed. The control is shifted from us to the vendor. How much data are we giving to the vendor? Does a disruption in the vendor’s ability to provide services create an unaccepted situation? Does the vendor have a formal approach to securing your data? Do they have a risk management program that’s formally mandated and supported by their executive management? Do they treat your data with the same standards as you do?

Purpose of Vendor Risk Management

A lack of a complete and effective vendor risk management puts organizations at risk. Regulated industries like Finance, Healthcare and Public Utilities all require ongoing risk assessments. The use of third-party vendors needs to be incorporated into the risk assessment. A thorough and efficient vendor risk management program can make a difficult process run more smoothly.

Another reason you should consider a formal vendor risk management approach is to address the business impact risk that’s introduced by utilizing third party vendors. Your reputation could be tarnished by the actions of a vendor you use. Your organization could suffer unacceptable downtime or lack of service due to a vendor’s internal (or lack of) business practices. You could also be affected by a third-party vendor’s financial situation. If a vendor provides a critical or unique service that is not easily replaced, it’s in your best interest that their finances are in good order. Can they keep their lights on and provide you with the critical services you pay them for?

In a simple form, the purpose of vendor risk management is ensuring the use of third-party vendors and making sure they do not introduce a negative impact, business disruption or damage your reputation. It also puts you in a defensible position by showing you’re practicing proper due care and due diligence regarding information security and vendor risk management.

Vendor Risk Management Process

The vendor risk management process comprises of four steps. Once the initial process is started, new vendor and annual vendor reviews will be much faster and simpler to manage.

Identify your vendors – Any individual or company who provides you paid services. Working with Accounts Payable will cast the biggest net. Don’t forget about services purchased on a credit card – so check those statements!
Classify your vendors – Now you have the master vendor list you need to classify the vendor into high, medium and low risk categories. Department managers are typically the best to determine this since they have an idea of the types and amount of data the vendor has access to as well as how the vendor is used and what impact the vendor has on the business. This can sometimes be difficult at first because some managers might not understand their role in the vendor risk management process.
Assess vendor risk – A risk assessment should be performed on all high and medium risk vendors. The risk assessment should be the same criteria for all classes of vendors. Higher risk vendors will be under the microscope a bit more than the medium risk vendors. Low-risk vendors simply need to be evaluated for risk and documented. It’s important to show you’ve evaluated and classified ALL vendors, not just the ones you feel are important.
Risk treatment – Once risks are identified you need to determine if the risk is acceptable or if you will ask\require the vendor to mitigate identified risks. Remediation efforts by the vendor should be monitored and assurance made to you by the vendor that they did indeed address the risks identified. This might come in the form of policy developed, audit results or verified risk assessment performed certified information security expert.

The entire process is repeated on a regular basis, preferably annually. The initial startup of a vendor risk management program can be daunting but with the correct tools, it doesn’t have to be.

Who Do We Work For?

We all work for someone. Our industries might be vastly different but the common item we all have is we work for people. People entrust us with their finances, healthcare data, personal data, retirement funds, school grades, etc., the list goes on and on. Behind all that data are mothers, fathers, grandparents, aunts, uncles, nieces, nephews, sons, daughters, friends and neighbors. We owe it to them to do everything we can to protect their data as if it were our own. This is the REAL purpose of vendor risk management.

If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!