Article
Vendor risk assessment guide
A vendor risk assessment, also referred to as vendor risk review, is the process of reviewing, measuring, and prioritizing a vendor’s operations and products against a set of cybersecurity threat criteria to measure their risk level. Whether a vendor falls within acceptable risk limits is usually based on more than a simple score.
Part of the vendor risk assessment process is determining if the risk is within the organization’s acceptable limits and if the rewards of the relationship (i.e., the value of the product or service) outweigh the risk.
A vendor risk assessment should be performed at various stages of the relationship to ensure that the balance between risk and reward still aligns with the organization’s standards. Stages during the vendor management lifecycle, when a vendor risk assessment is usually performed, include:
- During sourcing and selection, a final list of vendors for consideration should be created based on their risk level.
- Before a vendor is onboarded, a final round of due diligence should performed to confirm that the risk they pose makes them eligible to access systems and data.
- Throughout the relationship, a vendor risk assessment should be done to evaluate performance and adherence with the contracted (SLAs) and to meet audit requirements.
- At the end of a relationship, a final vendor risk assessment should be completed to make sure that all access has been removed and any sensitive information has been returned or destroyed.
- Following an incident, any associated or potentially associated vendors should be reviewed to identify their involvement.
For these third-party risk assessments, a vendor includes nearly any organization or individual. These can include:
- Manufacturers and suppliers (i.e., providers of anything from software and building materials to cleaning supplies and cafeteria food)
- Service providers (i.e., public relations consultants and financial advisors to repair and janitorial services)
- Short-term and long-term contractors (i.e., construction teams and specialists to technical developers and graphic designers)
Why are vendor risk assessments important?
Conducting a vendor risk management assessment is important when bringing any new vendor on board to be sure that they fit within the acceptable risk parameters for the organization. If risks are identified, but considered acceptable, processes can be put into place to monitor them and take action if risk levels change. Organizations should also have a plan for performing periodic vendor risk assessments to ensure that standards continue to be met and no new risks have been introduced.
The most important reason for a vendor risk assessment is to protect sensitive information and systems to meet internal security standards as well as regulatory compliance requirements. If a vendor is given access to any networks, data, or applications, a vendor risk assessment is critical to ensure that they do not become an exploited cyber vulnerability.
In addition to identifying cyber risks, a vendor risk assessment can also determine if there are other risks, such as financial, operational, reputational, or compliance risks.
Types of vendor risk
To accurately assess vendor risk, it is important to understand the types of risk they can present. The following are several of the largest areas of risk that organizations consider during assessments. Vendor risk assessments should take into account the likelihood of the risk, potential impact, and availability and efficacy of mitigation measures.
- Compliance risk
Legal or regulatory penalties that an organization is subject to if they fail to meet requirements - Cybersecurity risk
Potential exposure or loss resulting from a cyber attack, data breach, or other security incident, as well as the quality and track record of IT and data management processes and infrastructure - Downstream risk
Limitations of smaller suppliers that provide parts or materials for the contracting organization (e.g., restricted resources to produce the products, significant backlog, or inability to sustain the business in an economic downturn) - Financial risk
Has or makes enough money to continue their operations to meet the contracting organization’s needs - Fraud and theft risk
Breadth and quality of security controls in place to identify and respond to theft or fraud (e.g., billing schemes to create false payments, bribery, check tampering, or extortion) - Geographic risk
Located in regions prone to hurricanes, earthquakes, or other natural disasters - Geopolitical risk
Located in areas subject to conflict, unstable governments, or nationalization of assets - Operational risk
Uncertainties and hazards, such as financial losses, loss of key personnel, faulty systems or procedures, or external events - Replacement risk
Options for substitution in the event that the vendor will not or cannot adhere to the contract terms and conditions - Reputational risk
Any reputational damage that can come from working with a vendor (e.g., past incidents, controversial positions or activities, or issues facing someone on the management team) - Strategic risk
Potential that the vendor could pose a strategic risk (e.g., developing a competing product or service, adverse effects of foreign exchange rates, or transportation issues) - Subsequential risk
Fourth-party vendors who do not meet risk standards - Upstream risk
Sufficient inventory of material inputs needed for production to meet current and future needs
Evaluating vendor risks
When evaluating vendor risk, the following risk categories should be considered.
Criticality
Vendors should be classified according to their criticality—critical to non-critical levels.
The vendor risk assessment should identify whether and the degree to which vendors could cause negative effects on an organization if they experience business disruption or termination.
Inherent risk
A vendor risk assessment should score vendors’ inherent (i.e., low to high) in various categories, including:
- Compliance risk
- Cybersecurity and data privacy
- Financial risk
- Geopolitical
- Reputational
Selection process evaluations
Vendors should be screened early in the selection process to identify red flags that should put them outside of the organization’s acceptable risk threshold. These red flags include:
- No disaster recovery plan
- Failure to have their own risk protocols and management systems in place
- Low reputational rating
- Lack of systems, processes, and policies to adequately protect data
- Lack of sufficient evidence to support financial viability
- Required licenses and permits are expired or nonexistent
Steps in vendor risk assessment
A vendor risk assessment should follow several core steps to ensure that critical information is not overlooked and all parts are properly documented for future audits.
- Step 1: Know the applicable types of vendor risk.
Before conducting a vendor risk assessment, it is necessary to understand which types of risks are applicable to the organization. - Step 2: Determine risk criteria and thresholds.
Risk criteria are based on the organization. It should include specific details to be assessed as well as guidance on acceptable thresholds and exceptions. - Step 3: Build a vendor risk assessment process
Develop standardized requirements, controls, and roles and responsibilities for each part of the process. - Step 4: Select the type of assessment questionnaire and draft questions.
Choose the type of questionnaire to be used, an industry-standard questionnaire or proprietary questionnaire, and draft the questions. For some industries, there are standardized questionnaires available, such as the H-ISAC questionnaire for healthcare organizations. - Step 5: Send the vendor risk assessment questionnaire to third parties.
Send the questionnaire to all vendors. Be sure to include a due date and to outline the subsequent review process and timeline. - Step 6: Evaluate and score vendor risk assessment questionnaires.
Use a standardized rating system to score and rank each vendor by category and risk level. - Step 7: Create a vendor inventory.
All selected, or retained, vendors should be cataloged according to type (i.e., criticality) and risk level (i.e., inherent risk). Details about them are listed in a vendor inventory that includes the vendor risk assessment and any supporting materials. - Step 8: Continuously monitor.
For critical and high-risk vendors, implement systems and processes to monitor them on an ongoing basis to ensure compliance with risk and security standards. - Step 9: Conduct regular follow-up vendor risk assessments.
After the initial assessment, a plan and schedule should be established to re-assess vendors on a regular basis (e.g., annually).
Beginning a vendor risk assessment program
There are many established best practices for vendor risk assessments. Take advantage of this proven guidance when beginning a vendor risk assessment program.
- Catalogue cybersecurity risks that vendors could bring to the organization.
- Create scalable processes to run vendor risk assessments, leveraging technology, repeatable processes, and automation wherever possible.
- Develop a quantitative system for assessing vendors.
- Establish rules for how exceptions are made if a critical vendor falls below the acceptable risk threshold.
- Establish the organization’s risk appetite and measure vendor assessments against it.
- Create a team and assign specific roles and responsibilities.
- Take inventory of vendors that work with the organization.
Vendor risk management checklist
Vendor risk management checklists are used in two ways.
- Provide a framework for the process. Core steps include:
- Collect information about the vendors.
A vendor risk assessment includes a checklist that helps vendors capture quantifiable information during the process. Each enterprise has a checklist with specific questions unique to their group, but there are many overlaps across organizations. - Determine the risks that are most significant to the organization.
- Select a framework to help assess and manage vendor risks.
- Create a vendor inventory.
- Classify vendors according to criticality.
- Conduct risk assessments on all vendors and implement controls as necessary to keep risks at acceptable levels.
- Monitor vendor performance over time.
Among the questions that a vendor risk assessment seeks to answer are:
- Are there any issues with the vendor’s safety record or labor practices?
- Can the vendor meet current and future demands for materials, products, or services?
- Do the terms of the contract align with operational and financial objectives?
- Do the vendor have:
- Does the vendor meet all regulatory compliance requirements?
- What is the financial stability of the vendor?
- What is the vendor’s customer satisfaction rating (e.g., Net Promoter Score)?
- What is the vendor’s track record for meeting delivery schedules and quality requirements?
- appropriate insurance and coverage?
- an adequate disaster recovery plan in place?
- any reputational issues?
Vendor risk assessment questionnaires include a number of questions related to:
- Company policies concerning environmental, social, and governance (ESG) issues
- Financial and operational data
- Security and privacy controls
- Status of licenses and security clearances required for regulated industries
- Tracking and reporting capabilities to support audits
In addition to the vendor risk assessment checklist items, vendors may be asked to provide:
- Financial statements and tax documents
- Proof of ability to meet security and service level requirements
- Results from background and criminal checks
Benefits of vendor risk management
Improved risk management
Setting up a comprehensive vendor risk assessment helps organizations detect, evaluate, and mitigate potential risks from vendors’ vulnerabilities. The categorization part of the process ranks vendors as low, medium, or high risk, helping vendors make informed selection decisions and implement security controls to mitigate vendor risks.
Risk mitigation
A vendor risk assessment drives organizations to carefully evaluate vendors and suppliers against the organization’s risk thresholds and security standards. This process identifies any vulnerabilities and gives the organization the data needed to make informed decisions about the relationship and access that is provided.
Vendor risk assessments lower risk in several important categories, including:
- Compliance
A vendor risk assessment confirms compliance with applicable laws, regulations, and standards. - Contracts
A vendor risk assessment reviews contractual obligations, including terms of services, nondisclosure agreements (NDAs), and how fourth parties are handled to ensure they meet the organization’s risk thresholds and security standards. - Security
During the selection process, a vendor risk assessment focuses on cybersecurity and physical security controls, as these are often exploited by cyber attackers who use vendor vulnerabilities to gain access to an organization.
Additional benefits of a vendor risk assessment:
- Account not just for risks, but the likelihood of their occurrence
- Avoid materials supply or service disruptions
- Capture quantifiable risk data (i.e., risk scores)
- Gain a comprehensive view of a vendor’s risk profile
- Pinpoint and address threats associated with working with a particular vendor
- Provide a framework for risk evaluations, including the vendor risk assessment’s:
- Criteria
- Objectives
- Process description
- Process steps
- Required resources
Mitigate vendor vulnerabilities with a vendor risk assessment
Without a doubt, a vendor risk assessment can be tedious and time-consuming to create, execute, and manage. However, it should not be optional. As the enterprise continues to improve its cybersecurity posture, cyber attackers look for new vulnerabilities. Vendors are routinely attacked as they are often easier to breach than the target organization.
A vendor risk assessment program does provide return on investment. Overall, security is improved. In addition, vendor relations are more open and transparent, allowing all stakeholders to work together to combat threats, mitigate risk, and facilitate a productive relationship.
Unleash the power of unified identity security.
Centralized control. Enterprise scale.