Third-Party Vendor Risk Management: Guide and Best Practices
Doing business in the digital age means outsourcing. There’s just no way that most enterprises can do it all in-house: provide the technology and the conveniences that customers demand while delivering goods and services at a price they can afford. Third-party relationships are a must—but they can increase your organization’s information security risk.
Third-party vendors may not always have the cybersecurity safeguards that you need to comply with regulations and industry standards. Increasingly, regulators are applying the same scrutiny to your supply chain as they are to your organization. If you haven’t done your due diligence before, during, and after signing third-party contracts, your enterprise could lose important certifications.
Vendor risk management (VRM) can help you avoid risk and compliance pitfalls that contractors, service providers, vendors, and others in your business ecosystem can incur. Also known as third-party risk management, VRM involves a complex set of risk management processes from risk assessment to monitoring and mitigation, throughout the vendor lifecycle.
This guide to developing and implementing a third-party risk management program is designed to walk you through the vendor management process step-by-step.
Intended for use by your chief compliance officer or chief risk officer, it contains a trove of up-to-date information on vendor risk and how to identify and resolve the challenges vendor risk management might bring to your company.
To use this guide, feel free to read from beginning to end, or skip to the sections you most need. Along the way, click on the links sprinkled throughout for more detailed insights into a variety of topics. And if you feel overwhelmed by third-party risk management process, take heart: there’s a tool for that.
What is Vendor Risk Management?
Vendor risk management (VRM), a part of vendor management, is the process of identifying, analyzing, monitoring, and, where necessary, mitigating risks that third-party vendors might pose. Such risks could affect your business’s cybersecurity, regulatory compliance, business continuity, or organizational reputation.
As with any risk management program, third-party risk management begins with due diligence before signing a contract. It also involves a risk assessment for each contractor, vendor, supplier, and service provider with which your company works.
A growing number of enterprises either have a vendor risk management program or are starting one. Concerns over information security and data privacy are driving this change, but so are laws including the European Union’s General Data Protection Regulation (GDPR) that require organizations to understand how the third parties with whom they do business manage their own risks, and mandate third-party compliance as a condition of certification.
Is There a Difference Between ‘Vendor’ and ‘Third Party’?
There is a difference between ‘vendor’ and ‘third party,’ but it can be a subtle one.
A vendor is an external entity, often in the supply chain, that supplies goods or services to an organization. Examples are:
- Cloud service provider
- Law firm
- Software developer
- Website host
- Payment processor
- Raw materials provider
Third-party relationships encompass all these entities, but also include others with whom your organization does business, such as:
- Business partners
- Venture capitalists
- Regulatory agencies
- Nonprofits receiving your donations
While many companies have vendor risk management (VPM), others have more encompassing third-party risk management (TPRM) programs.
VRM vs. TPRM
The vendor risk management process involves due-diligence activities before contracting with a vendor, often using surveys or questionnaires that prospective vendors answer.
This step helps to ensure that the vendor under consideration complies with necessary regulations and industry standards and has a robust information security program.
Risk assessments are also a part of vendor risk management. For these, you may request evidence of the vendor’s own risk management, information security, and regulatory compliance efforts. Evidence may include compliance certifications, penetration test reports, financial information, and on-site audits.
Vendor risk management continues with monitoring and oversight throughout the lifecycle of the vendor relationship, and even after the contract has ended.
Third-party risk management may entail all the above steps, but with one caveat: While you choose your vendors, you cannot always select your third-party relationships, such as with customers and regulatory agencies. This means that you may not have as much control over risk incurred by non-vendor third parties.
What is a Vendor Risk Management Program?
To effectively manage the risks posed by the use of third-party vendors, contractors, and service providers, your organization would do well to implement a comprehensive vendor risk management program.
From vendor selection to vendor onboarding to vendor termination—and beyond—a vendor risk management program will enable you to identify the risks your third-party relationships pose to your enterprise. Then you can work with vendors to remedy those risks and continuously monitor for changes in your vendors’ risk posture that could affect your business.
How do I develop a vendor risk management program?
A successful vendor risk management program involves careful planning by a dedicated team, continual oversight, and commitment to the process at every stage.
Here are steps to take: (note: numerals are missing on the website version)
- Draw up formal policy and procedure documents. These are essential to your program’s success. The policy should explain at a high level how vendor risk will be managed. Procedure documents should detail roles and responsibilities, including those of senior management and your business lines.
- Establish a vendor selection due diligence process. Vetting your vendors before signing contracts with them is key. Ask to see SOC reports, conduct a risk assessment that includes results of penetration testing, and make site visits where necessary.
- Mind your vendor contracts. Templates are fine, but should be amended for each vendor to account for each party’s roles, responsibilities, and compliance requirements. Set contract standards that establish uniform processes for negotiation, review and approval, monitoring, and contract storage. Your contracts should also address service level agreements (SLA), proper issue escalation, vendor termination, and security documentation.
- Conduct ongoing vendor monitoring.
- Review the vendor’s financial statements.
- Ask to see their IT diagrams so you know how you’re affected if they have a cyberattack or business disruption.
- Conduct vendor audits.
- Periodically request and evaluate their SOC reports, business continuity and disaster recovery plans, and security documentation.
- Annually perform vendor risk assessments, performance assessments, and information security assessments.
- Perform internal audits of your organization, including vendor relationships and risks. Then, when examiners arrive to test your compliance, you’ll pass with ease and you’ll feel secure in the knowledge that your organization’s systems and data are adequately protected.
What Types of Risks Do Third-Party Vendors Pose?
Not every vendor brings risky business to an enterprise. But many things can go wrong when you’re dealing with an entity that is, for the most part, unknown.
These are common third-party vendor risks:
- Reputation risk: If one of your vendors has a business disruption that affects your customers, your company’s reputation could suffer.
- Operational risk: Every third party with which you do business increases the complexity of your business operations, and the risks to them.
- Transactional risk: Financial institutions are familiar with these. Disruptions at any point along the chain of payment transactions, including third-party payment processing, can cost your enterprise business and customers.
- Credit risk: If your financial institution uses third parties for loan origination, business solicitation, or underwriting, there’s a risk that they might default on their obligations, agreements, or payments to you.
- Compliance risk: A steady proliferation of regulations and rules makes it more difficult for everyone to be in compliance. Regulatory risk means that regulators will hold you responsible for your vendors’ compliance with their requirements as well as your own.
- Strategic risk: What would happen if a vendor failed to meet the terms of a contract with you or your customers, or didn’t provide the expected return on investment?
- Country risk: If any of your third-party service providers are located in a foreign country, you face risks caused by that country’s economic, social and political situation.
- Legal risk: A vendor could expose your enterprise to lawsuits or legal expenses.
- Vendor concentration risk: Relying on one or a small number of vendors for a service or function increases the risk that the service or function will not be provided.
- IT/Cybersecurity risk: A vendor could provide a portal to your enterprise for hackers.
- Cloud risk: Placing data or services on the cloud presents an added risk that they will be compromised.
Different risks prevail among different industries. To help determine which risks apply to your enterprise and to classify these risks in order of severity, try a quality governance, risk, and compliance tool such as ZenGRC.
What Risks Should Vendors Be Responsible For?
The short answer: All of them.
Third-party vendors, project contractors, and service providers are responsible for their own financial stability, financial reporting, IT/cybersecurity, regulatory compliance, legal standing, and overall operational soundness.
But when the regulatory rubber meets the road, you, the contracting entity, will shoulder the blame should one of your vendors fall out of compliance, experience a disruption in service, or get hacked.
Every third party with which you engage poses strategic and other risks to your organization. Exercising due diligence when choosing, hiring, onboarding, and monitoring your vendors can help prevent risks’ becoming threats; so can including language in vendor contracts requiring them to stay in compliance with all regulations, laws, and industry standards that your company must meet.
How Do I Analyze Third-Party Risk?
To help you perform the best possible third-party risk assessments, we’ll start before the beginning, to help you design your vendor management policy.
Your vendor management policy should establish business goals and guide you through your assessments of third-party security risk throughout the third-party-risk lifecycle: vendor selection, contract negotiation, onboarding, monitoring, termination, and beyond.
Questions you should ask—and answer—at this stage:
- How many personnel should we devote to managing third-party cyber risk?
- Which security frameworks should our contracts require vendors to comply with?
- Which methods should we use to assess third-party risk?
- Which documents should we require for vendor risk assessments?
- Who completes the documentation of third-party security risk assessments, and who signs off?
- How often should we reassess our vendors? What key performance indicators (KPIs) should we use?
- How much third-party risk can our business withstand?
- Who decides how to manage any vendor risks we find—whether to accept them or impose mitigating controls?
- How do we manage third-party risk in real time when vendor circumstances change?
The answers to all these questions will depend on the extent of your use of third parties: the number of contractors, vendors, service providers, and other third parties with which your organization does business, how frequently you engage them, and how you use them.
The type of business you conduct with third parties will also determine your vendor management policies and procedures. For instance, a financial institution using third parties to process sensitive customer data may have more stringent policies than a retail store purchasing goods from a vendor to resell.
How to Conduct a Vendor Risk Assessment
Conducting a vendor risk assessment is a complex task with many steps, especially if you’re doing the job manually. Emerging technology can perform most of these tasks for you—but more on that later.
Here are 10 essential steps for successful vendor risk assessment: (Again, numerals are missing on the web version)
- Risk ID. Identify all your third-party risks.
- Process risks
- Cybersecurity risks, including malware and ransomware threats
- Political risks
- Contract risks
- Legal and regulatory non-compliance risks
- Business continuity risks
- Vendor classification. Categorize your suppliers and contractors according to the information of yours that they can access.
- Network access
- System access
- Authorization access
- Data access
Suppliers and contractors with access to your information and systems will need a higher level of risk management than those without it.
- Define vendor performance metrics. Establish service level agreements (SLAs) with each vendor, and monitor to ensure that they meet the criteria on an ongoing basis.
- Determine regulatory compliance risks. Federal laws require third-party vendors and contractors with financial institutions and health-care providers to comply with certain frameworks, as stipulated in the Federal Financial Institutions Examination Council (FFIEC) guidebook for examiners and the Health Insurance Portability and Accountability Act (HIPAA). At the minimum, however, reporting on SOC 2 compliance ought to be required.
- Risk assess individual vendors. Consider each vendor’s location, how important to your business its products or services are, the sensitivity of the information it will handle, and whether it will have access to your digital network.
- Query vendors with a vendor risk management questionnaire. Vendor risk assessment questionnaire examples include:
- Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ)
- Center for Internet Security — CIS Critical Security Controls (CIS First 5 / CIS Top 20)
- The National Institute of Standards and Technology — NIST (800–171)
- Shared Assessments Group — Standardized Information Gathering Questionnaire (SIG / SIG-Lite)
- Vendor Security Alliance — VSA Questionnaire (VSAQ)
You’ll also want to ask each vendor for its security policy and program documents and penetration testing results.
- Create clear vendor contracts with service level agreements, compliance requirements, and roles and responsibilities in the event of a security breach. Consult subject matter experts, internally and externally, for input.
- Establish a clear line of communication between your vendors, management, and board to stay abreast of and manage issues, and solicit and respond to feedback regarding your vendor risk management program.
- Conduct on-site audits. Where feasible and warranted by answers to the questionnaire, send your auditing team to vendor sites for in-person audits. Repeat these audits annually.
- Continuously monitor your vendors. Stay abreast of vendor changes, changes in your organization, and updates to regulations and standards.
If you need help
As you can see, vendor risk management is a big program requiring adequate staffing and budget—or your enterprise can cut costs and time by using quality governance, risk, and compliance (GRC) software. Automation can perform many of these tasks, including generating and sorting questionnaires, staying on top of compliance requirements, and continuously monitoring third-party vendors.
The Difference Between Enterprise Risk Management (ERM) and Vendor Risk Management (VRM)
In fact, for your VRM to function as it should, your organization will want to have both—and your management, executive team, and board of directors should all be involved.
Enterprise risk management considers operational, reputational, credit, legal, regulatory compliance, cybersecurity, and all other areas of risk an organization might face, including vendor and third-party risk.
The ERM process entails creating risk policy standards, determining the enterprise’s risk appetite (how much the enterprise can stand to lose) and conducting an organization-wide risk assessment. Companies typically use an ERM framework to guide them through the ERM process, such as COSO’s Enterprise Risk Management — Integrated Framework.
Vendor risk management focuses on managing the risks that third-party vendors pose to an enterprise. It entails
- Identifying vendors (and, for third-party risk management, all third parties with which your organization does business, including suppliers, service providers, and customers)
- Performing due diligence and risk assessments to ensure that each vendor’s information security and other operations fall within the risk appetite established in your ERM analysis
- Continuously monitoring vendor risk posture in the light of new regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), and updates to existing laws such as the Health Information Portability and Accountability Act (HIPAA), all of which require third parties to be in compliance
How Do Third-Party Vendor Management Audits Work?
There are two kinds of third-party vendor management audits:
- Internal, in which an internal auditor evaluates the contracting organization’s own vendor risk assessment process and control activities
- External, in which an organization’s auditors analyze a third-party vendor’s risk and compliance with regulatory expectations and standards
Chief Risk Officers, charged with managing third-party risks, tend to oversee these audits.
An external audit will often include a request for documentation; interviews with the vendor; possibly an on-site review; and a report to management on vendor controls, efforts to mitigate control weaknesses, recommendations for ongoing monitoring, and more.
Internal audits check all the contracting organization’s internal processes in the scope of its vendor risk management program, including due diligence, contracts (including a contractual right to audit), vendor categorization, communications, and vendor performance.
Create a Vendor Risk Management Workflow
Vendor risk management (VRM) is increasingly important and complex as more organizations migrate their data and services to the cloud and manage applications. Creating a VRM process flow can simplify this important job and help ensure success.
As you define workflows for VRM, include these steps: (Note: numerals for this list are missing on the website.)
- Vendor selection. Choose vendors that meet your organization’s requirements. Perform due diligence during the selection process, asking to see proof of compliance with applicable regulations and frameworks. Have the necessary forms for data collection on hand to send with your requests.
- Contract approval. Make sure that your vendor contracts require regulatory compliance, assign roles and responsibilities in the event of a security breach, and ensure you the right to audit their controls.
- Onboarding. Have approved processes and procedures for handling purchase orders and payment requests. Upon onboarding, assign permissions and access to your systems, networks, and data based on the vendor’s needs for access to do its job.
- Monitoring. Send vendor questionnaires periodically asking about risk management, security, and compliance. Use software to continuously monitor your vendors for changes in their risk posture.
- Termination. Have a well-defined process for offboarding, including terminating vendor access to your systems and the return of any equipment you have supplied to them.
Vendor Risk Management by Framework
A number of regulations and industry standards require third-party vendors to be in compliance, and may even serve as frameworks for managing vendor risk.
- The Health Insurance Portability and Accountability Act (HIPAA): Third-party risk management is specifically addressed in this federal law. Under HIPAA, electronically stored Protected Health Information (ePHI) that an organization creates, receives, maintains, or transmits must be protected against threats, hazards, and unauthorized use or disclosure. Under HIPAA, vendor contracts must contain privacy and security assurances.
- System and Organization Controls for Service Organizations 2 (SOC 2): Third-party assurance of adequate risk and security controls are increasingly required by contracting organizations in the form of SOC 2 certification.
- The Payment Card Industry Data Security Standard (PCI DSS): Third-party risk management is an important part of this industry standard. PCI DSS requires compliance from “third-party service providers,” which it defines as any vendor that stores, processes, or transmits cardholder data on behalf of a client organization, and any vendor that could affect the security of the cardholder data environment.
- The Federal Risk and Authorization Management Program (FedRAMP): Third-party assessment organizations are included in this federal program requiring strict security management from federal government cloud providers which are third-party service providers, themselves.
- The General Data Protection Regulation (GDPR): Third-party risk management is required under this European Union law that applies to all entities that collect, process, store, sell, or share data belonging to EU residents. It states that organizations must take necessary steps to protect citizens’ data, including information shared with third parties (known as data processors). Third parties must also protect that data, and must comply with all aspects of the GDPR.
- Control Objectives for Information and Related Technologies (COBIT). Vendor risk management using COBIT 5 is spelled out in detail in subsection DS2, from identification to monitoring and measuring.
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework. Many organizations use COSO to mitigate third-party risk. The framework helps organizations minimize risk overall with processes and improved controls, and it addresses third-party risk throughout the document.
How to Automate Continuous Vendor Risk Management
To automate your vendor risk management, you’ll need vendor risk management software. A quality governance, risk, and compliance (GRC) software with VRM capabilities will serve quite well.
Why should you automate? Simply put, it’s the smart thing to do.
Just conducting due diligence reviews of third-party vendors and their security risks can take much time, effort, and expense—if you’re using spreadsheets.
Once a vendor is onboarded, the task of keeping tabs on their security is only just beginning. You need to send self-assessment questionnaires, obtain penetration testing results, continually update your vendor data, and more.
And you need to always be on top of changes, in real time. Otherwise, your own organization’s security and compliance could suffer.
Using ZenGRC to manage your third-party vendors takes the hassle and the worry out of vendor risk management. Its continuous monitoring features ensure you’re always on top of your third-parties’ compliance hygiene. It streamlines workflows so you don’t have to do everything yourself—even sending out those dreaded questionnaires and tallying the results for you as they come in.
Zen keeps track of vendors’ compliance with multiple frameworks, and provides continuous auditing in a few clicks, if that’s your desire, via its internal audit feature. Its user-friendly dashboards show you in a glance who’s compliant, and who isn’t.
With ZenGRC automating your vendor risk management tasks, you and your team can focus on other, more important tasks. Liberated from the tyranny of spreadsheets, your business will rise above the risks.
Why not call a Reciprocity expert today for your free consultation?