Assessing Vendor Risk Using Questionnaires

With the world at a relative standstill, many businesses are focusing on internal process and their core offerings. Outsourcing functions to third parties to reduce in operating costs and improve quality of service is not new but is systematically on the rise.  While this helps to free up resource, it also exposes businesses to the actions of suppliers and vendors. For companies that heavily rely on multiple suppliers, third-party risk is only amplified as B2B relationships become increasingly dependent and complex with each additional link in the supply chain. Effectively assessing and managing vendor risk is a critical step to protect your company’s interests and maintain your ongoing success.

The risks of third-party supplier and vendor relationships

Third-party suppliers and vendors can be anyone a business uses to support its operations.  This includes manufacturers, suppliers, service providers and contractors of any kind. While there are significant benefits from outsourcing tasks to vendors, businesses are ultimately responsible and must ensure compliance throughout the supply chain. Common areas of potential risk include:

  1. Legal Risk: most businesses store or process sensitive information such as personally identifiable information, personal health information or government data. There are legally mandated compliance standards that govern the handling of this information, and it is critical that third party suppliers and vendors meet these requirements
  2. Reputational Risk: third-party suppliers and vendors represent businesses and their actions reflect on the businesses who hire them. When a third-party fails to meet compliance standards or otherwise acts poorly, your business’ reputation can also be damaged
  3. Operational Risk: if a third-party’s operations are sub-par; your business’ operations are most likely to be affected. Resources spent fixing supplier mistakes can negatively impact business performance

It is important for businesses to protect themselves from vendor risks, before, during and after the relationship ends. This can be done through risk assessments, which are a critical piece in identifying, understanding, and managing risks to your organization. By performing multiple assessments over the year, businesses can understand the initial vendor risks and how they change during the partnership.

How to assess vendor risk

Businesses need to perform thorough vendor risk assessments so potential threats to the business can be mitigated.  Assessment also ensures potentially risky vendors can be rejected before entering a damaging relationship. Risk assessment should be a continuous process with a consistent approach applied to each vendor, based on a well-documented risk management plan.

When assessing vendor risk, businesses should focus on the following areas for effective risk mitigation:

  1. Assess Business Impact and Regulatory Risks: a vendor’s impact determines if they are critical or non-critical to the business. Regulatory risk determines if the vendor is low, moderate, or high risk.  This is important because not all vendors pose the same level of risk. Vendors that handle critical processes are a bigger threat then smaller contractors who only work with a single department
  2. Use a Standardized Approach: the risk assessment process should be repeatable and consistent in content and criteria. This allows vendors in the same category to be compared equally, and ensures important risk factors are considered for each vendor
  3. Assess Suppliers at the Product or Service Level: to understand every possible risk, product or service provided by vendors, each offering should be individually assessed, especially for critical impact / high-risk vendors
  4. Evaluate Risk when Selecting Vendors: vendors should be assessed during the selection phase to ensure the best vendor is selected by the business
  5. Conduct Due Diligence for Critical or High-Risk Vendors: due diligence assesses a vendor’s ethics and financially stability. This ensures the vendor has the stability and reliability to deliver services the business requires

Risk Assessment Tools

There are many vendor risk assessment tools and no single solution will be perfect for every organization.  However, the most widely used and adaptable tools include the following:

  1. Risk Assessment Templates: A risk assessment template is a tool that is used to document the risk that exists within an area, the potential consequences of those risks, and the recommended controls to reduce risk to acceptable levels. General templates for managing vendor risk are readily available and can be adapted to specific requirements
  2. Risk Assessment Frameworks: Most organizations are subject to standards or regulations based on best-practice or legal requirements that can be used to guide vendor risk management. The National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO) include vendor risk assessment frameworks
  3. Vendor Management Questionnaires: Questionnaires can be sent to vendors to enquire about their security practices and controls. These questionnaires are usually completed prior to engaging with a vendor and updated at regular intervals to manage risk throughout the relationship. The best questionnaire solutions are automated to allow delivery, completion, and responses to be managed efficiently and cost-effectively
  4. Governance, Risk and Compliance (GRC) Tools: GRC tools allow businesses to easily implement a suite of processes to monitor critical areas and report results to identify risks during initial and ongoing assessments. They can be used to manage vendor risk assessment tools such as industry or regulatory frameworks and vendor management questionnaires.  GRC tools can produce vendor questionnaires in preloaded templates for a range of business functions and can also be customized to meet specific requirements.  They include support for Standardized Information Gathering Questionnaire (SIG/SIG-Lite), and the 2018 Vendor Security Alliance Questionnaire

There are significant benefits to businesses from outsourcing to third-party suppliers or vendors but there are equally significant risks to manage.  To understand and mitigate third party and vendor risks, businesses need to have a process in place for managing 3rd –party risk and conduct thorough risk assessments before, during and after the vendor relationships