In part 1 of this series, we covered the key concepts of vendor risk management (VRM) and why it matters. The subsequent articles in the series share practical guidance on how to establish and implement a VRM program that fits your organization’s specific needs.
Remember that VRM is the discipline that provides visibility into vendor relationships and guides how you monitor vendor performance and the quality of their controls.
In this article, we’ll explore how to start a VRM program, including five tips to guide you along the way.
Let’s dive in!
Table of Contents
- Why is a VRM program so important?
- Launching your VRM program
- Align business goals with the VRM program (Plan)
- Create standardized agreements
- Implement a well-defined vendor selection process
- Perform periodic vendor assessments
- Implement a transparent and consistent reporting process
- How can technology help with your VRM program?
- Key Takeaways
Why is a VRM Program so Important?
Let’s keep it short and simple. VRM is a discipline focused on identifying and mitigating the risks that vendors introduce. The program provides visibility into each vendor relationship and guides how you monitor vendor performance and the quality (or absence) of their controls throughout the lifetime of the business relationship.
Disruptions, ranging from supply chain shortages to brazen cyberattacks on some of the largest technology and infrastructure service providers, have amplified the crippling, global effects that vendor failures have on every business. Most alarming, data breaches are hitting record numbers across all industries: in 2021, the number of reported data breaches rose 68% year-over-year, according to the Identity Theft Resource Center’s annual report.
The security breach at Okta disclosed in 2022 underscores the risk of relying on vendors to handle part of your operations. Okta, one of the largest providers of identity and authentication services in the world, experienced a breach in January 2022.
The breach occurred through one of Okta’s key vendors, a sub-processor that provides customer support services to Okta’s customers. Even though Okta reported that at most 366 corporate customers (about 2.5% of its customer base) were potentially affected, the exposure is significant because thousands of companies rely on Okta to manage user authentication to their networks, applications, and services. The vendor had access to Okta’s internal networks, ticketing system, customer listing, and, in some cases, customer environments. The lesson for a VRM program is that a vendor’s own sub-processors belong in scope: these fourth parties inherit your vendor’s access, so your agreements should require that your security requirements flow down to them.
Regardless of the organization’s size, industry or maturity, no organization is immune from the domino effects of vendor risks.
Launching Your VRM Program
Even though your business is not entirely immune, you do control the magnitude of the harm such events cause: the measures you take determine whether vendor risk is reduced to an acceptable level.
Launching a VRM program from scratch is not easy. A lot comes into play and must be considered when deciding what you want the program to accomplish and how to measure its success. You’ll need to consider factors such as how much time to devote to it, what resources are required, and how to manage the program on a continual basis.
Whether you’re trying to implement a VRM program for the first time or looking to mature some of your existing practices, taking time to evaluate and build out the program will lead to greater success.
Where to start? Below are five tips to provide some guidance and inspiration on your journey.
Tip #1: Align Business Goals With The VRM Program (Plan)
Start by understanding the goals you want to achieve, and use them to create a game plan. This holistic approach clarifies and prioritizes the top risks to mitigate (e.g., cybersecurity, strategic, and regulatory risks) so you can mobilize what needs to get done. Not all vendor risks deserve equal treatment; the landscape in which you operate determines where the program’s focus lies.
At the minimum, create a vendor risk management playbook that lays out high-level guidance. This will be a handy resource as you build and mature the program.
Key aspects to include in the playbook:
- Purpose: Identify your goals for the VRM program (the “why”);
- Roles and Responsibilities: Identify key stakeholders and their specific responsibilities (the “who”);
- Risk Categories: Identify key vendor risks to your organization (the “what”);
- Vendor Lifecycle: Identify relevant stages of the vendor lifecycle to consider. The phases may include: procurement, continuous monitoring, and offboarding (the “when”);
- Vendor Management Activities: Identify the activities to be performed during the varying stages of the lifecycle (the “how”).
Your VRM program will evolve over time, so it’s essential to keep it current by reviewing the plan at least annually. And as needed, make updates to the playbook to proactively address changing dynamics.
Tip #2: Create Standardized Agreements
A standard set of agreements helps your organization scale its requirements and increases efficiency by reducing the time needed to draft, negotiate, and sign. Even though some large vendors insist on using their own templates, this baseline still reduces legal costs and the time required to negotiate contractual terms, because you know in advance which clauses you cannot live without.
The following elements should be included:
- Vendor Service Agreement: Defines the terms and conditions of the purchase of goods or services. Include these details in the contract: the scope of services or goods covered, the timing of services, payment terms, each party’s responsibilities, renewal and termination, indemnification, and enforcement clauses.
- Security Addendum: Establishes the cybersecurity practices and protection measures to which service providers must adhere. This may include: audit or certification requirements, data encryption and key management, access controls, endpoint security, hardening standards, monitoring/logging protocols, vulnerability detection and management, governance practices, and incident detection and response. Practitioners will also want a breach notification clause with a defined timeline, a right to audit, and a requirement that the same obligations flow down to any subcontractors or sub-processors the vendor uses.
- Data Processing Agreement (DPA): A DPA is a legal contract between a data controller and a data processor that sets out each party’s responsibilities and obligations for how personal data is processed. It specifies the measures to be taken to ensure the security and confidentiality of the data and to comply with the relevant data protection laws and regulations (the GDPR, for example, requires such a contract under Article 28).
Depending on your organization’s expertise, engaging outside legal counsel and cybersecurity subject matter experts to help with designing these requirements is worth every penny. These templates will set the tone for future negotiations and mitigate unnecessary pain points during the procurement process.
Tip #3: Implement a Well-Defined Vendor Selection Process
Creating a consistent approach to vetting vendors during the procurement phase is critical to the success of any new vendor engagement. This due diligence helps identify the right vendors by asking the right questions at the beginning, before a contract locks you in.
We suggest performing the following critical steps during the vendor selection process:
Build a Business Case
Create a business case for “why” you want to procure a new application, service, or product: which challenges or limitations it will resolve, and how it advances your strategic objectives. Budgets are limited and finance has to balance your request against others, so it pays to articulate the rationale behind the purchase and quantify its monetary and strategic value to the organization.
Identify Prospective Vendors
Reach out to existing business partners you trust and ask for recommendations regarding vendors they use for a specific service or product. Market intelligence and research services provided by Forrester, Gartner, and IDC are also good sources to identify potential vendors and suppliers.
Perform Vendor Discussions and Assessments
Initiate discussions with the prospective vendors. It’s generally good practice to obtain at least two or three proposals for comparison purposes. Tools to support the evaluation process include:
- Request for Proposal (RFP): Describe your needs and objectives, categorize requirements into “must have” vs. “nice to have,” and provide estimated timelines and budget considerations.
- Vendor Scorecard: Create a scorecard that contains a list of pre-defined evaluation criteria. Consider assigning a different weight to each criterion, as some requirements are more critical than others. When designing the scorecard, consult key stakeholders to identify what information should be included; there is no “one size fits all” model for vendor scorecards. Capturing these topics ensures that nothing gets overlooked and sets the foundation for assessing the next prospective vendor.
- Audit Reports: For vendors who provide a business-critical application or would process, store, or transmit sensitive corporate or customer data, ask whether they are certified or attested against frameworks such as ISO/IEC 27001 or the SOC 2 Trust Services Criteria. If so, ask for a copy of their most recent audit report (for SOC 2, a Type II report covering a recent period rather than a point-in-time Type I) and actually read it: confirm that the scope covers the services and locations you will use, note any exceptions the auditor raised, and check whether critical sub-service organizations (for example, the hosting provider) are carved out. If the vendor operates in a regulated industry or a region with stringent privacy regulations, obtain confirmation that the vendor complies with the applicable regulations or industry standards (e.g., GDPR, CCPA, HIPAA, PCI DSS) and get a copy of their most recent compliance report. You can also develop your own Security Assessment Questionnaire.
Tip #4: Perform Periodic Vendor Assessments
There must be a level of trust when you first engage a vendor. Since vendor dynamics and cybersecurity posture change over time, reviewing your vendors periodically is imperative: it confirms they are delivering the services as expected and gives you a monitoring mechanism to detect poor performance or cybersecurity issues before they become a risk to your business.
Bearing in mind that not all vendors have the same risk levels, knowing what focus areas apply to which vendor is essential. By asking the right questions, you get the right answers.
We suggest the following steps for performing vendor assessments:
Step 1: Catalogue and classify the vendors:
- First step (catalogue): Compile a listing of your key vendors to be reviewed. Documentation is vital because you can’t assess or even protect something if you don’t know what you have. Start by documenting some basic information for the vendors — such as indicating what service(s) they provide; the type of data they have access to; the level of integration with your business; the contract duration; existing compliance frameworks or regulations they need to follow, and other business factors deemed important.
- Second step (classify): Assign a risk level to each vendor based on your internal ranking system. For instance, your decision matrix may state that all vendors with access to sensitive customer data or your databases would be considered “high risk” (aka access to the “crown jewels”). In contrast, vendors with non-administrative system access may be “moderate risk,” and vendors with no access to any corporate systems would be classified as “low risk.”
Step 2: Determine how often to review
The timelines will vary across vendors. You would want to rank vendors according to their business criticality and the sensitivity of the information they handle. A general rule of thumb: the greater the level of access or integration, the more comprehensive and frequent the reviews should be.
Taking a risk-intelligent approach focuses your resources where they matter most. Best practice suggests the following review frequency based on the assigned risk level:
- High risk → At least annually (some organizations review their most critical vendors semi-annually);
- Moderate risk → Every 1 to 2 years;
- Low risk → Every 2 to 3 years.
Step 3: Determine what to review:
In addition to assessing the vendor’s service performance against contractual obligations, cybersecurity reviews should also be performed. What to review should be proportionate to each vendor’s data type and criticality. Commonly used tools and activities include:
- Review their most current audit reports (e.g., SOC 2, ISO/IEC 27001, PCI DSS)
- Internally designed vendor risk questionnaires
- Standardized questionnaires (the Cloud Security Alliance’s CAIQ, the Shared Assessments SIG questionnaire)
- Vendor security or compliance audits
Step 4: Determine who performs the reviews:
Vendor service performance reviews should be performed by the stakeholders who engaged the vendor. They would be in the best position to assess whether or not the vendor delivered on expectations. Cybersecurity reviews are more technical in nature and should be evaluated by personnel with solid information security expertise and knowledge of the various information security management system (ISMS) and compliance frameworks.
This task is typically assigned to the Information Security or Compliance teams in large enterprises. In smaller organizations, this task may be delegated to the IT team.
The example catalogue below illustrates the information captured in steps 1 through 3. The review frequencies are one organization’s choices and are stricter than the rule of thumb above for some tiers.

| Vendor Name | Vendor Service | Access Type | Departments | Contract Term | Applicable Frameworks | Risk Level | Review Frequency and Required Evidence |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Vendor “A” | Credit card processor | Cardholder data | Sales, Finance | 3-year contract | PCI DSS | High | Semi-annual. Required: most recent PCI DSS Report on Compliance (ROC, annual) and vendor questionnaire (semi-annual) |
| Vendor “B” | HR management system (HRMS); no outsourced support services | Employee PII, performance reviews, compensation | All | Annual | SOC 2 (Security, Confidentiality, Availability) | Moderate | Annual. Required: most recent SOC 2 audit report |
| Vendor “C” | Marketing services | Minimal | Marketing, Sales | Ad hoc | None | Low | Annual. Required: vendor questionnaire |
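As an added example (not code from the original article), the following Python script applies the decision matrix from step 1, the review cadence from step 2 and the evidence expectations from step 3 to a constructed vendor catalogue modelled on the table above, and produces the kind of portfolio snapshot by risk level that the quarterly report in Tip #5 calls for. The tier names, cadences, data categories, evidence rules and the four sample vendors are all assumptions made for the example.

```python
"""Vendor risk tiering, review scheduling and portfolio snapshot.

Added example, not code from the original article. Every threshold, data
category, evidence rule and sample vendor below is an assumption.
"""
import calendar
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review cadence per tier, in months (assumption: the upper bound of the
# rule of thumb in step 2; tighten to suit your program).
REVIEW_INTERVAL_MONTHS = {"high": 12, "moderate": 24, "low": 36}

# Data categories that drive the tier (assumption). "Crown jewels" force a
# high tier; confidential data forces at least a moderate tier.
CROWN_JEWELS = {"cardholder data", "customer pii", "credentials"}
CONFIDENTIAL_DATA = {"employee pii", "financial records"}

# Attestation expected for each data category handled (assumption). A rule
# is satisfied if the vendor holds any one of the listed attestations.
REQUIRED_EVIDENCE = {
    "cardholder data": {"PCI DSS"},
    "customer pii": {"SOC 2", "ISO/IEC 27001"},
    "credentials": {"SOC 2", "ISO/IEC 27001"},
    "employee pii": {"SOC 2", "ISO/IEC 27001"},
}

@dataclass
class Vendor:
    name: str
    service: str
    data_types: set          # lower-case data categories the vendor handles
    system_access: str       # "none", "user" (non-administrative) or "admin"
    frameworks: set = field(default_factory=set)  # attestations on file
    last_review: date = None  # None means the vendor has never been reviewed

def classify(vendor):
    """Decision matrix from step 1: admin access or crown-jewel data -> high,
    other system access or confidential data -> moderate, otherwise low."""
    if vendor.system_access == "admin" or vendor.data_types & CROWN_JEWELS:
        return "high"
    if vendor.system_access == "user" or vendor.data_types & CONFIDENTIAL_DATA:
        return "moderate"
    return "low"

def add_months(d, months):
    """Add calendar months, clamping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def review_status(vendor, tier, today, warn_days=90):
    """Return (next_due, status); a never-reviewed vendor is overdue."""
    if vendor.last_review is None:
        return None, "overdue"
    due = add_months(vendor.last_review, REVIEW_INTERVAL_MONTHS[tier])
    if due <= today:
        return due, "overdue"
    if due - today <= timedelta(days=warn_days):
        return due, "due soon"
    return due, "current"

def evidence_gaps(vendor):
    """Attestations missing for the data categories the vendor handles."""
    gaps = []
    for data_type in sorted(vendor.data_types & set(REQUIRED_EVIDENCE)):
        accepted = REQUIRED_EVIDENCE[data_type]
        if not vendor.frameworks & accepted:
            gaps.append(f"{data_type}: need one of {sorted(accepted)}")
    return gaps

def assess_portfolio(vendors, today):
    """One row per vendor: tier, next review date, status and evidence gaps."""
    rows = []
    for v in vendors:
        tier = classify(v)
        due, status = review_status(v, tier, today)
        rows.append({"vendor": v.name, "tier": tier, "next_due": due,
                     "status": status, "gaps": evidence_gaps(v)})
    return rows

def portfolio_snapshot(rows):
    """Counts by tier and by review status, plus vendors with evidence gaps."""
    return {"by_tier": dict(Counter(r["tier"] for r in rows)),
            "by_status": dict(Counter(r["status"] for r in rows)),
            "with_gaps": [r["vendor"] for r in rows if r["gaps"]]}

# Constructed catalogue modelled on the table above, plus one managed service
# provider (assumed) that has administrative access and has never been reviewed.
SAMPLE_VENDORS = [
    Vendor("Vendor A", "credit card processor", {"cardholder data"}, "none",
           {"PCI DSS"}, date(2022, 9, 1)),
    Vendor("Vendor B", "HR management application", {"employee pii"}, "none",
           {"SOC 2"}, date(2021, 3, 15)),
    Vendor("Vendor C", "marketing services", {"marketing content"}, "none",
           set(), date(2022, 1, 10)),
    Vendor("Vendor D", "managed service provider", {"credentials"}, "admin",
           set(), None),
]

if __name__ == "__main__":
    rows = assess_portfolio(SAMPLE_VENDORS, date(2023, 3, 1))
    for r in rows:
        print(f"{r['vendor']:<9} {r['tier']:<9} due={r['next_due']} "
              f"{r['status']:<9} gaps={r['gaps']}")
    print(portfolio_snapshot(rows))
```

Run it as a script to print one row per vendor followed by the summary. Two design choices matter in practice: a vendor that has never been reviewed is reported as overdue rather than as a missing date, so a newly onboarded vendor cannot silently skip its first cycle, and the 90-day “due soon” window gives you lead time to request a fresh audit report before the review date rather than discovering at review time that the SOC 2 report on file is two years old.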
Tip #5: Implement a Transparent and Consistent Reporting Process
Vendor risk management is a program that impacts every department. A consistent report regime will ensure that leadership has the necessary tools and information to make accurate and informed decisions promptly.
The reporting cadence should be recurring, at least once every quarter. The presentation should include high-level metrics of the VRM landscape, and the agenda may cover: a snapshot of the vendor portfolio by risk level, key vendor activities during the period, vendor data breaches, and emerging trends or regulations that would affect the vendor’s and/or the company’s obligations.
By establishing a consistent reporting process, the correct information gets to the right people when needed. In addition to building transparency and accountability, periodic reporting to management will also satisfy reporting obligations you may have.
How Can Technology Help With Your VRM Program?
In recent years, technological advancements and cloud-based services have enabled organizations to scale and automate their VRM program cost-effectively with good results. Some businesses continue to track these activities in spreadsheets and by other manual methods, but the drag on resources and productivity should not be underestimated.
Given increasingly stringent compliance requirements and operational complexity, the cost/benefit scale tips in favor of GRC and VRM tools to streamline the VRM program, shifting it from a labor-intensive, highly administrative function toward meaningful, risk-intelligent analysis.
Here are some vital benefits of leveraging technology, such as a GRC or VRM solution, to enhance workflow efficiencies and deliver results:
- Automate: Use artificial intelligence and complex algorithms to filter out the noise and get the insights you need.
- Consolidate: Capture and present information all in one place.
- Educate: Discover what you don’t know and identify missed opportunities.
- Facilitate: Pivot from administrative tasks to insightful risk-intelligent analyses.
- Mitigate: Reduce the probability of errors with processing.
- Obligate: Promote transparency and accountability.
Technology is transformative. Technology will accelerate an organization’s potential to make informed decisions and take appropriate actions faster, better, and smarter.
Key Takeaways
- VRM is a discipline focused on mitigating vendor risks.
- Disruptions caused by vendor challenges can have crippling effects on businesses.
- Launching a VRM program from scratch is not easy, but it’s essential to control the magnitude of the harm caused by vendor risks.
- Align business goals with the VRM program to create a game plan that clarifies and prioritizes the top risks to mitigate.
- Create standardized agreements to help your organization scale your requirements and increase efficiency.
- Implement a well-defined vendor selection process to identify the ideal vendors by asking the right questions at the beginning.
- Establish vendor performance and quality controls during the lifetime of the business relationship.
- Continuously monitor and assess vendor risks to ensure that the program remains relevant and effective.
- Provide regular training to employees to enhance their awareness of vendor risks and how to mitigate them.
- Collaborate with vendors to achieve mutual benefits and ensure that they are aware of your expectations and requirements.
The other parts of this series:
- Part 1: The Foundations and Benefits
- Part 2 (this article): How to Implement a Vendor Risk Management Program
- Part 3: The Vendor Risk Management Lifecycle