How to Implement a VRM Program – Guide to Vendor Risk Management

In part 1 of our series, we covered key concepts about vendor risk management (VRM). With context on the importance of vendor risk management (VRM), subsequent articles in this series will share useful guidance on how to establish and implement a VRM program to fit your organization’s specific needs.

So What?

Why is VRM so important? VRM is a discipline focused on mitigating vendor risks. The program provides visibility into the vendor relationship and offers insightful guidance on how to effectively monitor vendor performances and quality (or lack of) controls during the lifetime of the business relationship.

Disruptions, ranging from supply chain shortages to brazen cybersecurity attacks on some of the largest technology or infrastructure service providers, have amplified the crippling and global effects of vendor challenges on every business. Most frightening, data breaches are experiencing record-breaking numbers across all industries. In 2021, data breaches jumped 68% year-over-year according to an Identity Threat Resource Center report (click link to read full report).

The most recent security breach at Okta underscores the risks when relying on vendors to handle part of your operations. Okta, one of the largest providers of identity authentication services in the world, experienced a data breach in January. The breach occurred via one of its key vendors, a sub-processor which provides customer support services to Okta’s customers. Even though Okta reported that only 366 corporate customers were impacted (2.5% of its customer base), this is significant because thousands of companies rely on Okta to manage user authentication to networks, applications, and services. The vendor had access to Okta’s internal networks, ticketing system, customer listing, and customer environments in some cases.

Regardless of the organization’s size, industry or maturity, no organization is immune from the domino effects of vendor risks.

Now What?

Even though your business is not entirely immune, you have control over the magnitude of harm caused by these events. You have influence over what measures you can take to reduce the vendor risks to an acceptable level.

Launching a VRM program from scratch is not easy. A lot comes into play and must be considered when deciding what you want the program to accomplish and how to measure its success. You’ll need to consider factors such as how much time to devote to it, what resources are required, and how to manage the program on a continual basis. 

Whether you’re trying to implement a VRM program for the first time, or looking to mature some of your existing practices, taking time to evaluate and build out the program will lead to greater success.  

Where to start? Below are five tips to provide some guidance and inspiration on your journey.

Tip #1 – Align Business Goals with VRM Plan

Start off by understanding what are the goals you want to achieve, and use these factors to create a game plan. This holistic approach will help clarify and prioritize the top risks to mitigate (e.g., cybersecurity, strategic, regulatory risks), enabling you to mobilize what needs to get done. Vendor risks should not be treated equally, as the landscape in which you operate will drive its focus.

At the minimum, create a vendor risk management playbook which lays out the high-level guidance. This will be a handy resource as you continue to build and mature the program.

Key aspects to include in the playbook:

  • Purpose – identify your goals for the VRM program (the “why”);
  • Roles and Responsibilities – identify key stakeholders and their specific responsibilities (the “who”);
  • Risk Categories – identify key vendor risks to your organization (the “what”);
  • Vendor Lifecycle – identify relevant stages of the vendor lifecycle to consider. The phases may include: procurement, continuous monitoring, and offboarding (the “when”);
  • Vendor Management Activities – identify the activities to be performed during the varying stages of the lifecycle (the “how”).

Your VRM program will evolve over time, so it’s essential to keep it current by reviewing the plan at least annually. And as needed, make updates to the playbook to proactively address changing dynamics.

Tip #2 – Create Standardized Agreements

A standard set of agreements can help your organization scale your requirements and increase efficiency by reducing the time to draft, negotiate, and sign. Even though some large vendors are adamant about using their own templates, having this baseline in place will help to reduce legal costs and time required to negotiate contractual terms.

The following elements should be included:

  • Vendor Service Agreement – defines the terms and conditions of the purchase of goods or services. Include these details in the contract: scope of services or goods to be covered, timing of services, payment terms, each parties’ responsibilities, renewal and termination, indemnification, and enforcement clauses.
  • Security Addendum – establishes cybersecurity practices and protection measures which service providers should adhere to. This may include: audit or certifications requirements, data hosting restrictions, data encryption and key management, access controls, endpoint security, hardening standards, monitoring and logging protocols, vulnerability detection and management, governance practices, and incident detection and response. Security addendums typically apply to vendors providing a service such as SaaS (software as a service), PaaS (platform as a service), or IaaS (infrastructure as service). Suppliers of goods may adhere to a different set of quality assurance standards (e.g., ISO 9000). 

Depending on your organization’s expertise, engaging outside legal counsel and cybersecurity subject matter experts to help with designing these requirements is worth every penny. These templates will set the tone for future negotiations and mitigate unnecessary pain points during the procurement process.

Tip #3 – Implement a Well-Defined Vendor Selection Process

Creating a consistent approach to vetting vendors during the procurement phase is critical to the success of any new business venture. This due diligence will help to identify the ideal vendors by asking the right questions at the beginning.

We suggest performing the following key steps  during the vendor selection process:

  • Build a Business Case – create a use case on “why” you want to procure a new application, service, or product. What challenges or limitations will it resolve, how does it help to advance your strategic objectives? Often with a limited budget to work with and Finance needs to balance this against other requests, it’s advantageous to articulate the rationale behind the purchase, and quantify the monetary and strategic value proposition for the organization.
  • Identify Prospective Vendors – reach out to existing business partners you trust and ask for recommendations regarding vendors they use for a specific service or product. Market intelligence and research services provided by Forrester, Gartner, and IDC are also good sources to identify potential vendors and suppliers.
  • Perform Vendor Discussions and Assessments – initiate discussions with the prospective vendors. It’s generally good practice to obtain at least two or three proposals for comparison purposes. Tools to support the evaluation process include:
    • Request for Proposal (RFP) – describe your needs and objectives, categorize requirements into “must have” vs. “nice to have”, provided estimated timelines and budget considerations. 
    • Vendor Scorecard – create a scorecard which contains a list of pre-defined evaluation criteria. For each criterion, you may want to assign a different weight factor as some requirements are more critical than others. When designing the scorecard, consult with key stakeholders to identify what key information should be included. There is no “no size fits all” model for vendor scorecards. Capturing these topics will ensure that nothing gets overlooked and set the foundation for assessing the next prospective vendor.
    • Audit Reports – for vendors who provide a business-critical application or they would be processing, storing, or transmitting sensitive corporate or customer data, inquire if they are compliant with frameworks such as ISO/IEC 27001 or SOC 2 Trust Services Criteria. If affirmative, ask for a copy of their most recent audit report for review. If the vendor operates in a regulated industry or specific geographic region with stringent privacy regulations, obtain confirmation the vendor is compliant with the regulations (e.g., GDPR, CCPA, PCI DSS, HIPAA), and obtain a copy of their most recent compliance report.

Tip #4 – Perform Periodic Vendor Assessments

There is a level of trust when you first engage a vendor. Since vendor dynamics and their cybersecurity posture may change over time, it’s imperative to periodically review your vendors. This will confirm they’re providing the services in line with expectations, and there’s a monitoring mechanism in place to detect potential poor performance or cybersecurity issues before they pose a risk to your business.

standardfusion VRM program -questionnaire screen with drop down option to resend assessment

Bearing in mind that not all vendors have the same risk levels, knowing what focus areas apply to which vendor is essential. By asking the right questions, you get the right answers.

We suggest the following steps for performing vendor assessments:

Step 1 – Catalogue and classify the vendors:

  • First step (catalogue) – compile a listing of your key vendors to be reviewed. Documentation is key…because you can’t assess or protect something, if you don’t know what you have. Start off by documenting some basic information for the vendors – such as indicating what service(s) they provide; the type of data they have access to; the level of integration with your business; the contract duration; existing compliance frameworks or regulations they need to follow, and other business factors deemed important.
  • Second step (classify) – Assign a risk level to each vendor based on your internal ranking system. For instance, your decision matrix may state that all vendors with access to sensitive customer data or your databases would be considered “high risk” (aka access to the “crown jewels”). In contrast, vendors with non-administrative system access may be “moderate risk”; and vendors with no access to any corporate systems would be classified as “low risk”. 

Step 2 – Determine how often to review:

The timelines will vary across vendors. You would want to rank vendors according to their business criticality and sensitivity of information being handled by them. A general rule of thumb: the greater the level of access or integration, the more comprehensive and frequent the reviews should be.

Taking a risk-intelligent approach will optimize your resources where it’s most crucial. Best practices suggest the following frequency for vendor reviews based on their assigned risk levels:

  • High risk → quarterly/semi-annually; 
  • Medium risk → semi-annually/annually; 
  • Low risk → annually/bi-annually.

Step 3 – Determine what to review:

What to review should be commensurate with the type of data and criticality of each vendor. In addition to assessing the vendor’s service performance against contractual obligations, cybersecurity reviews should also be performed. Commonly used tools and activities include:

  • Review their most current audit reports (e.g., SOC 2, ISO27001, PCI DSS)
  • Internally designed vendor risk questionnaires
  • Online assessment questionnaires (CAIQ, SIG questionnaire)
  • Vendor security or compliance audits

Step 4 – Determine who performs the reviews:

Vendor service performance reviews should be performed by the stakeholders who engaged the vendor. They would be in the best position to assess whether or not the vendor delivered on expectations. Cybersecurity reviews are more technical in nature and should be assessed by personnel with strong information security expertise and knowledge of the various information security management system (ISMS) and compliance frameworks. In large enterprises, this task is typically assigned to either the Information Security or Compliance teams. In smaller organizations, this task may be delegated to the IT team.

Illustrative Template:

Vendor NameVendor ServiceAccess TypeDepartmentsContract TermApplicable FrameworksRiskReview Frequency
Vendor “A”credit card processorCardholder dataSales, Finance3-year contractPCI DSSHighFrequency: semi-annual   Required: most recent PCI DSS ROC (annual), vendor questionnaire (semi-annual)
Vendor “B”HR management application (HRMS). No outsourced support services. Employee PII, performance reviews, compensationAllAnnuallySOC 2 (Security, Confidentiality, Availability)ModerateFrequency – annual   Required: most recent SOC 2 audit report
Vendor “C” Marketing servicesMinimalMarketing, SalesAd-hocNoneLowFrequency – annual   Required: vendor questionnaire 

Tip #5 – Implement a Transparent and Consistent Reporting Process

Vendor risk management is a program that impacts every department.  Implementing a consistent report regime will ensure that leadership has the necessary tools and information to make accurate and informed decisions in a timely manner.

The reporting cadence should be recurring in nature, at least once every quarter. The presentation would include high-level metrics of the VRM landscape. The agenda may include: a snapshot of the vendor portfolio by risk levels, key vendor activities during the period, vendor data breaches, emerging trends or regulations that would impact the vendor’s and/or the company’s obligations.

By establishing a consistent reporting process, the right information is getting to the right people when they need it. In addition to building transparency and accountability, periodic reporting to management will also satisfy reporting obligations you may have.

How Can Technology Help?

In recent years, advancements in technology and cloud-based services have enabled organizations to scale and automate their VRM program in a cost-effective manner with optimal results. Some businesses do continue to track these activities using spreadsheets and manual methods, but the adverse impact on resources and productivity cannot be minimized.

When taking into account the increasingly stringent compliance requirements and operational complexities, the cost/benefit scale tips in favour of leveraging GRC and VRM tools to streamline the VRM program. The Paradigm Shift from a labor-intensive and highly administrative function towards meaningful risk-intelligent analyses. 

Here are some of the benefits of leveraging technology, such as a GRC or VRM solution, to enhance workflow efficiencies and deliver results:

  • Automate – use artificial intelligence and complex algorithms to filter out the noise and get the insights you need;
  • Consolidate – capture and present information all in one place;
  • Educate – discover what we don’t know and help identify missed opportunities;
  • Facilitate – pivot from administrative tasks to insightful risk intelligent analyses;
  • Mitigate – reduce the probability of errors with processing;  
  • Obligate – promote transparency and accountability.

Technology is transformative. Technology will accelerate an organization’s potential to make informed decisions and take appropriate actions…faster, better, and smarter.