Introduction to Vendor Risk Management – Guide to Vendor Risk Management

It’s likely that you work with different external parties to obtain the goods and services that you need to support the business and services to your customers. Outsourcing has become a popular business strategy to help organizations save money and optimize operational efficiency.  Since vendors often have access to critical systems and important data, using vendors introduces risks that can lead to serious damage to the organization if not properly managed. There’s a degree of unpredictability on how they will perform, or if there are vulnerabilities in their security posture that could lead to a floodgate of dire consequences. In the three-part series, we will explore vendor risk management concepts and address these concerns. The series will provide an in-depth exploration of the vendor lifecycle and provide guidance on actionable tips to effectively manage vendors and vendor risks.

Part 1

Part 1 will serve as an introduction to vendor risk management, defining key terminologies, and highlighting key pointers along the way to drive adoption.

Traditional Risk Management vs. Enterprise Risk Management

When it comes to risk management, there are two schools of thought on which approach is better – traditional risk management vs. enterprise risk management.  Although both paradigms are similar in their goal to mitigate risks that could harm an organization, there are key differences between the two.

Traditional risk management (TRM) is the earliest form of risk management employed by organizations to address loss exposures generated by financial risk, operational risk, and credit risk. Traditional risk management is reactive and focuses on looking for solutions when problems surface.  Unfortunately, this siloed approach, coupled with its limited scope on financial hazards, made it challenging for organizations to proactively anticipate new risks and make informed decisions at the strategic organizational level. As industries, technologies, and ways of doing business evolve…the methodology for measuring risks did not.

What emerged from this shortcoming was Enterprise Risk Management (ERM). ERM is a framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004. In today’s business climate where management is expected to deliver value and be nimble, there was a crucial incentive to adopt an enterprise-wide and progressive approach to risk management. ERM is an evolutionary approach to risk management which is more holistic and strategic. A program which integrates risk management principles with business strategy to galvanize risk-based decision-making and drive performance more effectively. In ERM, decision-making is made at the top management level and impacts multiple business segments. Organizations are better equipped to anticipate potential opportunities and threats which impact their business, by adopting a risk-based mindset in developing a risk-informed strategy to achieve its objectives. Enterprise-level risk factors are broader in scope and include risks such as strategic risk, business risk, operational risk, financial risk, reputational risk, and regulatory risk. 

Traditional risk management is still a valid approach. However, using ERM will ensure the organization is better protected from a broader range of potential threats by taking a proactive approach to mitigate negative events from materializing. 

Third Party Risk, Vendor Risk, Supplier Risk, Service Provider Risk – What’s the Difference?

In vendor risk management, organizations may use different terminology to describe its vendors – by using vendors interchangeably with other terms such as third party, supplier, or service provider.  It can get confusing as these terms look all the same from a quick glance. However, there are subtle differences with these terms.

Before diving into the differences, let’s start off with where they are the same. Third Party Risk Management (TPRM), Vendor Risk Management (VRM), and Supplier Risk Management (SRM) are programs that organizations employ to manage their relationships and risks associated with external parties. The purpose of the programs are the same – its core purpose is to identify, assess, manage and mitigate risks with respect to external parties. 

Now for the differences. Slight variations arise in the nature of the relationship and resources provided by them.

Third-Party Risk Management (TPRM) is a generic catch-all term used to describe the management of risks from all third parties with which an organization interacts or does business with.  This would include a variety of external parties which fall into different categories such as business partners, service providers, suppliers, vendors, customers, government agencies, and not-for-profit entities just to name a few. In essence, TPRM is the overarching umbrella that covers all types of risk management activities associated with each external party that the organization has a business relationship with.

In contrast, Vendor Risk Management (VRM), Supplier Risk Management (SRM) and Supplier Provider Risk Management are narrower in scope and used to describe the risk activities associated with the provider of a service or product.

Supplier Risk Management (SRM) is focused on managing financial risks that are caused by the actions of a supplier and pertains to the supply chain workflow. The term “supplier” is used to describe the provider of a tangible product in the supply chain (such as sourcing of labor and raw materials).  In contrast, the term “vendor” and “service provider” are often used to describe information technology services offered by a provider. 

What’s the Big Deal About Vendor Risk Management?

In recent years, outsourcing has become a necessary component of doing business in a highly connected world. Engaging third-party subject matter experts to provide these services can lead to cost savings, a wealth of expertise not currently available in-house, and stronger performance results. An organization can launch, expand or scale its business quickly without requiring a massive investment to build the infrastructure from the ground up. Whether it’s hiring outsourced contractors or launching a new solution or technology, there’s an abundance of vendors who can readily support these initiatives. 

On the flip side, the vendor relationship also presents greater risk and uncertainty to the organization. There is a dependency on the vendors to provide a crucial function in a reliable and consistent manner. Any service disruptions to the vendor’s operations can lead to a domino effect where millions of businesses or customers are affected.

Recent global events such as the COVID 19 pandemic, supply chain blockage of the Suez Canal, rising energy prices from the Ukraine-Russia war, or cybersecurity attacks on global vendors (such as Colonial Pipeline, JBS Foods, Kaseya and SolarWinds) has amplified the crippling effects of vendor disruptions. Regardless of the organization’s size, industry, or geographic location, no business is immune.

Implementing an effective vendor risk management (VRM) program can minimize the harmful impacts of these events and reduce an organization’s overall risk exposure from third-party services.

Types of Risks Introduced by Vendors

Vendors are an extension of your business. An organization is ultimately liable for consequences resulting from their business failures, service disruptions, or security breaches. Having a thorough understanding of the different types of vendor risks will help you to classify vendors based on their potential threat to the business, and minimize the magnitude of reputational damage from adverse events.

When designing a VRM program, the question arises as to what aspects of the vendor relationship to focus on? Since it’s unrealistic to assess every risk, taking a risk-based approach and focusing your attention on common vendor risks is a good starting point.

Below are a list of top risks which are important to monitor:

  1. Compliance and regulatory risk – a vendor violates laws or regulations that you’re obligated to follow. Depending on your industry and services offered, the business may be required to be compliant with privacy, data protection, financial or environmental regulations. A failure to maintain compliance can result in harsh fines and enforcement actions against the business.
  1. Cybersecurity risk – a vendor may be a susceptible target of data breaches, malware, ransomware, and other cyber-attacks. The increasing sophistication and volume of cyber threats on vendors makes it more important than ever to monitor a vendor’s cybersecurity posture.
  1. Financial risk – your organization could miss its financial performance goals when a vendor fails to deliver on requirements or excessive vendor costs are not adequately addressed.
  1. Operational risk – a vendor’s failure to deliver the services or goods as promised could lead to the organization’s inability to carry out subsequent activities.
  1. Reputational risk – your organization’s public perception and brand could be jeopardized if the vendor you’re doing business with is operating in a manner that is inconsistent with the organization’s core values or standards.
  1. Strategic risk – when a vendor makes business decisions that are not aligned with your organization’s strategic direction, it could impede your ability to capitalize on evolving market trends and business transformation.

The type of risk a vendor poses to your business will be different, depending on the nature of the business relationship and services being provided. For instance, compliance and regulatory risk will be more significant to a health care service provider with access to customer personal health information (PHI) than a supplier who sources office equipment to your business. In contrast, the supplier would pose a higher likelihood of operational risks from non-delivery of products due to supply chain disruptions.

Taking a risk-based approach is key. Risks are inherent to every business and cannot be fully avoided. By accurately assessing “what” risks are applicable to “which” vendors will allow the organization to make informed decisions about the vendor, and implement remediation strategies to reduce vendor risks to an acceptable level. 

Benefits of an Effective Vendor Risk Management Program

Implementing a VRM program will help to effectively manage the sheer volume of vendors and associated risks in a systematic and transparent manner.  With a robust VRM program, you will be in control of every aspect of the vendor relationship. The program will provide you with valuable insights to simplify and scale your risk management process.

vendors in a vendor risk management program

Even though there is no one-size-fits-all approach, key benefits include:

  • Enhance day-to-day operational efficiencies by streamlining and automating key functionalities; 
  • Minimize adverse business disruptions by mitigating critical vendor risks before they become a threat;
  • Enforce accountability by monitoring performance against contractual obligations;
  • Control costs by identifying vendor redundancies and address overspending;
  • Monitor vendor adherence to industry standards or regulations. 

Who Should be Assessing Their Vendors and When?

Any organization that uses vendors will benefit from implementing a VRM program. Vendor assessments can take place during any stage of the lifecycle – from initial scoping of potential vendors to continuous monitoring activities of existing vendors.

Phase 1 (Procurement):

Every vendor, no matter its size or type of services to be provided, should be evaluated before entering into a partnership. The due diligence activities will vary depending on the vendor’s criticality to your business. For instance, a vendor who is 50% integrated into your operations will be assessed more thoroughly than a vendor with a minor role. Another factor that would influence the assessment rigor pertains to the type of services being provided and the level of vendor access to your “crown jewels” – a vendor which has access to corporate strategies or regulated customer data (such as PII or PHI) will warrant a throughout analysis of their cybersecurity controls than a vendor who does not have access.

Phase 2 (Continuous Monitoring during Vendor Lifecycle):

This phase is an essential strategic aspect of a robust VRM program. In a dynamic environment, implementing a governance capability to track vendor performance in real-time will enable more effective decision-making and raise awareness of emerging threats. If your business operates in a regulated industry or provides service to a certain group of customers, regulators in your respective jurisdictions will have mandates to evaluate and monitor vendors throughout the lifecycle of the relationship (e.g. GDPR, HIPAA, HITRUST, CCPA). If you are a service provider operating in an unregulated sector and undergo an annual certification to validate control effectiveness, there is a requirement to assess potential new vendors and evaluate the performance of existing vendors on an annual basis (e.g. SOC 2, ISO27001).

Managing the Vendor Ecosystem

To ensure that vendors are performing in accordance with standards and regulatory requirements, organizations have several resources available to manage the vendor ecosystem. Here are some commonly used practices and guidelines which serves a critical role in vendor risk management:

  • Pre-contractual diligence – Request for Information (RFI), Request for Proposal (RFP), or Request for Quote (RFQ) are used to obtain information about the vendor’s goods and services during the procurement process;
  • Vendor contract management – manage vendor contracts and legal aspects of the relationship;
  • Performance evaluation – assess and monitor vendor performance and control effectiveness via audits, site inspections, and vendor questionnaires;
  • Security scorecards – assess vendors across a benchmark of risk domains, and assign a grade ranking to signify the vendor risk level; 
  • Frameworks and regulatory standards – publications issued by policymakers, regulatory bodies, or accredited professional associations to guide organizations on their obligations. 

Organizations can perform these activities and track them manually using templates and spreadsheets.  While this approach is suitable when there’s only a small number of vendors and minimal operational complexity to account for, the program becomes time-consuming and difficult to manage as volume increases, regulatory requirements intensify, and transactions get complicated.

In recent years, advances in technology innovation and transition to cloud-based services have given rise to modern solutions that can help organizations transform and scale their VRM program via automation, integration, and enhanced data analytics capabilities.

These solutions, whether they are complete GRC platforms or VRM specific solutions, have revolutionized how we manage vendor risks in the best way possible by bringing everything together – a centralized database for vendor contract and performance tracking, consistent methodology for managing risks, simplify and automate vendor assessments, real-time and transparent reporting capabilities; and seamless integration with existing systems – a single source of truth.