
How do I conduct a vendor risk assessment?

Conducting a thorough vendor risk assessment can help your business ensure that every company you work with is trustworthy and secure. It can help you avoid bad actors and know that your data is safe with those you do choose to work with.

Think of it this way: you do a lot to keep your organizational data safe and secure, and the vendors you choose to work with should maintain the same high standards. 

In this post, we’ll take a deep dive into what a vendor risk assessment is, what it should include — including eight types of risk — and the six steps you should take when conducting the assessment itself.

Let’s get started.

What is a vendor risk assessment?

First of all, a vendor risk assessment goes by many names. For example, you may have come across terms like third-party vendor assessment, third-party risk assessment, or vendor risk review. All of these terms refer to what we’ll refer to in this piece as a vendor risk assessment.

A vendor risk assessment is the process by which an organization evaluates the various types of risks third parties pose to their business (more on this below). These third parties may include contractors, vendors, suppliers, or other business partners. 

What are the benefits of a vendor risk assessment?

By properly vetting all potential third-party partners before granting them access to business-critical information and systems, you’ll be able to proactively identify risks and remediate them before they become a serious issue.

In addition to revealing and remediating risks throughout the vendor lifecycle before they become full-blown vulnerabilities, performing an assessment can also help you be better prepared if and when an incident should occur. By fully reviewing every aspect of a potential partner’s systems and operations, you’ll be better able to create an action plan — and carry it out, if necessary — to respond to previously identified risks.

Additionally, assessments that are thorough, professional, and well-managed can serve to shed light on and share security control best practices, demonstrate proper due diligence, and strengthen your organization’s relationships with its suppliers, vendors, and other third parties. It can also make the vendor selection process itself faster and more efficient, thereby reducing costs.

When should you conduct a vendor risk assessment?

These types of assessments are usually conducted at specific points during an organization’s relationship with a vendor. For example, they may be performed during a company’s search for potential partners in order to create a short-list or during the onboarding process before granting access to your networks and systems. 

They may be conducted again after a security breach as part of your incident response plan, on a periodic basis when new hardware or software is installed, during a contract renewal, to satisfy audit requirements, or to monitor continuous adherence to service level agreements (SLAs). 

What should be in a vendor risk assessment?

Before setting out to conduct your vendor risk assessment, it’s important that you first understand what you should be looking out for — including the various types of risks third parties may pose.

Strategy risk

From a strategic perspective, it’s important to identify if the third party in question would be likely to steal or otherwise compromise your organization’s intellectual property, ideas, trade secrets, or any other sensitive business information.

Cybersecurity risk

Take a peek behind the curtain to ensure that the cybersecurity and IT infrastructure of the third party in question are sound. Are their processes secure? Remember, once you grant access to your own company’s sensitive information, it will be subject to the third party’s cybersecurity policies and practices.

Data privacy risk

Similar to cybersecurity risk, it’s essential to understand how the third party handles their data privacy and data security. Do they follow data privacy laws and regulations? Do they have a risk management plan in place if a breach were to occur?

Compliance risk

When it comes to compliance, does this potential partner follow all relevant local, state, and/or federal laws and regulations, in addition to all security frameworks related to their industry, region, and/or organizational model?

Operational risk

Assessing operational risk will entail a review of the third party’s daily operations, policies, and procedures to ensure they won’t put your own organization at risk. How do they curtail human error? How do they ensure day-to-day processes don’t fail? How do they ensure quality? Are they using any third parties themselves that could negatively affect your company?

Financial risk

You’ll also want to look at the third party’s finances. Are their books in order? Do they have enough money to continue operations? How does the business handle currency fluctuations and market risk?

Reputational risk

Will working with the company in question affect your company’s reputation? Does it pose a risk that your customers will lose confidence in your brand or product/service? After all, any loss of trust due to a lack of honesty or responsibility from a third party will directly reflect back on your own organization.

Geographic risk

Can where the company is physically located lead to day-to-day business operations going offline or coming to a stop entirely? For example, if the company is located in a geographic location prone to earthquakes, flooding, other natural disasters, or even political unrest, this could lead to their operations — and yours — coming to a halt.

Six steps of a vendor risk assessment

Now that you know a little bit more about what you should be looking for when putting a vendor risk assessment together, here are the steps you should follow when conducting the assessment itself.

Step 1: Determine risk criteria.

Considering all the different types of risk we covered above, it’s important to determine which risk criteria apply to the potential vendor in question. Maybe you check and see how they measure up against all of the aforementioned risk categories, or maybe some categories simply don’t apply. This will depend on what you’re hiring the vendor to do and/or what type of business you will be conducting with the vendor.

After determining which types of risk you will include in your assessment, come up with a system for how you will score said risks, and determine if you will weigh all risks equally. Whatever system you decide to use, make sure you use the same evaluation and scoring criteria for each potential partner in order to maintain an even playing field and avoid bias.

Once you have a good idea of the level of risk the vendor or supplier poses in each applicable category, then it’s time to determine how much residual risk your organization is comfortable with. Residual risk — which can never be fully eliminated — is the amount of leftover risk your company will take on after the potential partner has implemented all of the controls you deem necessary.

Defining what level of risk your organization deems acceptable can help you more easily eliminate vendors that don’t meet your risk tolerance threshold, and free you up to focus on the ones that do.

Step 2: Catalog vendors.

Now it’s time to catalog all of your potential vendors. Make a list and include information like what they would do for your company, which critical information and/or systems they would need to have access to, and if they will be managing essential business operations. This list can be organized by type of vendor, and/or type of product or service. This can also be done for both existing and potential vendors.

Next, ask yourself these questions: Would the loss of one of these vendors cause a disruption to your own organization? Would it impact your end users and/or customer base? How long would it take to recover from losing one of these vendor relationships?

Step 3: Conduct the vendor risk assessment questionnaire.

It’s time to send out vendor risk assessment questionnaires to those potential third parties that are still in the running.

The vendor risk assessment questionnaire — also known as the cloud security questionnaire or simply the security questionnaire — is a list of technical questions that serve to unearth and better understand the third party’s security and compliance processes and procedures. This series of questions helps assess and evaluate the partner’s overall risk, helping inform the overall risk assessment process.

Vendor risk assessment questionnaires come in many shapes and sizes. They can have as few as 20 or more than 100 questions, be a simple checklist or ask for specific criteria, or even serve as a starting point for probing follow-up questions by an IT compliance team. The approach and type of questionnaire you choose will depend on your company’s own compliance and regulatory requirements, acceptable level of residual risk, and other factors.

To learn more about how the security questionnaire works, what role it plays in your business, what risk assessment questions it may include, and the benefits of using a vendor risk assessment questionnaire tool, check out this post.

Step 4: Assess each vendor and rank according to risk criteria.

Now it’s time to assess each vendor that has met your initial risk requirements and completed your questionnaire successfully. During this step, it may be helpful to use a spreadsheet, matrix, or other organizational tool to help document how each vendor scores in each area. When you’re finished, you’ll have a clear way to compare vendors and choose which is the best partner for your company.
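As an added illustration of Steps 1 and 4 (not code from the original post or from Strike Graph), the following script scores each vendor only on the risk categories that apply to it, applies the same weights and residual-risk tolerance to every vendor, and ranks the survivors. The category weights, 1-to-5 inherent risk scores, and control-effectiveness figures are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed weights per risk category from the post (1.0 = equal weighting).
# Categories that do not apply to a vendor are simply left out of its scores.
CATEGORY_WEIGHTS = {
    "strategy": 1.0, "cybersecurity": 2.0, "data_privacy": 2.0,
    "compliance": 1.5, "operational": 1.0, "financial": 1.0,
    "reputational": 1.0, "geographic": 0.5,
}

@dataclass
class Vendor:
    name: str
    # Inherent risk per applicable category, 1 (low) to 5 (high).
    inherent: dict
    # Share of inherent risk the vendor's existing controls remove (0.0-0.9);
    # the cap keeps some residual risk, which never reaches zero.
    control_effectiveness: dict = field(default_factory=dict)

def residual_score(vendor, weights=CATEGORY_WEIGHTS):
    """Weighted average residual risk over the categories that apply."""
    total = weight_sum = 0.0
    for category, score in vendor.inherent.items():
        if category not in weights:
            raise ValueError(f"unknown risk category: {category}")
        effectiveness = min(vendor.control_effectiveness.get(category, 0.0), 0.9)
        total += score * (1.0 - effectiveness) * weights[category]
        weight_sum += weights[category]
    return round(total / weight_sum, 2) if weight_sum else 0.0

def rank_vendors(vendors, tolerance, weights=CATEGORY_WEIGHTS):
    """Drop vendors above the residual-risk tolerance (Step 1) and rank the
    rest lowest risk first, scored with the same criteria (Step 4)."""
    scored = [(v.name, residual_score(v, weights)) for v in vendors]
    return sorted((s for s in scored if s[1] <= tolerance), key=lambda s: s[1])

# Constructed sample vendors; the scores are illustrative, not real data.
VENDORS = [
    Vendor("acme", {"cybersecurity": 4, "data_privacy": 3, "compliance": 2, "financial": 2},
           {"cybersecurity": 0.5, "data_privacy": 0.5}),
    Vendor("globex", {"cybersecurity": 5, "data_privacy": 5, "compliance": 4, "operational": 3},
           {"cybersecurity": 0.2}),
    Vendor("initech", {"operational": 3, "geographic": 4, "financial": 2},
           {"geographic": 0.5}),
]

if __name__ == "__main__":
    for name, score in rank_vendors(VENDORS, tolerance=3.0):
        print(f"{name}: residual risk {score}")
```

With a tolerance of 3.0, globex is dropped because its residual score stays above the threshold even after its controls are credited.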

Step 5: Control risk.

In order to properly control risk, you’ll want to have a risk management plan in place for each potential vendor. If an event were to occur, how would you manage or mitigate it? Include specific response tasks, who will own what task, and how quickly you’ll need to complete each.

Such a plan will not only help you minimize damage, but also allow you to respond quickly should you need to. 

Step 6: Conduct annual assessments.

Remember, risk management isn’t something that can be completed once and never revisited; it needs to be a continual, ongoing process. You’ll need to carry out frequent monitoring of vendors’ processes, as well as annual reviews of new systems, hardware, software, products, and procedures. Have there been any updates to — or are there any new — laws and regulations that must be followed? This is when you need to address them.

By doing your due diligence, you’ll help ensure that your organization continues to meet all requirements and that the vendor relationship continues to be a safe and secure one for your business.

Strike Graph makes it simple to manage vendor risk

Don’t let unknown or unregulated vendor risk lead to regulatory fines, data breaches, service disruption, lawsuits, lost revenue, and/or reputational damage.

Strike Graph helps you take the nuanced and intensive vendor risk assessment process and turn it into a breeze with our machine learning solution. Our AI streamlines the risk assessment process, using predictive modeling and our internal control program to help you know what risks you need to be assessing and how potential vendors’ existing controls address those risks.

Ultimately, proper risk assessments can help your business minimize, neutralize, or completely avoid negative consequences if or when an event occurs. Using Strike Graph’s all-in-one compliance platform helps you enjoy these benefits all while improving accuracy, saving time, and giving you the confidence you need to proceed with the vendor(s) in question. This can help you get contracts signed — and your organization back to work — faster and more efficiently.
