Creating an Effective Vendor Risk Management Program


Regulations including Basel II, SOX, PCI-DSS, HIPAA, GLBA and FFIEC guidelines, among others, mandate that risk-management policies extend to third-party vendors. There are additional motivations to assess third-party risk, including protecting a company’s reputation from being damaged by another company’s actions. In either case, the more deeply an organization understands its partners’ business, the easier it is to maintain quality of service.

Vendor risk management (VRM) programs evaluate, track and measure third-party risk to assess its impact on a business, and develop controls or other forms of mitigation to lessen the impact if something happens. It is important that a VRM program reflects and enforces an organization’s internal controls framework, ensures compliance with government or industry regulations, and achieves consistency with all vendors.

Principles for Developing an Effective VRM Program

Identify Potential Vendor Risks

Many companies assume they have to assess every partner in depth. Some vendors warrant increased scrutiny because of the strategic role they play in a company’s ability to generate revenue; others may provide only a minor service but still have the potential to expose confidential information. An organization should therefore categorize and prioritize its vendors, and focus each assessment on the risks germane to the services that vendor provides.

Develop Strategies for Higher Risk Vendors

When a vendor is identified as presenting substantial risk, strategies need to be identified to keep the vendor’s issues from causing your organization harm. In order to do so, consider the following:

  • Make risk mitigation part of the negotiation and of the contract’s service-level agreement (SLA).
  • Work closely with the vendor to identify and resolve issues that contribute to the risk.
  • Gather outside information about the vendor to assess its financial health.
  • Measure the vendor’s performance over time.
  • Have a plan for when a vendor exceeds the risk threshold.
  • Have exit plans for all vendors in case a vendor goes out of business.

Align Vendor Control Environments with Internal Frameworks

Many organizations already have a control environment to mitigate internal risks. Work with vendors to assess the effectiveness of their controls against the risks identified. Perform a gap analysis of the organization’s controls versus the vendor’s, and work together to close the gaps. Control requirements should be aligned with industry standards and guidelines.

Implement Ongoing Metrics

Once vendor risks have been identified, measure performance against those risks. When developing measurements, identify the business value to be gained with the function or capability being measured, and define objective criteria that can be used to assess the value. Measures to consider include:

  • Performance against SLA expectations;
  • Disruption of workflow caused by vendor performance;
  • Breaches of the vendor’s network, systems or facilities;
  • Information and results from tests of the vendor’s internal security controls (physical or systems);
  • Vendor non-compliance with laws, rules, regulations, policies and procedures.


A comprehensive automated VRM program is necessary to understand and track the risks vendors pose to business interests. Once risks are thoroughly understood, measured and tracked, an organization can develop strategies to mitigate them and protect the company from harm.

About the author

Sean Cronin

Sean Cronin is responsible for leading all aspects of ProcessUnity’s Risk Suite line of business including strategy, marketing, sales, client services, and strategic partnerships. He brings over 12 years of Governance, Risk and Compliance (GRC) experience to the company.
