
Best practices for vendor risk assessment

August 28, 2024
What is vendor risk assessment?
Organizations collaborate with external partners like vendors and suppliers to procure the goods and services that keep their business running. But working with third parties comes with risk. For this reason, businesses systematically evaluate the potential risks associated with their vendors and suppliers through a process called vendor risk assessment (VRA), an essential component of vendor management.

The risk assessment process helps purchasing organizations understand the potential consequences of disruptions or breaches that may arise from their vendor relationships. In this article, we’ll discuss the best practices for vendor risk assessment and describe common assessment methods that can help organizations design a process to suit their specific needs, risk tolerance, and regulatory requirements.

How is vendor risk assessment conducted?

Key steps in a typical vendor risk assessment are as follows:

  1. Identify critical vendors: Determine which vendors pose the highest risk to the organization.
  2. Gather information: Collect data through questionnaires, audits, or other means.
  3. Assess risks: Evaluate the potential impact and likelihood of each identified risk.
  4. Prioritize risks: Rank risks based on severity and likelihood.
  5. Develop mitigation plans: Create strategies to address significant risks.
  6. Monitor and review: Continuously assess vendor performance and update risk assessments.

Organizations can use a number of methods to obtain the information they need from vendors to complete these steps. They often tailor their approach to their specific needs, risk tolerance, and any industry regulations they are subject to.

Common vendor risk assessment methods include:

  • Vendor Self-Assessment Questionnaires
    • Pros: Quick and cost effective for gathering basic information
    • Cons: Relies on vendor self-reporting accurately
  • Third-Party Risk Management Platforms
    • Pros: Reduces manual effort, improves efficiency
    • Cons: Rigid and expensive
  • On-Site Audits
    • Pros: Provides a thorough understanding of vendor operations and controls
    • Cons: Resource-intensive
  • Collaborative Information Sharing

What are the key areas of assessment?

Using one of the assessment methods above, or a combination of them, collect documentation to assess the following key areas of the vendor organization.

  • Financial stability: Assessing the vendor's financial health and stability.
  • Operational risks: Evaluating business continuity plans, disaster recovery, and incident response capabilities.
  • Cybersecurity: Assessing data protection measures, access controls, and security incident response procedures.
  • Compliance: Checking adherence to relevant regulations and industry standards.
  • Performance: Evaluating the vendor's ability to meet contractual obligations and service level agreements.

What documents are collected during vendor risk assessment?

A significant amount of documentation is exchanged during vendor risk assessment. This documentation is crucial for understanding the vendor's operations, security practices, and overall risk profile. The following are examples of documentation that can be collected to evaluate the key areas of potential risk. Note that this list is not exhaustive, and that sensitive information exchange should always be secure and confidential.

Top document collection requests in vendor risk assessments

Vendor Information:

  • Business licenses, permits, and registrations
  • Organizational chart
  • Insurance certificates (general liability, cyber liability, etc.)
  • Financial statements (for high-risk vendors)

Security and Compliance:

  • Security policies and procedures
  • Incident response plan
  • Data protection policies
  • Compliance certifications (e.g., SOC 2, ISO 27001)
  • Vulnerability assessment reports
  • Penetration testing reports
  • Third-party audit reports

Contractual Agreements:

  • Service level agreements (SLAs)
  • Master service agreements (MSAs)
  • Data processing agreements (DPAs)
  • Confidentiality agreements (NDAs)

Operational Information:

  • Business continuity and disaster recovery plans
  • Subcontractor or third-party information (if applicable)
  • Organizational structure and roles

When in the vendor lifecycle should vendor risk assessment take place?

Vendor risk assessments should be a continuous process throughout the vendor lifecycle, but are also likely to occur at key lifecycle stages. 

Pre-Onboarding

  • Due diligence: Assessing potential vendors before entering into a contract.
  • Risk identification: Identifying potential risks associated with the vendor.
  • Risk mitigation planning: Developing strategies to address identified risks.

Onboarding

  • Reassessment: Confirming the accuracy of initial assessment findings.
  • Contractual obligations: Ensuring vendor compliance with security and privacy requirements.
  • Access management: Establishing appropriate access controls for vendor personnel.

Ongoing Monitoring

  • Continuous assessment: Regularly evaluating vendor performance and risk posture.
  • Incident response: Assessing vendor involvement in security incidents.
  • Regulatory changes: Evaluating impact of new regulations on vendor compliance.

Offboarding

  • Data protection: Ensuring secure transfer or deletion of sensitive data.
  • System access: Revoking access to systems and information.
  • Final assessment: Conducting a final risk assessment to identify any residual risks.

By incorporating vendor risk assessments throughout the entire lifecycle, organizations can effectively manage risk, protect sensitive information, and maintain business continuity.

How are documents collected during vendor risk assessment?

Document collection methods vary depending on the size of the organization, the number of vendors, and the complexity of the assessment. 

Key Considerations

  • Interoperability: Each organization may use different preferred tools. Choose a platform with broad compatibility to streamline vendor risk assessment.
  • Security: Ensuring the secure transfer and storage of sensitive information is crucial.
  • Organization: Implementing a system for organizing and categorizing collected documents is essential for efficient analysis.

Here are some common approaches:

Manual Methods

  • Direct requests: Sending emails or physical mail to request specific documents.
  • Portals: Providing a secure online portal for vendors to upload documents.

Automated Methods

  • Third-party risk management platforms: These tools often include document management capabilities, allowing for centralized storage and access.
  • Integration with vendor management systems (VMS): If an organization uses a VMS, it may integrate document collection processes.

Hybrid Approach

  • Combination of methods: Many organizations use a combination of methods, particularly when using specialized internal tools like risk management platforms and vendor management systems. For example, initial requests might be sent to the vendor manually, followed by automated collection and storage internally.

External Collaboration Platforms

  • External collaboration platforms like TakeTurns provide a secure workspace where an organization and its vendor collaborate (exchange, request, manage, and version) on the documents and files necessary for vendor risk assessment, while also tracking all communications associated with the process.
  • Invite your vendor or supplier to a secure workspace: Invited participants join the workspace without having to sign up, they just verify their email. Since only invitees have access, you maintain a high degree of confidentiality and privacy. 
  • All your risk assessment documents in one place: Use TakeTurns to share assessment checklists (vendor risk, cybersecurity, financial, supply chain, …) and request documents. Because it’s asynchronous, each team can work at its own pace and is notified when there are updates. 
  • Gather responses with ease: TakeTurns notifies you when the supplier or vendor responds to your requests. Use the built-in chat to ask questions, resolve issues, and keep everyone on the same page. 
  • Track progress: TakeTurns provides a complete timeline of all documents, requests, queries and communications. The audit trail helps demonstrate a commitment to good risk management practices and adherence to compliance standards.
  • Raise the bar on privacy and confidentiality: When vendor or supplier risk assessments are performed via email, all that sensitive information remains in inboxes and file shares after the process is complete.  With TakeTurns, all the content is automatically archived and removed after your assessment is finished. 

By leveraging technology, organizations can significantly improve the efficiency, security, and accuracy of document collection during vendor risk assessments.

Final thoughts

Vendor risk assessment is essential for safeguarding an organization's operations, reputation, and financial health. Organizations should tailor their approach to their specific needs, risk tolerance, and any industry regulations they are subject to. But following best practices, including ongoing monitoring and the use of appropriate tools and technologies, will help organizations mitigate risks and build strong, resilient partnerships with their vendors and suppliers.
