Vendor Risk Management (VRM) is the process of managing and monitoring security risks resulting from third-party vendors, IT suppliers, and cloud solutions. VRM programs combine continuous third-party attack surface monitoring, risk assessments, and other third-party risk management initiatives to mitigate business disruptions caused by third-party security risks.
Vendor risk management programs have a comprehensive plan for the identification and mitigation of business uncertainties, legal liabilities, and reputational damage.
As businesses increase their use of outsourcing, VRM and third-party risk management become an increasingly important part of any enterprise risk management framework. Organizations are entrusting more of their business processes to third parties and business partners, so they can focus on what they do best. This means they must ensure third parties are managing information security, data security, and cyber security well. The risk of cyber-attacks and data breaches from third-party vendors must be identified and mitigated.
While outsourcing has great benefits, if vendors lack strong security controls, your organization is exposed to operational, regulatory, financial, and reputational risk. Vendor management is focused on identifying and mitigating those risks.
In this article, we cover the best ways to identify vendor risks and how to prevent and mitigate those risks.
What is Vendor Relationship Management?
When assessing a vendor, it's important to understand how the vendor fits into the overall context of your organization's projects and goals. Third-party relationships can range from a small one-off project with an independent contractor to an ongoing vendor relationship with a large multinational. Common vendor scenarios include:
- An original equipment manufacturer (OEM) who sells something your organization needs, like a printed circuit board (PCB), to a computer manufacturer.
- A marketing freelancer who sells her services to your company on a one-time or ongoing basis (leading to an ongoing vendor relationship).
- A Software-as-a-Service (SaaS) provider who sells software to your organization for a period of time.
Vendor relationship management is focused on overseeing the relationship with vendors, from due diligence and cyber security risk assessment through the delivery of the good or service and on to planning for business continuity. The person who oversees vendor relationships is often called a vendor manager. Vendor managers can sit in any part of an organization, from human resources to the supply chain.
Vendor risk management is an important part of an organization's information risk management and overall risk management process. Vendors pose many risks, including financial, reputational, compliance, legal and regulatory risks.
This is why it's in the best interest of your organization to manage its vendor risks before, during, and after a vendor relationship ends.
What is a Vendor Risk Management Plan?
A vendor risk management plan is an organization-wide initiative that outlines the behaviors, access, and service levels that a company and a potential vendor will agree on.
The document should outline key vendor information and be valuable to the organization and the third party. It should outline how your organization tests and gains assurance of vendor performance. And it should outline how the vendor will be able to ensure your organization's regulatory compliance and not expose customer data in security breaches.
Depending on the vendor and services provided, the relationship may be spelled out step by step with checklists or in a more casual manner.
In order for a vendor risk management plan to be useful, your organization must understand the vendor risk assessment process and be willing to work with your compliance, internal audit, HR, and legal teams to ensure the vendor risk management plan is followed for each new and existing vendor.
An effective vendor risk management plan is characterized by its vendor due diligence policy. Vendor onboarding is one of the most delicate phases of a VRM program because it has a significant impact on an organization’s security posture. Poor onboarding practices will overlook the different types of risks and security vulnerabilities of new vendors, adding these risks to your risk profile.
Proper vendor onboarding requires a thorough assessment of cyber threats and other cyber risks that are unique to each type of vendor, such as their compliance requirements. If available, certifications should also be reviewed - these make the onboarding process much faster.
Beyond onboarding, a VRM plan should aim to streamline third-party security risk management to expedite remediation processes, reducing negative impacts on security postures. Advanced techniques, such as vendor tiering, are very effective at improving remediation efficiency.
What are Third-Party Vendors?
A third-party vendor is virtually anyone who provides a product or service to your organization who does not work at your organization. Common third parties include:
- Manufacturers and suppliers (everything from PCBs to groceries)
- Service providers, including cleaners, paper shredding, consultants and advisors
- Short and long-term contractors. It's important to manage short and long-term contractors to the same standard and assess the information that they have access to.
- Any external staff. It's important to recognize that understanding of cyber risk can differ widely among external staff.
- Contracts of any length can pose a risk to your organization, and the Internal Revenue Service (IRS) has regulations about vendor and third-party relationships that go beyond specific time frames, so even the length of a contract can pose risk. In the IRS's eyes, a vendor working onsite with a company email address for longer than a specific period of time should be classified as an employee and receive benefits.
What is Vendor Lifecycle Management?
The general lifecycle of a vendor relationship is as follows:
- Define and determine needs
- Create vendor assessments for all vendors
- Search for vendors and send out bids
- Select vendor(s)
- Define contract terms and timeframes
- Monitor relationship and performance
- End of contract, relationship or renewal
For high-risk vendors, steps may be skipped, and the process may even result in early termination of a contract.
Why You Need to Manage Your Vendor Risks
Companies face a host of risks when they engage third parties. Vendors who handle confidential, sensitive, proprietary or classified information on your behalf are especially risky. If your third-party vendors have poor security practices, they can pose a huge risk regardless of how good your internal security controls are.
A myopic focus on operational risk factors like performance, quality standards, KPIs and SLAs is not enough. Increasingly, the biggest risks that come from third-party vendors are reputational and financial risks like data breaches.
Here's a sample of the risk that vendors can pose:
- Legal or compliance breaches, especially if you work in government, financial services or as a military contractor
- Breaches of the Health Insurance Portability and Accountability Act (HIPAA), which requires protected health information (PHI) to be secured correctly
- Legal issues like lawsuits, class actions, loss of work or termination of relationships
- Information security and data security risks. You need to know how much information a vendor should have access to and has access to.
- Loss of intellectual property. If a vendor has access to proprietary information, there is a risk they steal it for themselves or expose it through a data breach
- Relaxed restrictions with long-term vendors can be a big risk. It's important for controls to be as rigorous five years in as on the first day
One key way to reduce risk is to only give vendors access to what data they need to get their job done and no more.
That said, to really reduce risk, organizations need to have an overall risk management strategy which means vendors are constantly measured and evaluated. It's not enough to have subject matter experts who own their vendors. Data breaches can come from any part of your organization.
Without organization-wide practices, departments can pick their own metrics to measure and their own ad hoc requirements, which can result in substandard risk management.
What are the Benefits of Vendor Risk Management?
A good vendor risk management program will ensure that:
- Addressing future risks takes less time and fewer resources
- Accountability for both the company and vendor is understood
- The quality of your services isn't damaged
- Costs are reduced where possible
- Availability of your services is improved
- You can focus on your core business function
- Operational and financial efficiencies are secured
- Third-party security risks are reduced as long as everyone follows the plan
Even if your organization has a high risk tolerance, regulations such as the Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA) mandate that risk management policies extend to third-party vendors, outsourcers, contractors and consultants.
How Do you Create an Effective Vendor Risk or Third-Party Risk Management Framework?
To create an effective third-party risk management framework, you need to apply the same criteria to all vendors, adapted to the type of product or service they provide.
- Recognize and outline all challenges. In the era of cloud computing, a poorly configured S3 bucket can be as big a threat as a sophisticated attacker. Make sure your third-party vendors are checking their S3 permissions or someone else will. You could be liable for your vendors' data breaches. The introduction of GDPR means that businesses that operate in the EU must provide data breach notifications, appoint a data protection officer, require user consent for data processing and anonymize data for privacy.
- Ensure the entire organization is on board. Without total compliance with your vendor management framework, it won't be as successful as it could be.
- Ensure your contracts have the "right to audit" as well as what security controls and requirements the supplier has in place.
- Outline how monitoring will occur, when it will occur, how reviews and feedback are conducted, and how risk exposures are identified and mitigated.
An ideal vendor risk management framework should streamline the complete lifecycle of third-party vendor risk management, from procurement and vendor selection to vendor contract negotiations, to business relationship establishment and continuous monitoring.
Streamlined management of vendor partnerships is achieved when management teams move from a linear vendor lifecycle style of risk management to an ongoing vendor risk management model. The following illustration can be used as a high-level template of this superior risk management model.
This ongoing monitoring model is optimized to keep stakeholders informed of an organization’s vendor risk management efforts. And the emphasis on continuous monitoring helps regulated industries, such as those in healthcare, rapidly identify and address emerging risks impacting regulatory compliance.
What is a Vendor Risk Management Maturity Model (VRMMM)?
A vendor risk management maturity model (VRMMM) is a holistic tool for evaluating maturity of third-party risk management programs including cybersecurity, information technology, data security and business resiliency controls.
A VRMMM allows organizations to develop a strategy before building out a program and to identify where and how goals will be set to make the program robust.
Any VRMMM must have two important parts:
- A way to identify and evaluate needs and potential risks
- A way to measure the relative development of maturity in components of the overall risk management framework, such as determining how each department is managing risks, where resources need to be moved and how improvements can be made
What are the Vendor Risk Management Maturity Levels?
There are six levels of a vendor risk management maturity model:
- Startup or no third-party risk management: new organizations beginning operations or organizations with no existing vendor risk management activities.
- Initial vision and ad hoc activity: third-party risk management activities performed on an ad hoc basis and considering how to best structure third-party risk activities.
- Approved road map and ad hoc activity: Management has approved a plan to structure activity as part of an effort to achieve full implementation.
- Defined and established: Organizations with fully defined, approved and established risk management activities, but where activities are not fully operationalized and metrics and enforcement are lacking.
- Fully implemented and operational: Organizations where vendor risk management activities are fully operationalized with compliance measures, including reporting and independent oversight.
- Continuous improvement: Organizations striving for operational excellence with clear understanding of best-in-class performance levels and how to implement program changes to continuously improve the process.
Understanding your organization's vendor risk management maturity level is a key part of understanding how to best manage vendor risk and where you can improve.
How to Create a Third-Party or Vendor Risk Management Checklist
When your organization is preparing to hire or onboard a new vendor, you need to work through a due diligence checklist to ensure they are fit. This is also known as a vendor assessment.
The critical parts to a vendor assessment are as follows:
- Ask for references from the vendor's other clients.
- Determine that the vendor is financially solvent. You may need to request financial statements.
- Verify they have liability insurance.
- If you operate in an industry with regulatory requirements, verify that they have the correct licensing and training, such as HIPAA training, security clearance or a financial license to provide the service.
- Conduct background and criminal checks.
- Assess whether the vendor will be able to meet your required service levels.
- Determine whether the vendor has proper security controls, technology and expertise to properly manage your sensitive information.
- Review the contract, including terms, renewals, required service levels, and termination requirements.
Vendor Risk Management Best Practices in 2023
The best practices for vendor risk management include:
- Taking inventory of all third-party vendors your organization has a relationship with
- Cataloging cybersecurity risks that the counterparties can expose your organization to
- Assessing and segmenting vendors by potential risks and mitigating risks that are above your organization's risk appetite
- Developing a rule-based system to assess future vendors and set a minimum acceptable hurdle for the quality of any future third parties in real-time by reviewing data security and independent reviews
- Establishing an owner of vendor risk management and all other third-party risk management practices
- Defining three lines of defense, including leadership, vendor management, and internal audit, where:
  - The first line of defense includes functions that own and manage risk.
  - The second line of defense includes functions that oversee or specialize in risk management and compliance.
  - The third line of defense includes functions that provide independent assurance, above all, internal audit.
- Establishing contingency plans for when a third party is deemed below quality or a data breach occurs.
- Ensuring a VRM program is supported by scalable processes and not manual tasks, i.e., the use of dashboards, GRC software, and questionnaire managers, not spreadsheets and other manual processes.
Breaches by vendors are almost always caused by failure to enforce already existing rules and protocols. You and your vendors need to be transparent about what you expect from each other and what risks are posed.
How to Address a Vendor Breach
It's no longer enough simply to ensure your organization's systems and enterprise web presence are secure. Your risk management program must address third and even fourth-party risk.
Your vendors can be the target of cyber criminals or accidentally leak confidential information through poor configuration. Delays in schedules, failing to fulfil contracts, going over budget and cutting corners can cause financial and reputational damage even if your organization is not at fault.
By having and following a vendor risk management framework, your organization will be able to act quickly and follow a protocol if a vendor breach does occur. This can include anything from having your vendor pay the financial damages to termination of contract.
Automating Vendor Risk Management with UpGuard
UpGuard offers a suite of features supporting each stage of the VRM lifecycle, including:
- Due Diligence - Instantly get a sense of a prospective vendor's cybersecurity efforts with external attack surface scans quantifying security postures. Then, perform targeted evaluations with a library of industry-leading security questionnaires mapping to popular frameworks and regulations.
- Continuous Attack Surface Monitoring - Have real-time awareness of the state of your vendor attack surface with real-time monitoring complementing point-in-time assessments.
- Third-Party Data Leak Detection - Use UpGuard's proprietary data leak detection engine to locate sensitive data leaks on the surface and dark web. With cybersecurity efforts reviewing each detected leak to remove false positives, you can have confidence in the reliability of all detected data leaks.