10 Steps to Improve Vendor Risk Management in Your Organization
Third-party or vendor risk management (VRM) continues to grow as a major concern for organizations across the board, but many organizations are still lost on where to start or how to get meaningful data out of their VRM program. Oftentimes, departments manage their vendors and third parties separately, making it difficult to obtain information on third parties from all the different business units.
These 10 steps can help organizations get on track to integrated, holistic third-party risk management:
- Understand how processes create value and fit in your organization. If you outsource a process or part of it, you need to have an understanding of how that vendor is going to create value for you.
- Understand the risks to your processes. If you outsource a process or part of it, you should have an understanding of the risks your vendors introduce and of which of those risks you need to manage.
- Understand what data is needed in your processes and the risk that data poses. If you outsource a process or part of it, you need to know how vendors might put that data at risk.
- Ensure that vendors only have access to the data and processes they need to do their work.
- Don’t manage vendor risk the same way for every vendor, unless you have a lot of money to waste. Categorize your vendors by the level of risk they pose and design a risk management program for each risk level.
- Understand that your vendor risk management process can create risk. Issuing, managing, scoring, and reporting on assessments manually can quickly become costly and complicated. Obtain the right tools to scale your vendor risk management operations.
- Have plans in place for when a vendor poses too much risk. Those plans need not be limited to replacing the vendor; they could include acquiring the vendor, investing in the vendor, or other creative options.
- Understand how you will separate from a vendor and build that process into your contract with the vendor.
- Figure out what information you need in order to measure the risk for each vendor and ensure you have access to that data. If you need those measurements from the vendor, make sure that is in your contract. If you need independent verification from a third party (such as a credit reporting agency or a reputation reporting service), make sure you factor that into your outsourcing cost/benefit decision.
- Treat vendor risk management as a separate or dedicated discipline in your organization by assigning one team or individual to champion vendor risk. Do not expect your procurement team or business leaders to be able to consistently perform this task across your organization.
As regulations, standards and guidelines (e.g., HIPAA, ISO 27001, OCC guidelines) require increasing third-party due diligence, one team or individual in the organization needs to take ownership of third-party risk management in order to ensure vendors are not putting your organization at unnecessary risk.
Beyond these steps, many organizations have found value in integrated VRM solutions that identify third-party risks, verify that business partners and their employees are compliant, monitor for changes that might create new risks, and manage the investigation and remediation of incidents. While risk management is never finished, these steps are a good start to help the organization foster a holistic view of third parties.
For more information on third-party risk management, check out our webinar “Who Owns Third-Party Risk?”, which explains establishing program ownership, developing your policies, procedures, and practices, and establishing your vendor inventory.