How to Conduct a Vendor Risk Assessment in 9 Steps

 

What is a Vendor Risk Assessment?

 

A vendor risk assessment, sometimes called a third-party risk assessment, is a process that helps companies choose and monitor their business partners.

During this process, you identify and evaluate the potential risks of working with a vendor. Then, you decide whether the rewards of the partnerships would outweigh the risks. This decision is based on your organization’s policies, procedures, mission, goals and needs.

Conducting vendor risk assessments can be a long and tedious process. However, failing to do so could result in reputation damage, lost business, legal fees and fines. If one of your vendors fails to comply with a regulation (such as data privacy or safety standards), your company will face consequences, too.

 

Step 1: Know the Types of Vendor Risk

 

Before you can begin evaluating third parties, you need to know all of the types of risk you could face when entering into a business agreement. Forgetting even one of these categories could leave you scrambling if something goes wrong.

• Strategy risk: Will they steal your trade secrets, ideas or intellectual property?
• Financial risk: Are they financially stable?
• Compliance risk: Do they follow relevant laws and regulations?
• Geographic risk: Do they operate in a risky location (e.g. prone to natural disasters, politically unstable)?
• Technical risk: How sound are their IT and data management processes and infrastructure?
• Subsequential risk: Do they use third parties for any of their processes that could affect your company?
• Resource risk: Do they have adequate resources to do what you’re paying them for?
• Replacement risk: How easy would it be to replace them if they ceased operations?
• Operational risk: How could their day-to-day policies and procedures put your company at risk?
• Reputational risk: How will working with them affect your company’s reputation internally and externally?

 

Depending on what your business does and what you’re hiring a vendor for, some of these risk categories may not apply. Still, knowing all the potential risks gives you a more complete picture when assessing vendors.

 

Step 2: Determine Risk Criteria

 

Now that you know all of the possible categories of risk, you’ll need to develop risk criteria for your third-party assessments. These will depend on what type of business your organization conducts and the vendor does.

For example, a healthcare provider deals with sensitive data, so it would prioritize data privacy when assessing vendors. On the other hand, a restaurant would value vendors with low operational risk so they don’t have service interruptions that would cause them to close or limit their menu.

To avoid bias and find the vendors that are the best fit for your organization, assess vendors consistently. Don’t fast-track a third party just because you know someone who works there or they’re a household name. Design a vendor risk assessment with a set format and scoring criteria and use it for every evaluation.

 

RELATED: 4 Ways to Prevent Vendor Fraud

 

Step 3: Assess Each Product and Service

 

Third party risk assessments should actually consist of two separate assessments: one of the vendor as a company and one of each product or service you intend to purchase from them.

A company-level evaluation shows you the risk of working with the vendor. What is their reputation and how could working with them affect yours? Do they have legitimate, compliant business practices? How fast and reliable is their customer service?

On the other hand, a product-level evaluation shows you the risk of a specific product. For example, if you want to buy case management software, in addition to assessing the company you might ask:

• Is the software secure?
• How long will it take for our employees to learn to use it?
• How much does it cost?
• Does it comply with relevant laws (data privacy, reporting, etc.)?

 

Evaluating both the company and the product gives you a full picture of potential risk. This can help you decide whether to start or continue a business relationship with them.

 

Step 4: Get Help from Experts

 

Chances are, you aren’t a subject matter expert in every type of vendor risk. However, to get a full picture of the types of scenarios you could face and their levels of risk, you need to have a pretty high level of knowledge.

Enlist people in other departments of your organization (or connect with your external network) for help. Because they know day-to-day risks and their field’s best practices, and can assess a vendor’s potential risk at a deeper level.

Get insight from experts in:

• Compliance
• Finance
• Security
• IT
• Legal

 

You could even create a risk assessment team, with a designated member from contributing departments. This ensures consistent, timely evaluations.

 

 

Step 5: Assess Every Vendor

 

Third party risk assessments aren’t just for software and supply chains. Every vendor, no matter how small or what product or service they provide, should be evaluated before you enter into a partnership with them.

Evaluate cleaners, shredders, landscapers, landlords and caterers, even if you don’t conduct a formal risk assessment. If they have access to your files, data and/or physical space, they could pose a risk to your company.

For example, Target’s 2013 data breach that affected more than 70 million customers was caused by an attack on one of the company’s HVAC vendors. Using stolen credentials from the vendor, hackers installed malware on Target’s network. Ensuring third parties you work with meet your standards and follow best practices could save your company thousands of dollars and its reputation.

 

Step 6: Separate Vendors by Risk Level

 

After you’ve assessed a vendor, you should determine its overall level of risk. Separating potential vendors into risk levels can help you quickly determine whether to work with them and speed up the risk management planning process if so.

First, score the vendor as high-, medium- or low-risk based on your risk criteria. Then, give the vendor a business impact score. In other words, how important is the vendor and their product or service to your organization?

Finally, decide what amount of due diligence you’ll do for vendors at each risk level. This streamlines the process, improving efficiency and consistency and eliminating bias.

 

Need help organizing your risk assessments? Download our risk assessment and matrix template to help you define the scope, identify threats and create an action plan.

 

Step 7: Make a Risk Management Plan

 

After you’ve decided to work with a vendor and determined their risk level, it’s time to make a unique risk management plan.

Make a plan for how your organization can manage or mitigate each potential risk posed to it by the third party. Then, if disaster strikes, you can respond quickly and reduce any damage done. The plan should include risk scenarios and specific response tasks, including the name or role of the employee responsible for each one.

In addition, include ways that you will reduce these risks. For example:

• Frequent monitoring of the third party’s processes
• Yearly in-depth due diligence to stay up to date on the vendor’s procedures
• Contract considerations such as data storage requirements or review of subcontractors

 

When creating your risk management plan, enlist the help of experts in other departments. Just as they helped identify potential risks for the assessment, they can provide insight into how to prevent and handle these risks.

 

RELATED: Third-Party Due Diligence: 5 Steps to Reduce Risk

 

Step 8: Stay Up to Date on Regulations

 

The process of assessing vendors should extend further than just evaluating third parties. Your organization should stay up to date on new and updated laws and regulations. These include but aren’t limited to:

• Privacy laws
• Environmental regulations
• Employment and labor laws
• Tax code

 

As you modify your policies and procedures to stay compliant, assess all your vendors to ensure they are compliant, too. If they don’t make necessary changes, schedule a call to ask them about their plans. Cut ties with any vendor that is hesitant to update their processes, as you could be held responsible for their compliance breach.

 

Step 9: Conduct Annual Assessments

 

Third-party risk assessments are an important part of choosing vendors to work with. However, relying on a single evaluation isn’t enough.

Just like your organization, vendors evolve and change. As a result, their procedures might not meet your needs or standards anymore. For instance, a company may be bought out by another organization whose processes don’t mesh with yours. They might also update a product or start using a new one that doesn’t fit with your company’s policies.

Depending on the vendor’s risk level, you can assess them on a monthly or yearly basis. Ongoing monitoring and due diligence ensure your business relationships are safe and beneficial for both parties.