How to Conduct a Successful Vendor Risk Assessment in 9 Steps
Failing to identify risky vendors can cost you money, customers, and your company’s reputation.
Nearly 80 per cent of organizations have a formal program in place for vendor risk assessments, but around 30 per cent don’t have staff dedicated to the task.
Vendor risk assessment is not the place to cut corners. A thorough evaluation could save you from working with a company that’s unstable at best or criminal at worst. Failure to assess vendors before working with them could lead to non-compliance fines and penalties, lawsuits, financial losses, and a blow to your company’s reputation.
In this article, you’ll learn nine steps to effectively assessing vendors before working with them so you can avoid these negative consequences.
Our free vendor risk assessment checklist will keep you on track for a thorough evaluation that will protect your organization.
A vendor risk assessment, sometimes called a third-party risk assessment, is a process that helps companies choose and monitor their business partners.
First, you identify and evaluate the potential risks of working with a vendor. This could include anything from a conflict of interest to potential supply chain issues.
Then, you decide whether the rewards of the partnerships (e.g. financial, reputational) would outweigh the risks. This decision is based on your organization’s policies, procedures, mission, goals, and current needs.
Conducting a vendor risk assessment can be a long and tedious process. However, failing to do so could result in reputation damage, lost business, legal fees, and fines, even if your organization operates ethically and legally. If one of your vendors fails to comply with a regulation (such as data privacy or safety standards), your company will face consequences, too.
So, how do you conduct a vendor risk assessment? Before entering any new business relationships or renewing old contracts with vendors, follow the nine steps below.
Before you can begin evaluating third parties, you need to know every type of risk you could face when entering into a business agreement. Forgetting even one of these categories could leave you scrambling if something goes wrong.
Depending on what your business does and what you’re hiring a vendor for, some of these risk categories may not apply. Still, knowing all the potential risks gives you a more complete picture when assessing vendors.
Now that you know all the possible categories of risk, you’ll need to develop risk criteria for your third-party assessments. These will depend on what type of business your organization conducts and what you’re hiring the vendor to do.
For example, a hospital deals with sensitive personal data, so it would prioritize data privacy when assessing vendors.
On the other hand, a restaurant would value vendors with low operational risk so they don’t have service interruptions that would cause them to close or limit their menu.
To avoid bias and find the vendors that are the best fit for your organization, assess them consistently. Don’t fast-track a business just because you know someone who works there or they’re a household name. Design a vendor risk assessment with a set format and scoring criteria and use it for every evaluation.
Third-party risk assessments should consist of at least two separate assessments: one of the vendor as a company and one of each product or service you intend to purchase from them.
A company-level evaluation shows you the risk of the vendor as a whole.
On the other hand, a product-level evaluation shows you the risk of a specific product or service.
For example, if you want to buy case management software, in addition to assessing the company you might ask:
Evaluating both the company and the product(s) gives you a full picture of potential risk. This can help you decide whether to start or continue a business relationship with them.
You probably aren’t a subject matter expert in every type of vendor risk. However, to get a full picture of the types of scenarios you could face and their levels of risk, you need deep insight.
Enlist people in other departments of your organization (or connect with your external network) for help. Because they know day-to-day risks and their fields’ best practices, they can assess a vendor’s potential risk at a deeper level.
Get insight from experts in the following departments/fields:
You could even create a risk assessment team, with a designated member from each contributing department. This ensures consistent, timely, and knowledgeable evaluations.
Third-party risk assessments aren’t just for software and supply chains. Every vendor, no matter how small or what product or service they provide, should be evaluated before you enter into a partnership with them.
Evaluate cleaners, shredders, landscapers, property managers, and caterers, even if you don’t conduct a formal risk assessment. If they have access to your files, data, and/or physical space, they could pose a risk to your company.
For example, in December 2022, over 271,000 patients of Avem Health Partners learned that their medical information had been compromised. The reason? Avem’s vendor 365 Data Centers had suffered a data breach.
In fact, “downstream entities affected by multi-party incidents [like Avem] outnumber primary victims [like 365 Data] by over 800 per cent” according to one study.
Ensuring third parties you work with meet your standards and follow best practices could save your company thousands of dollars and its reputation.
After you’ve assessed a vendor, you should determine its overall level of risk. Sorting potential vendors into risk levels helps you quickly decide whether to work with them and, if you do, speeds up the risk management planning that follows.
First, score the vendor using your risk criteria. As mentioned above, this could be a color, a number, or a simple low-, medium-, or high-risk designation.
Then, give the vendor a business impact score. In other words, how important is the vendor and their product or service to your organization?
Finally, decide what amount and types of due diligence you’ll do for vendors at each risk level. This streamlines the process, improving efficiency and consistency and eliminating bias.
For example, low-risk vendors might just need a quick financial audit, while high-risk ones might require weeks of searching through public records.
Download our risk assessment and matrix template to help you define the scope, identify threats and create an action plan.
After you’ve decided to work with a vendor and determined their risk level, it’s time to make a unique risk management plan.
Create a plan for how your organization will manage or mitigate each potential risk posed to it by the vendor. Then, if disaster strikes, you can respond quickly and reduce negative consequences.
The plan should include risk scenarios and specific response tasks, including the name or role of the employee responsible for each one.
In addition, include ways that you will reduce these risks, such as:
When creating your risk management plan, enlist the help of experts in other departments. Just as they helped identify potential risks for the assessment, they can provide insight into how to prevent and handle these risks.
Assessing vendors involves more than evaluating the vendors themselves; you also need to keep track of the rules they are required to follow.
Your organization should stay up to date on new and updated laws and regulations. These include but aren’t limited to:
Remember that you might not only be subject to your local, state, and federal laws. Your company may also have to follow laws and regulations in other parts of the world. For instance, if you process the data of EU individuals, you must follow the GDPR’s requirements.
As you modify your policies and procedures to stay compliant, assess all your vendors to ensure they are compliant, too. If they don’t make necessary changes, schedule a call to ask them about their plans. Cut ties with any vendor that is hesitant to update their processes, as you could be held responsible for their compliance breach.
Vendor risk assessments are an important part of choosing businesses to work with. However, relying on a single evaluation isn’t enough.
Just like your organization, vendors evolve and change. As a result, their procedures might not meet your needs or standards anymore.
For instance, a company may be acquired by another organization whose processes don’t mesh with yours. They might also update a product or start using a new one that doesn’t fit with your company’s policies.
Depending on the vendor’s risk level, you can assess them on a monthly or yearly basis. Ongoing monitoring and due diligence ensure your business relationships are safe and beneficial for both parties.
If you’re still simply reacting to workplace incidents like fraud, compliance lapses, and security breaches, you’re putting your organization, your employees, and your reputation at risk.
With i-Sight’s powerful case management software you can increase oversight, track and manage fraud investigations, and report on results for better risk management and prevention.
i-Sight’s award-winning reporting tool highlights trends and hot spots in investigation data, helping you identify your areas of risk. Use this insight to focus preventive measures and improve your program.
Learn more about how i-Sight can help you reduce risk and prevent incidents here.