
How to Conduct a Successful Vendor Risk Assessment in 9 Steps


Failing to identify risky vendors can cost you money, customers, and your company’s reputation.

Nearly 80 per cent of organizations have a formal program in place for vendor risk assessments, but around 30 per cent don’t have staff dedicated to the task.

Vendor risk assessment is not the place to cut corners. A thorough evaluation could save you from working with a company that’s unstable at best or criminal at worst. Failure to assess vendors before working with them could lead to non-compliance fines and penalties, lawsuits, financial losses, and a blow to your company’s reputation.

In this article, you’ll learn nine steps to effectively assessing vendors before working with them so you can avoid these negative consequences.


What is the Purpose of a Vendor Risk Assessment?

A vendor risk assessment, sometimes called a third-party risk assessment, is a process that helps companies choose and monitor their business partners.

First, you identify and evaluate the potential risks of working with a vendor. This could include anything from a conflict of interest to potential supply chain issues.

Then, you decide whether the rewards of the partnerships (e.g. financial, reputational) would outweigh the risks. This decision is based on your organization’s policies, procedures, mission, goals, and current needs.

Conducting a vendor risk assessment can be a long and tedious process. However, failing to do so could result in reputation damage, lost business, legal fees, and fines, even if your organization operates ethically and legally. If one of your vendors fails to comply with a regulation (such as data privacy or safety standards), your company will face consequences, too.

So, how do you conduct a vendor risk assessment? Before entering any new business relationships or renewing old contracts with vendors, follow the nine steps below.

Step 1: Know the Types of Vendor Risk

Before you can begin evaluating third parties, you need to know every type of risk you could face when entering into a business agreement. Forgetting even one of these categories could leave you scrambling if something goes wrong.

  • Strategy risk: Will they steal your trade secrets, ideas, or intellectual property?
  • Financial risk: Do they have/bring in enough money to continue their operations?
  • Compliance risk: Do they follow relevant laws and regulations?
  • Geographic risk: Do they operate in a risky location (e.g. prone to natural disasters, politically unstable)?
  • Technical risk: How sound are their IT and data management processes and infrastructure?
  • Subsequential risk: Do they use third parties for any of their processes that could affect your company?
  • Resource risk: Do they have adequate resources (e.g. time, money, employees) to do what you’re paying them for?
  • Replacement risk: How easy would it be to replace them if they ceased operations?
  • Operational risk: How could their day-to-day policies and procedures put your company at risk?
  • Reputational risk: How will working with them affect your company’s reputation internally and externally?

Depending on what your business does and what you’re hiring a vendor for, some of these risk categories may not apply. Still, knowing all the potential risks gives you a more complete picture when assessing vendors.

Step 2: Determine Risk Criteria

Now that you know all the possible categories of risk, you’ll need to develop risk criteria for your third-party assessments. These will depend on what type of business your organization conducts and what you’re hiring the vendor to do.

  • What types of risk will you assess?
  • How will you score risks? You could use a numbered scale or a color scale (red for most risky, yellow for medium, green for low).
  • Will you weigh each type of risk equally, or weight certain categories more heavily because low risk there matters more to you?

For example, a hospital deals with sensitive personal data, so it would prioritize data privacy when assessing vendors.

On the other hand, a restaurant would value vendors with low operational risk so they don’t have service interruptions that would cause them to close or limit their menu.

To avoid bias and find the vendors that are the best fit for your organization, assess them consistently. Don’t fast-track a business just because you know someone who works there or they’re a household name. Design a vendor risk assessment with a set format and scoring criteria and use it for every evaluation.

Step 3: Assess Each Product and Service

Third-party risk assessments should consist of at least two separate assessments: one of the vendor as a company and one of each product or service you intend to purchase from them.

A company-level evaluation shows you the risk of the vendor as a whole.

  • What is their public reputation?
  • How could working with them affect yours?
  • Do they have legitimate, compliant business practices?
  • How fast and reliable is their customer service?
  • Have they recently been involved in any public scandals? What about?
  • Is the company located in a dangerous or unstable area?

On the other hand, a product-level evaluation shows you the risk of a specific product or service.

For example, if you want to buy case management software, in addition to assessing the company you might ask:

  • Is the software secure?
  • How long will it take for our employees to learn to use it?
  • How much does it cost?
  • Does it comply with relevant laws (data privacy, reporting, etc.)?

Evaluating both the company and the product(s) gives you a full picture of potential risk. This can help you decide whether to start or continue a business relationship with them.

Step 4: Get Help from Experts

You probably aren’t a subject matter expert in every type of vendor risk. However, to get a full picture of the types of scenarios you could face and their levels of risk, you need deep insight.

Enlist people in other departments of your organization (or connect with your external network) for help. Because they know day-to-day risks and their fields’ best practices, they can assess a vendor’s potential risk at a deeper level.

Get insight from experts in the following departments/fields:

You could even create a risk assessment team, with a designated member from each contributing department. This ensures consistent, timely, and knowledgeable evaluations.

Step 5: Assess Every Vendor

Third-party risk assessments aren’t just for software and supply chains. Every vendor, no matter how small or what product or service they provide, should be evaluated before you enter into a partnership with them.

Evaluate cleaners, shredders, landscapers, property managers, and caterers, even if you don’t conduct a formal risk assessment. If they have access to your files, data, and/or physical space, they could pose a risk to your company.

For example, in December 2022, over 271,000 patients of Avem Health Partners learned that their medical information had been compromised. The reason? Avem’s vendor 365 Data Centers had suffered a data breach.

In fact, “downstream entities affected by multi-party incidents [like Avem] outnumber primary victims [like 365 Data] by over 800 per cent” according to one study.

Ensuring third parties you work with meet your standards and follow best practices could save your company thousands of dollars and its reputation.

Step 6: Separate Vendors by Risk Level

After you’ve assessed a vendor, you should determine its overall level of risk. Separating potential vendors into risk levels can help you quickly determine whether to work with them and speed up the risk management planning process if so.

First, score the vendor using your risk criteria. As mentioned above, this could be a color, a number, or a simple low-, medium-, or high-risk designation.

Then, give the vendor a business impact score. In other words, how important is the vendor and their product or service to your organization?

Finally, decide what amount/types of due diligence you’ll do for vendors at each risk level. This streamlines the process, improving efficiency and consistency and eliminating bias.

For example, low-risk vendors might just need a quick financial audit, while high-risk ones might require weeks of searching through public records.
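The scoring scheme from Step 2 (a color or numbered scale, with optional per-category weights) and the risk-level-by-business-impact tiering from Step 6 can be made mechanical so that every vendor is scored the same way. The following is an added example, not code from the article or from Case IQ; the category weights, the level cut-offs, the due-diligence tiers and the sample vendors are all constructed assumptions. It also adds one safeguard the text implies but does not spell out: a red rating in a heavily weighted category (such as compliance) escalates the vendor to high risk even if the weighted average would land lower, so a single critical finding cannot be averaged away.

```python
"""Weighted vendor risk scoring with due-diligence tiering.

Added example: category weights, thresholds, tiers and sample vendors
below are hypothetical and set per organization, not taken from the article.
"""
from dataclasses import dataclass, field

# Risk categories from Step 1. Weights are an assumption; each organization
# sets its own (a hospital might weight compliance and technical risk higher).
DEFAULT_WEIGHTS = {
    "strategy": 1.0, "financial": 1.0, "compliance": 2.0, "geographic": 0.5,
    "technical": 2.0, "subsequential": 1.0, "resource": 1.0,
    "replacement": 1.0, "operational": 1.0, "reputational": 1.0,
}

# Color scale from Step 2 mapped onto numbers so it can be weighted.
COLOR_SCORE = {"green": 1, "yellow": 2, "red": 3}

# Assumed cut-offs on the 1.0..3.0 weighted average, checked highest first.
LEVEL_THRESHOLDS = (("high", 2.5), ("medium", 1.75))

# Assumed rule: a red rating in any category weighted at or above this value
# forces "high" regardless of the average.
CRITICAL_WEIGHT = 2.0

# Due-diligence depth for each (risk level, business impact) pair (Step 6).
DUE_DILIGENCE = {
    ("low", "low"): "basic questionnaire",
    ("low", "high"): "questionnaire + financial review",
    ("medium", "low"): "questionnaire + financial review",
    ("medium", "high"): "financial review + security assessment",
    ("high", "low"): "financial review + security assessment",
    ("high", "high"): "full due diligence (public records, on-site review, contract controls)",
}


@dataclass
class VendorAssessment:
    name: str
    ratings: dict                 # category -> "green" | "yellow" | "red"
    business_impact: str          # "low" | "high"
    weights: dict = field(default_factory=lambda: dict(DEFAULT_WEIGHTS))

    def validate(self) -> None:
        """Reject incomplete or malformed assessments instead of silently skipping categories."""
        missing = set(self.weights) - set(self.ratings)
        unknown = set(self.ratings) - set(self.weights)
        if missing or unknown:
            raise ValueError(f"{self.name}: missing={sorted(missing)} unknown={sorted(unknown)}")
        bad = {c: r for c, r in self.ratings.items() if r not in COLOR_SCORE}
        if bad:
            raise ValueError(f"{self.name}: invalid ratings {bad}")
        if self.business_impact not in ("low", "high"):
            raise ValueError(f"{self.name}: business_impact must be 'low' or 'high'")

    def weighted_score(self) -> float:
        """Weighted average of the numeric ratings, on a 1.0..3.0 scale."""
        self.validate()
        total = sum(self.weights.values())
        weighted = sum(COLOR_SCORE[self.ratings[c]] * w for c, w in self.weights.items())
        return round(weighted / total, 2)

    def risk_level(self) -> str:
        """Map the score to low/medium/high, with the critical-category override applied first."""
        self.validate()
        if any(self.ratings[c] == "red" and w >= CRITICAL_WEIGHT for c, w in self.weights.items()):
            return "high"
        score = self.weighted_score()
        for level, cutoff in LEVEL_THRESHOLDS:
            if score >= cutoff:
                return level
        return "low"

    def due_diligence_tier(self) -> str:
        return DUE_DILIGENCE[(self.risk_level(), self.business_impact)]


def _ratings(default: str, **overrides: str) -> dict:
    """Build a full rating set from one default color plus per-category overrides."""
    r = {c: default for c in DEFAULT_WEIGHTS}
    r.update(overrides)
    return r


# Constructed sample vendors (fictional names and ratings).
SAMPLE_VENDORS = [
    VendorAssessment("Caterer Co", _ratings("green"), "low"),
    VendorAssessment("Cloud Host Inc", _ratings("green", compliance="yellow", technical="yellow"), "high"),
    VendorAssessment("Offshore Dev Ltd", _ratings("yellow", compliance="red", technical="red"), "high"),
    VendorAssessment("Field Office Supply", _ratings("green", geographic="red"), "low"),
]


def assess_all(vendors=SAMPLE_VENDORS) -> dict:
    """Return name -> (weighted score, risk level, due-diligence tier) for every vendor."""
    return {v.name: (v.weighted_score(), v.risk_level(), v.due_diligence_tier()) for v in vendors}


if __name__ == "__main__":
    for name, (score, level, tier) in assess_all().items():
        print(f"{name:20s} score={score:<5} level={level:<6} -> {tier}")
```

Note what the override does for the third vendor: its weighted average (2.35) falls in the medium band, but red ratings in the two critical categories escalate it to high, which is the behaviour you want when the red mark is a compliance failure you could be held responsible for.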


Step 7: Make a Risk Management Plan

After you’ve decided to work with a vendor and determined their risk level, it’s time to make a unique risk management plan.

Create a plan for how your organization will manage or mitigate each potential risk posed to it by the vendor. Then, if disaster strikes, you can respond quickly and reduce negative consequences.

The plan should include risk scenarios and specific response tasks, including the name or role of the employee responsible for each one.

In addition, include ways that you will reduce these risks, such as:

  • Frequent monitoring of the vendor’s processes
  • Yearly in-depth due diligence to stay up to date on the vendor’s procedures
  • Contract considerations such as data storage requirements or review of subcontractors

When creating your risk management plan, enlist the help of experts in other departments. Just as they helped identify potential risks for the assessment, they can provide insight into how to prevent and handle these risks.

Step 8: Stay Up to Date on Regulations

Assessing vendor risk involves more than evaluating the vendors themselves.

Your organization should stay up to date on new and updated laws and regulations. These include but aren’t limited to:

  • Data privacy laws
  • Environmental regulations
  • Employment and labor laws
  • Tax code

Remember that you might not only be subject to your local, state, and federal laws. Your company may also have to follow laws and regulations in other parts of the world. For instance, if you process the data of EU individuals, you must follow the GDPR’s requirements.

As you modify your policies and procedures to stay compliant, assess all your vendors to ensure they are compliant, too. If they don’t make necessary changes, schedule a call to ask them about their plans. Cut ties with any vendor that is hesitant to update their processes, as you could be held responsible for their compliance breach.

Step 9: Conduct Annual Assessments

Vendor risk assessments are an important part of choosing businesses to work with. However, relying on a single evaluation isn’t enough.

Just like your organization, vendors evolve and change. As a result, their procedures might not meet your needs or standards anymore.

For instance, a company may be acquired by another organization whose processes don’t mesh with yours. They might also update a product or start using a new one that doesn’t fit with your company’s policies.

Depending on the vendor’s risk level, you can assess them on a monthly or yearly basis. Ongoing monitoring and due diligence ensure your business relationships are safe and beneficial for both parties.

FAQs

What should be in a vendor risk assessment?

A vendor risk assessment should include identifying and evaluating potential risks associated with working with a vendor, determining whether the rewards outweigh the risks based on organizational policies and needs, and conducting a thorough assessment of the vendor's company and each product or service they offer.

What are the types of vendor risks?

The types of vendor risks include strategy risk, financial risk, compliance risk, geographic risk, technical risk, subsequential risk, resource risk, replacement risk, operational risk, and reputational risk.

What makes a vendor high risk?

A vendor may be considered high risk based on factors such as their public reputation, compliance with laws and regulations, operational stability, financial status, potential impact on the company's reputation, and the level of difficulty in replacing their products or services.

If you’re still simply reacting to workplace incidents like fraud, compliance lapses, and security breaches, you’re putting your organization, your employees, and your reputation at risk.

With Case IQ’s powerful case management software you can increase oversight, track and manage fraud investigations, and report on results for better risk management and prevention.

Case IQ’s award-winning reporting tool highlights trends and hot spots in investigation data, helping you identify your areas of risk. Use this insight to focus preventive measures and improve your program.

Learn more about how Case IQ can help you reduce risk and prevent incidents here.