What is a Vendor Risk Management Program?
Published January 10, 2020 • 2 min read
Vendor Risk Management (VRM) focuses on managing and planning for third-party risk. A VRM program sets boundaries around how to mitigate risk related to vendors, IT suppliers, and service providers. A solid program does not stand alone. Instead, it pairs with an information security program that examines third-party risk through the lens of protecting corporate assets. The goal of a successful VRM program is to prevent cyberattacks caused by third-party relationships through due diligence and life cycle management. Cybersecurity is not the only focus, as there are also reputational, contract/legal, privacy, operational, and strategic risks to consider. The purpose of a VRM program is to provide a management framework to identify, measure, monitor, and mitigate the risks associated with third-party vendor management.
When developing a VRM Program based on the risk appetite of the company, the following factors should be considered:
- Ensure each outsourcing relationship supports the institution’s overall requirements and strategic plans;
- Ensure the institution has sufficient expertise to oversee and manage the relationship;
- Evaluate prospective providers based on the scope and criticality of outsourced services;
- Tailor the enterprise-wide service provider monitoring program based on initial and ongoing risk assessments of outsourced services; and
- Notify the institution's primary regulator regarding outsourced relationships, when required by that regulator.
The third-party risk management program needs to start at the beginning of the relationship between organizations. The business needs to work with IT and Information Security teams to establish a stable foundation on which to build a successful risk management strategy. The key to the cybersecurity foundation is to understand how the third party manages risk. Both organizations must agree on what is an acceptable risk before the relationship moves towards any exchange of information. Third-party vendor management programs need to examine the supply chain, vendor relationships, and the risk management process.
A successful VRM program focused on cybersecurity should provide an organization with these abilities:
Identify: Any and all vendors that have access to sensitive systems, networks, and data. Vendors should be assigned risk ratings and scores based on reputational scoring, cybersecurity risk, and an overall risk assessment.
Detect: Changes in risk posture. Continuous monitoring is essential to determine if the third-party risk has changed for a vendor. Effective vendors have robust data security practices to help mitigate cyber risk.
Protect: Systems, networks, and data from third-party risk. A sound VRM program needs protective security controls and technologies to guard against loss.
Respond: Appropriate processes need to be in place in the event of a security incident. In most third-party risk scenarios, time is of the essence, so pre-built playbooks are essential.
Recover: In the event of a data breach, organizations need a business continuity plan on how to return to normal business operations. A proper plan generally involves the right people, processes, and technology.
While organizations leveraging a VRM program need to assess reputational, legal, and privacy risks, many begin with cybersecurity risks, as they help to identify the other risk areas. Additional information on other risk areas within a VRM can be found here.