What is Vendor Risk Management (VRM)? The Definitive Guide

Published December 27, 2018

Vendor risk management (VRM), a part of vendor management, is the process of identifying, analyzing, monitoring, and mitigating risks that third-party vendors might pose. Such risks could affect your business’ cybersecurity, regulatory compliance, business continuity, or organizational reputation.

As with any risk management program, third-party risk management begins with due diligence before signing a contract. It also involves a risk assessment for each contractor, vendor, supplier, and service provider with which your company works.

A growing number of enterprises either have a vendor risk management program or are starting one. Concerns over information security and data privacy are driving this change, but so are laws including the European Union’s General Data Protection Regulation (GDPR) that require organizations to understand how the third parties with whom they do business manage their own risks, and mandate third-party compliance as a condition of certification.

The Difference Between ‘Vendor’ and ‘Third Party’

A vendor is an external entity, often in the supply chain, that supplies goods or services to an organization. Examples are:

  • Cloud service provider
  • Law firm
  • Accountant/auditor
  • Consultant
  • Software developer
  • Website host
  • Payment processor
  • Raw materials provider 

Third-party relationships encompass all these entities, but also include others with whom your organization does business, such as: 

  • Business partners
  • Venture capitalists
  • Regulatory agencies
  • Nonprofits receiving your donations
  • Customers

While many companies have vendor risk management (VRM) programs, others have more encompassing third-party risk management (TPRM) programs.

Third-Party Vendor Risk Management: Addressing the Risks 

The vendor risk management process involves due-diligence activities before contracting with a new vendor, often using surveys or questionnaires that prospective vendors answer.

This step helps to ensure that the vendor under consideration complies with the necessary regulations and industry standards and has a robust information security program. Using a risk management framework, supported by software-as-a-service (SaaS) tooling, can help you avoid exposing your business to high risk.

Risk assessments are also a part of vendor risk management. For these, you may request evidence of the vendor’s own risk management, information security, and regulatory compliance efforts. 

Evidence may include compliance certifications, penetration test reports, financial information, and on-site audits. With existing third-party relationships, assessing past vendor performance can provide clues to potential risks.

Types of risk include: 

  • Legal—Do your vendors comply with applicable regulations and industry standards? If not, your organization could face legal liabilities. The Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), among others, require vendor compliance.
  • Financial—How might a vendor cause your organization to lose money? Examples include supply chain disruptions, insolvency, a lack of operational resilience, and other types of financial risk exposure.
  • Reputational—Reputational risk may follow whenever vendor risk causes an organization to suffer financial hardship, data breaches, business disruption, or loss of certification.
  • Cybersecurity—Cybersecurity risk is one of the biggest concerns when doing business with third parties. A breach of your vendor’s systems can lead to damage to your own information technology systems and disruption of your business processes. Using a recognized framework for security controls, such as the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), can help you select and verify the controls that keep your data protected.

Vendor risk management continues with monitoring and oversight throughout the lifecycle of the vendor relationship, and even after the contract has ended. 

Third-party risk management may entail all the above steps, but with one caveat: While you choose your vendors, you cannot always select your third-party relationships, such as with customers and regulatory agencies. This means that you may not have as much control over the risk incurred by non-vendor third parties. 

To effectively manage the risks posed by the use of third-party vendors, contractors, and service providers, your organization would do well to implement a comprehensive vendor risk management program.

From vendor selection to vendor onboarding to vendor termination—and beyond—a vendor risk management program will enable you to identify the risks your third-party relationships pose to your enterprise. Then, you can work with vendors to remedy those risks and continuously monitor for changes in your vendors’ risk posture that could affect your business. 

Vendor Risk Management Strategy: What’s Included

A successful vendor risk management program involves careful planning by a dedicated team, continual oversight, and commitment to the process at every stage.

Here are the steps to take: 

1. Draw up formal policy and procedure documents 

These are essential to your program’s success. The policy should explain at a high level how vendor risk will be managed. Procedure documents should detail roles and responsibilities, including those of senior management and your business lines.

2. Establish a vendor selection and due diligence process

Vet your vendors before signing contracts with them. Ask to see SOC reports, conduct a risk assessment that includes results of penetration testing, and make site visits where necessary. 

3. Mind your vendor contracts 

Templates are fine but should be amended for each vendor to account for each party’s roles, responsibilities, and compliance requirements. Set contract standards that establish uniform processes for negotiation, review and approval, monitoring, and contract storage. Your contracts should also address service level agreements (SLAs), proper issue escalation, vendor termination, and security documentation.

4. Conduct ongoing vendor monitoring

  • Review the vendor’s financial statements.
  • Ask to see their IT diagrams so you know how you’re affected if they suffer a cyberattack or business disruption.
  • Conduct vendor audits.
  • Periodically request and evaluate their SOC reports, business continuity and disaster recovery plans, and security documentation.
  • Annually perform vendor risk assessments, performance assessments, and information security assessments.

5. Perform internal audits of your organization

These audits should cover your vendor relationships and the risks they carry. Then, when examiners arrive to test your compliance, you’ll pass with ease and you’ll feel secure in the knowledge that your organization’s systems and data are adequately protected.

6. Automate what you can

Cut costs and time by using quality governance, risk, and compliance (GRC) software. Automation can perform many of the tasks listed here, including generating and sorting questionnaires, staying on top of compliance requirements, and continuously monitoring third-party vendors. 
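As an added illustration of what the ongoing-monitoring and automation steps above look like in practice (this is example code written for this page, not ZenGRC’s or any vendor’s own code), the following script keeps a small vendor register, assigns each vendor an inherent risk tier from two facts the due-diligence questionnaire would capture, and flags vendors whose risk assessment or evidence (SOC report, penetration test report) is overdue. The vendors, dates, tier rules and the review cadence per tier are all constructed assumptions; the article itself only says assessments should be performed annually.

```python
"""Vendor register with risk tiering and overdue-assessment detection.

Example code added to illustrate the monitoring/automation steps of a
vendor risk management program. All vendors, dates and thresholds are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed review cadence per inherent-risk tier, in days. The article only
# prescribes an annual assessment; tiering the cadence is an added assumption.
REVIEW_CADENCE_DAYS = {"high": 180, "medium": 365, "low": 730}

# Tiers for which independent evidence (SOC report, pen test) is required.
EVIDENCE_REQUIRED_TIERS = {"high", "medium"}


@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool          # e.g. PHI, cardholder data, personal data
    business_critical: bool               # an outage would disrupt operations
    last_risk_assessment: Optional[date]  # None = never assessed
    soc_report_expires: Optional[date]    # None = no report on file
    pentest_report_expires: Optional[date]


def inherent_risk_tier(v: Vendor) -> str:
    """Tier a vendor before considering any controls it has in place."""
    if v.handles_sensitive_data and v.business_critical:
        return "high"
    if v.handles_sensitive_data or v.business_critical:
        return "medium"
    return "low"


def overdue_items(v: Vendor, today: date) -> List[str]:
    """Return the monitoring items that are missing or past due for a vendor."""
    findings: List[str] = []
    tier = inherent_risk_tier(v)
    cadence = timedelta(days=REVIEW_CADENCE_DAYS[tier])

    # A vendor that has never been assessed is treated as overdue.
    if v.last_risk_assessment is None or today - v.last_risk_assessment > cadence:
        findings.append("risk assessment")

    if tier in EVIDENCE_REQUIRED_TIERS:
        evidence = (
            ("SOC report", v.soc_report_expires),
            ("penetration test report", v.pentest_report_expires),
        )
        for label, expires in evidence:
            # Missing evidence and expired evidence are both findings.
            if expires is None or expires < today:
                findings.append(label)
    return findings


def monitoring_report(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Map each vendor with at least one overdue item to its list of findings."""
    report: Dict[str, List[str]] = {}
    for v in vendors:
        items = overdue_items(v, today)
        if items:
            report[v.name] = items
    return report


# Constructed sample register; the names and dates are not real vendors.
TODAY = date(2019, 1, 15)
SAMPLE_VENDORS = [
    Vendor("Cloud Host", True, True, date(2018, 6, 1), date(2019, 3, 31), date(2018, 12, 31)),
    Vendor("Payroll Processor", True, False, date(2018, 4, 1), date(2019, 6, 30), None),
    Vendor("Office Supplies", False, False, date(2017, 12, 1), None, None),
]

if __name__ == "__main__":
    for name, items in monitoring_report(SAMPLE_VENDORS, TODAY).items():
        print(f"{name}: overdue -> {', '.join(items)}")
```

Run as a script it lists the high-tier cloud host as overdue for both its semi-annual assessment and an expired pen test report, the payroll processor as missing a pen test report, and says nothing about the low-tier supplier, which matches the article’s point that monitoring effort should follow the risk a vendor actually poses.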

How To Automate your VRM Program

Once you’ve onboarded a vendor, the task of keeping tabs on their security is only just beginning. You’ll need to send self-assessment questionnaires, obtain penetration testing results, continually update your vendor data, and more. 

And you’ll need to always be on top of changes, in real-time. Otherwise, your own organization’s security and compliance could suffer. 

Using ZenGRC to manage your third-party vendors takes the hassle and the worry out of vendor risk management. Its continuous monitoring features keep you on top of your third parties’ compliance hygiene. It streamlines workflows so you don’t have to do everything yourself. It will even send out those dreaded questionnaires and tally the results as they come in.

Zen keeps track of vendors’ compliance with multiple frameworks and provides unlimited audits in a few clicks via its internal audit feature. Its user-friendly dashboards show you at a glance who among your third parties is compliant, and who isn’t.

With ZenGRC automating your vendor risk management, you and your team can focus on other, more important tasks. Liberated from the tyranny of spreadsheets, your business will rise above the risks.
