Much goes into the successful implementation of a Vendor Risk Management Program. From policy to procedure, the process can be daunting to those who aren’t in the know. Carbide aims to make this challenge easier with these 8 Steps.
1. Create and keep an inventory of your third-party suppliers
Make a list of all your third-party suppliers. Start by getting in touch with the person or persons responsible for accounts payable in your organization. They usually have a list of your vendors and can even lead you to vendors you aren’t working with but still have on the books. Keep track of third-parties and their relationships with their vendors (also called fourth-parties). Categorize these vendors accordingly and keep a full record of their contact information, location, and what products or services they provide to the organization.
A great deal of information goes into producing a vendor profile for the inventory. Questionnaires can often help with the production of a profile for your vendors.
2. Tier and Rank your Vendors
Ranking vendors evolves your list into a comprehensive inventory. As a great way to minimize risk at the outset, this helps you understand who your vendors are and what information your vendors have access to.
Two ways you tier your vendors are according to the level of access they have, and the level of risk they pose to your organization. This is the classification stage in which vendors are classified according to three primary attributes; business criticality, data sensitivity, and regulatory impact.
Higher business function (or business criticality) and higher level of proprietary access (data sensitivity) means a higher level of risk (regulatory impact). In this, criticality refers to those vendors which are critical to the function of the organization.
You can create a ranking system reflecting the level of criticality explained above. A Rank 1 vendor might be a Critical Risk, Critical to IT Business Function vendor who has access to employee information where a Rank 4 vendor might supply the stationery goods for the office and thus has very little access or critical importance overall. A Rank 4 would be little to no risk to the organization.
3. Create a Policy for Vendor Management
Creating a policy for vendor management is all about establishing your vendor risk management program and ensuring that your plan is ready to go. This will be the guide that clearly outlines what your vendor risk management program will look like and who will take part in the process.
Preparing a policy for vendor management can also mean making sure that all contractual obligations are up to snuff and that you have rightly performed your due diligence on vendors before request for proposal while including all relevant stakeholders in the process. As well, it is a matter of putting a system in place before a vendor is onboarded, which means determining what systems you want certain vendors to have access to, and ensuring the proper policies are in place to mitigate risk for those systems.
Policy is where you include your service level agreements (SLAs), compliance standards, acceptable controls, contractual obligations, auditing requirements, plans for disaster recovery or business continuity and so forth.
4. Perform Due Diligence
This is where you get to know your vendor before entering into a contract with them and is also conducted periodically throughout the relationship. Here you collect all the details about the vendor, get to know what risks are associated, and evaluate the potential impacts those risks might have on your organization. This all occurs at the onboarding phase which has its own level of risk management and remediation of risk at the contracting level. Generally all pertinent stakeholders take part in this phase and necessary risks are managed before a vendor is taken on. Controls are put in place for the ongoing vendor relationship and some risks are deemed acceptable. Continued monitoring occurs throughout the lifecycle of the vendor relationship.
5. Conduct a Risk Assessment
Here you identify the risks associated with a vendor's products and services and evaluate the severity and impact those risks have on your organization. There are several risks associated with working with particular vendors. To name a few, operational, legal, and reputational risks tend to pose a great deal of risk to organizations and are usually listed as primary.
Just as there are numerous risks that a vendor poses, there are also various ways to assess a vendor. One way to do this is to start with a security questionnaire that begins the process. A security questionnaire can ensure that vendors meet compliance requirements and regulatory standards as well as can provide a basic understanding of their security posture. From here you can plan a level of testing for the vendor such as providing a penetration test which further adds to the assessment.
Keep in mind that throughout the process you’ll want to also assess each product and service that the vendor provides and in doing so you might want to enlist the help of subject matter experts in your organization that match each service offering. Assessment of the vendor as a whole and of their services should be conducted in the due diligence stage and periodically throughout the vendor relationship.
6. Track your Vendors with Dashboard Ready Scorecards
Scorecards allow you to keep all information in one place for easy monitoring of potential risks. Internal risk assessments and cyber security health can all be kept and tracked on one vendor’s dashboard. Another card can rank and tier vendors according to their health in those areas. Scorecards allow stakeholders to determine what risks require attention for remediation or which vendors may need special consideration. They also allow for better collaboration between the organization and their vendors and can include transparency about remediation efforts as they occur.
7. Include Oversight for Continuous Monitoring
Continuous monitoring is meant to provide details that are not available in the initial assessment phases. Frequent review helps to identify risks that are usually undisclosed and ensures that vendors live up to their SLAs and regulatory requirements. This allows for further dashboard tracking in real time of a vendor’s risk posture and changing vulnerability landscape. It is employed for overseeing risk indicators not regularly notified about in risk assessment so might include indications having to do with network systems or other web security protocols providing a picture of changes as they happen for better risk management.
8. Employ Incident Management
Establish mechanisms for effectively responding to incidents that arise from third-party vendor risk and attempt to automate that process as much as possible such as setting alerts in AWS or your preferred cloud service provider.