Nearly all organizations need to work with vendors or third-party suppliers. Whether you’re a global organization, a non-profit institution, an agency or a small business, your organization has the potential to face severe fines and penalties for failing to understand and comply with applicable regulations. An effective vendor risk assessment, or risk review, is a good way to identify risks that vendors and third parties may pose to your business, and to prevent and mitigate those risks.
Vendor Risks: A few of the risks posed by vendors in today’s business environment include:
- violation of legal or compliance regulations;
- general legal issues, which can result in lawsuits, termination of relationships and loss of business;
- breach of privacy and data security laws, depending on the type of vendor access;
- loss of intellectual property, if the vendor has access to proprietary information and loses, sells or steals it.
Goals of Assessment: The vendor risk assessment is a critical step in both vendor management due diligence phases: vetting the vendor before engagement and monitoring it after engagement. Assessment goals include identifying any risk the vendor will pose, evaluating whether the vendor can eliminate those risks, mitigating and monitoring the risks that cannot be eliminated, assessing the extent of the risk that any outstanding issues may bring to the company, and determining whether your company is willing to accept those risks.
Vendor Classification: The first step is to classify the exposure created by your vendors by assessing the likelihood and impact of a risk event (such as a cyber event). Common risk levels are low, medium and high. The level will tell you how much scrutiny to apply during the pre- and post-engagement due diligence phases.
Begin the Assessment: After classifying the vendors, you will know what the scope of the assessment should be. For instance, high-risk vendors can be assessed via questionnaire and on-site evaluation, while low-risk vendors may need only a questionnaire and document validation. Regardless of the risk level, each vendor should complete a self-assessment questionnaire. The type and depth of the questions are usually guided by the vendor’s risk level. You can search online using the terms SIG Core and SIG-Lite for sample questionnaires (SIG stands for standard information gathering). The questionnaire should include well-documented expectations and guidelines as well as a deadline. Upon receipt, validate the vendor’s assertions by examining the documents the vendor provides as evidence that its controls are operating effectively, such as policies, procedures, training records or audit results. Then produce a findings report that identifies any potential issues to discuss with the vendor and the steps required to mitigate that risk.
Ongoing Monitoring: After you’ve engaged a vendor, continue to update your data as the relationship with the vendor evolves (for example, if they stop performing an important function in-house and decide to outsource it to a third party). The frequency of post-engagement reviews usually depends on the vendor’s risk level and may require continual fine-tuning. For example:
- Low-risk vendors – annually/bi-annually
- Medium-risk vendors – semi-annually/annually
- High-risk vendors – quarterly/semi-annually
Things to consider when determining review schedules include:
- the length of time the vendor has been in business
- customer complaints
- vendor bankruptcy or layoffs
- lawsuits or negative press releases or media
- lowered ratings by agencies (Moody’s, S&P, AM Best)
- increased vendor incidents or non-resolution of incidents
Hold your vendors accountable for helping you close any issues that must be addressed, so that no exposure goes unaddressed.
Ultimately, vendor risk assessments are important not only when bringing on a new vendor, but also for ensuring that the vendor maintains expected service level standards without creating risks to your company, investors or customers.
While it’s impossible to eliminate 100% of your risk exposure, developing an effective approach to understanding your potential risk and minimizing existing risk within your vendor management program is essential to the security of your business and its data.
For more information on insurance coverages including cyber, contact your independent insurance agent.
Neither The Cincinnati Insurance Company nor its affiliates or representatives offer legal advice. Consult with your attorney about your specific situation. This loss control information is advisory only. The author assumes no responsibility for management or control of loss control activities. Not all exposures are identified in this article. Contact your local, independent insurance agent for coverage advice and policy service.