Vendor Risk Management: What Is It & How Do I Conduct It?
A CrowdStrike report found that 45% of the organizations they surveyed experienced a software supply chain attack in the previous 12 months, and that such attacks in general have increased by 430%. Meanwhile, according to research by the Cyentia Institute, 98% of organizations had a third-party vendor that experienced a data breach in 2022, and supply chain attacks surpassed direct malware-based attacks by over 40% last year.
Attacks on organizations' supply chains, that is, attacks that reach them through their often smaller vendors, are becoming increasingly popular and widespread. They expose companies to a variety of potential risks that can directly impact their data and operations.
Given that the average global data breach costs $4.35M (in the US this number is $9.44M), it's essential to have a robust Vendor Risk Management (VRM) strategy in place to ensure that a security breach affecting one of your vendors does not undermine your own security.
This article explores the importance of VRM and provides insights into its key components, challenges, and best practices. By understanding and implementing a comprehensive VRM strategy, organizations can enhance their operational efficiency, protect their valuable assets, and foster strong, collaborative relationships with their vendors instead of experiencing a breakdown of trust and fruitful business relations once a breach happens.
What is Vendor Risk Management (VRM)?
Vendor Risk Management (VRM), also known as supply chain risk or third-party risk management, is a comprehensive approach to evaluating, monitoring, and mitigating the potential risks that may arise from an organization's relationships with its vendors.
A VRM strategy, when implemented appropriately, helps companies rank the vendors they work with based on their respective risk profiles and criticality to the company's own operations, optimize processes, gain visibility into vendors' security controls, and identify and address key risks, whether they're cybersecurity, operational, or compliance risks. Ultimately, with an effective VRM strategy, an organization can ensure that its data, systems, and operations are protected from potential vendor risks.
A successful VRM program requires the implementation of policies, tools, technologies, and processes to ensure that a company and its departments are aware of any potential adverse effects that might result from one of their vendors' security being breached, and have taken the appropriate steps to reduce and minimize them. VRM can also improve and streamline the vendor-client relationship, not only helping vendors maintain a secure and compliant environment but also finding new ways to improve efficiencies and workstreams.
Common tools in VRM include:
Security Questionnaires
These are often given to vendors in order to assess their security risk posture and understand how the vendor fits in with the larger vendor ecosystem. By having all vendors fill out a security questionnaire, you can get an understanding of which vendors have risks that require attention and addressing.
External Scanning Tools
These are external tools that assess the security posture of a vendor's public-facing and external systems. They are automated tools that can flag risks that are on the surface and therefore more exposed to potential exploitation. This could, for example, alert a company to a vendor's risky website or misconfigured public-facing database. Because they scan public-facing systems only, vendors don't have to play a part, simplifying the entire process.
Risk Assessment Brokers
Also known as shared assurance providers, these are third-party resources that provide supplier risk assessments. Unlike questionnaires, which require you to trust your vendors' answers, these assessments are designed to be objective, validated, and verified.
These are just a few of the most common tools, but as you'll see later in the article, there are pros and cons to these approaches, and newer, more innovative ways and tools to facilitate more effective VRM exist today and should be considered.
Why Is VRM Important?
A robust VRM program is necessary in today’s modern age of vendor interdependence. As the dependence on third-party relationships grows, so does the need for effective VRM to ensure these partnerships remain secure and mutually beneficial. VRM allows organizations to identify and remediate potential risks associated with their vendors, including cybersecurity, operational, financial, or legal risks.
It can also improve overall collaboration, transparency, accountability, and communication, which is vital for smooth business operations and can help improve trust and overall vendor performance. By improving the vendor-client relationship, companies can create new efficiencies and build relationships with key teams inside their vendors, which will come in handy in case a security breach does transpire in the future, since it will make remediation much faster, easier, and more collaborative.
At the same time, having an effective VRM strategy and processes in place will also do much to improve internal company communications and collaboration across teams: between IT and Risk departments, human resources, legal and procurement, to name just a few. In fact, anyone in the organization might need to onboard a new vendor at some point, and if there isn't a clear, easy-to-follow process, employees will find the easiest way to do it, which may be high-risk. You could also end up creating friction or losing trust with your colleagues. VRM is an opportunity to engage with the rest of the business and create an improved degree of awareness and shared responsibility for keeping the business and its data (and client data) safe.
What are the risks of not having a VRM strategy in place?
Organizations that fail to implement a robust VRM strategy expose themselves to numerous risks and potential consequences beyond just data loss or a disruption in operations.
Without a VRM strategy, organizations may struggle to manage their vendor relationships effectively, leading to inefficiencies in procurement, contract management, and vendor performance monitoring when it comes to security. As the number of vendors increases, managing them without a streamlined process can lead to the buildup of operational risks.
This can also make it challenging to build strong, collaborative and lasting relationships with vendors, which could result in downstream issues such as communication gaps and potential disputes. These issues may worsen in cases where a vendor's security has been compromised: your departments might have unexpected downtime and may experience disruptions to critical business services.
There are also more specific cybersecurity risks to be aware of. Companies may inadvertently partner with vendors that have poor security practices, exposing themselves to the risk of data breaches, cyberattacks, and other security incidents. As regulators and compliance standards increasingly require organizations to validate their third parties, working with a potentially risky vendor may lead to fines or other regulatory action.
What are the challenges of VRM?
One of the primary challenges with existing vendor risk management approaches is that many methods are outdated. They often rely on point-in-time assessments, tick-box exercises, and self-reporting, which provide only a snapshot of a vendor's risk posture and may not accurately reflect the current state of their security and compliance. As a result, organizations may not know how changes in their vendor's environment or new vulnerabilities may make their way downstream to their own systems.
These methods no longer work given how fast environments change and how interconnected and interdependent vendors and clients have become. Companies can't assess a vendor based on information that's a year old and that doesn't include information on how vendors ensure that they are also looking into the security of their own vendors and third parties. Without organizations also gaining insight into their vendors' vendors, there's a major blind spot in their risk management strategies.
An additional challenge is having visibility into a company's own third parties. The advent of SaaS partners makes it a breeze for any department to onboard a new vendor in minutes. But if there's no process or policy in place to ensure you're aware of any new vendor, it creates a shadow IT environment that evades attempts to manage potential risks. Not only does this add to the problem of vendor complexity, it can be a huge blind spot that won't make itself known until an issue arises.
This means many commonly used and traditional models of VRM simply don’t work as intended. If a vendor suffers a data breach or some other accidental issue that prevents them from continuing to provide their services to your company, a traditional VRM model won’t have given you the information you need to facilitate a quick and coordinated response to address and remediate the risks to your organization resulting from the security breach at your vendor.
Key flaws with traditional VRM approaches:
- Manual reviews of vendors. It is not possible to cover often hundreds or thousands of vendors through an approach based on individual risk assessments and reviews.
- Manual chasing of suppliers. The same applies to the still too common practice of manually chasing suppliers individually. This way, more time is spent on gathering information than on actually reviewing and remediating identified risk factors.
- Annual security reviews. Because of the nature of point-in-time assessments, these security assessments will usually have to be repeated once a year for each supplier, turning all of the above points into continuous and open-ended problems for organizations.
- Rushing security assessments. Because it's a slow process, and businesses don't like it, there is a very real danger that the process is done in a rushed way, or even not at all.
- Misallocation of time and resources. Vendors spend all their time responding to requests rather than on security improvements (this is often overlooked).
- Traditional approaches don't work. Traditional approaches to VRM simply don't work. Breaches are almost as common and detrimental with them as they would be without them. Point-in-time assessments are also out of date by the time they are used.
- Inaccurate information. Vendors are incentivised by business logic and time and resource constraints to tell their clients what they want to hear. This means that traditional assessments are often faulty or incorrect. This could result in friction between organizations and their vendors, and in the worst case scenario, lead to confrontations and the breakdown of trust and business relations.
- No follow-up to assessments. With traditional approaches to VRM, it is also common that even if assessments are done in a proper and conscientious manner, there is no follow-up on the findings. Reports are created and end up gathering dust on some office shelf (or in an online folder) rather than being acted upon and mitigated. The only effective way for this to change is through enhanced client-vendor communications and relationships, and the understanding that risks can only be mitigated effectively through collaboration.
- Too reliant on individual judgements. Vendor risk assessments are often too dependent on individuals making the right judgment calls. This is very difficult to scale, not least because it requires specific security expertise.
Vendor Risk Management Best Practices
To effectively manage vendor risks, organizations should adopt a set of key principles and consider working with a vendor risk assessment framework and then leverage tactics, policies, processes, and technology that can help them carry out their VRM strategy.
As mentioned before, VRM should evolve from mere point-in-time assessments to a much more proactive approach focused on continuously monitoring vendors, as well as on enhanced and continuous communications with vendors, to ensure any risks are identified and addressed as soon as possible. As a priority, a successful VRM program should thus foster a collaborative relationship between organizations and their vendors. This allows both parties to work together to minimize risks and address vulnerabilities or issues in a timely manner, and it makes vendors comfortable knowing you're looking to work with them to improve their risk management posture, and thus both their own security and yours.
A few key tactics and strategies for improved VRM include:
- Prioritize visibility: Begin by compiling a comprehensive list of all current vendors and establish a process to stay aware of new or incoming vendors. This ensures that no vendor is overlooked, and it is a prerequisite for the rest of your VRM strategy.
- Implement ongoing monitoring capabilities: Use vendor risk management tools, processes, and technology to continuously monitor the security posture of vendors. This requires open communication with vendors and a systematic approach to tracking their performance and compliance. Specific tools and technologies can help organizations validate vendor claims, identify potential risks, and automate monitoring and remediation efforts.
- Define a response process for issues: In case of an attack, breach, unexpected downtime, or vendor availability issue, have a well-defined communication policy and response plan in place that includes your vendors as well. By ensuring your vendor communicates with you as soon as possible, you can react and put any contingency plans in place to reduce the risk of a security breach at your vendor also impacting your company.
How Can I Implement a VRM Strategy?
Implementing a VRM strategy requires a combination of internal buy-in, effective communication, and leveraging the right tools and technologies.
Getting internal buy-in for your VRM strategy
Effective VRM requires the input and expertise of various departments, such as legal, IT, human resources and procurement. By fostering cross-functional collaboration, companies can better understand their vendor risks and develop appropriate mitigation strategies. Enforcing your established processes and policies requires support and commitment from key stakeholders.
This requires specific communications that articulate the value of following your VRM strategy based on key department priorities and stakeholder responsibilities. Soft skills are important here, as well as trust and the confidence that your strategy will make positive impacts and not just be a hindrance to some departments. Use empathy to understand what your colleagues are trying to achieve and how you can support them with that. This will go a long way to making any VRM approach more effective.
Using Vendor Risk Management Software
Depending on what you use, VRM software and tools can automatically flag potential risks and automate vendor risk management processes, including some of the manual tasks an internal team would otherwise have to do, saving time and initiating the remediation process so recovery can happen faster.
Risk Ledger’s novel approach to VRM
Risk Ledger's approach to Vendor Risk Management emphasizes a collaborative way of assessing and mitigating risks associated with third-party vendors. Their platform enables organizations to securely share and manage risk data with their clients and customers while streamlining the risk assessment process. Risk Ledger is based on a social network model, which means that organizations and their vendors can communicate directly through the platform and address any remediation issues together. This collaborative approach saves time and resources, as organizations no longer need to repeatedly perform risk assessments on the same vendors.
Risk Ledger's vision is to create a global network where organizations can securely and efficiently manage vendor risks, fostering a more resilient and secure supply chain ecosystem by promoting collaboration between organizations based on Risk Ledger's new Defend-As-One methodology for VRM. This approach helps organizations leverage the collective knowledge and experience of others, resulting in a more comprehensive understanding of the risks involved in organizations' supply chains, including much further down the chain in 4th, 5th and 6th parties, and thus in improved decision-making. With this greatly enhanced collaboration and information sharing between organizations and their vendors, collective cybersecurity becomes possible, while risks and threats can be significantly reduced and more easily mitigated.
Risk Ledger can help companies with their vendor risk management solutions by providing a centralized platform for securely sharing risk data, automating risk assessments, and continuously monitoring vendor risks. Not only does the platform showcase the security posture of a company to their clients, it also reveals concentration risks in the wider supply chain ecosystem.
This allows organizations to uncover all their vendors (as well as their respective vendors) and effectively implement their VRM strategy without leaving behind any shadow vendors. By promoting collaboration and displaying real-time and continuously updated information, Risk Ledger helps organizations make more informed decisions and improve their overall security posture in an increasingly complex and dangerous cyber risk environment.
Frequently Asked Questions About Vendor Risk Management
What is vendor risk management and why is it important?
Vendor Risk Management (VRM) is a comprehensive approach to evaluating, monitoring, and mitigating potential risks a vendor may pose to an organization. It is essential for streamlining vendor-client relationships and maintaining a secure and compliant environment by helping organizations spot key risks, improve collaboration and communication, and enhance efficiencies.
What makes a vendor high risk?
A vendor is considered 'high risk' if both the likelihood of them suffering a cybersecurity incident is high and the potential impact of that incident on your organization is also high. This risk could emerge as a result of poor security practices, financial instability, lack of regulatory compliance, a history of data breaches or security incidents, inadequate quality controls, or poor communication and accountability.
What should be in a vendor risk assessment?
A vendor risk assessment should cover various aspects of the vendor's operations, security posture, and compliance. This includes:
• IT Operations
• Software Development
• Network and Cloud Security
• Supply Chain Management
• Human Resources Security
• Physical Security
• Data Protection
• Security Governance
• Security Certifications
• Business Resilience
• Financial Risk
• Environmental, Social and Governance (ESG).
For more information about Risk Ledger’s vendor risk management assessment framework, including the over 200 security controls against which vendors are assessed, see HERE.
The assessment should help organizations identify potential risks associated with the vendor and determine if they align with the organization's risk tolerance and compliance requirements.
What is the difference between a vendor and a third party?
While the terms "vendor" and "third party" are often used interchangeably, there are subtle differences. A vendor is a specific type of third party that provides goods or services to an organization. Vendors can include suppliers, manufacturers, and service providers. On the other hand, a third party refers to any external entity that has a relationship with the organization, including vendors, partners, consultants, and even customers.