You don’t need to be risk-averse when assessing vendor relationships. Just as when you buy a house, you want to do your due diligence to make sure that working with a particular organization is the right decision. The better the research, the lower the risk. Otherwise, when something unexpected happens, it’s back to the drawing board.
Here is a five-step Vendor Risk Management process to help you make the most effective decisions. These aren’t one-time tasks to be forgotten once a relationship has started. The relationship must be continuously monitored, in the form of a recurring Vendor Risk Assessment, or the reasoning behind those early decisions will get buried under new corporate policies and new vendor services, exposing you to risks nobody evaluated.
1) Maintain a List of Vendors, Their Services, and the Data They Handle
If you don’t know who your current vendors are and what they do for you, it is impossible to perform vendor risk assessments properly. Before considering any new vendor, get management involved and list every existing vendor relationship, along with every SKU, or more precisely every line item of service, you can acquire from each of them. Along with a description of what each vendor does, you need to identify what data they work with, what would happen if that data were exposed, and how you would respond if that happened. Capture this same information for every new vendor before work begins.
Working with a new vendor involves some risk and requires some work to minimize it. When an existing vendor relationship expands, the same information is required for any new data the vendor will touch. Some vendors do not understand the obligations that come with protected health information covered by HIPAA (the Health Insurance Portability and Accountability Act). Processing Personally Identifiable Information (PII) or cardholder data covered by the Payment Card Industry Data Security Standard (PCI DSS) carries hard requirements of its own. If a vendor is not prepared to deal with the additional complexity of handling protected data, that is exactly what the Vendor Risk Assessment is meant to reveal. It is far better to identify these issues up front than after spending months on a project that cannot be safely completed.
2) Question the Internal Group That Would Be Working with the Vendor
When a company works with a vendor, it is the responsibility of the company’s IT staff to conduct the Vendor Risk Assessment. You’ll need to identify what data the vendor needs to process and what safeguards must be in place before the vendor can gain access to privileged data. Are there contractual requirements for the vendor, such as insurance, or is the exercise just identifying the resources and risks involved in managing the data? Are there known security requirements? If encryption is involved, who holds and manages the encryption keys? Will the vendor be collecting data itself, or only processing the data you provide? Always think about the risk involved whenever company data is shared with a third party.
3) Question the Vendor’s Policies and Procedures
You should have a questionnaire that helps you assess the inherent risk of working with a vendor through their self-assessment. Identify the most significant areas of risk for your business and tailor the questions to those areas. For best results, limit the questions to multiple choice, a 1 to 5 scale, or Yes / No / Partially / N/A. Keep the questionnaire simple and don’t expect lengthy essay answers to be completed at all, unless of course the vendor will be providing ad copy, technical documentation, or other written work product. Ask for verification where appropriate, such as copies of professional licenses and certifications. You might maintain separate questionnaires based on the level of access the vendor requires.
4) Visit the Potential Vendor’s Office Location
For the next step of your Vendor Risk Assessment, perform an on-site audit of the vendor’s business to confirm that reality matches the questionnaire answers. What you need to look for depends on the type of work to be done and the consequences of its exposure. If the vendor provides accounting services, how well do they protect the information you send them to process? Watch for red flags and get a feel for their company culture, too. Are there regulatory issues you need to check for? Just because your organization knows the required standards and processes (ANSI or otherwise) inside and out doesn’t mean everyone does.
5) Review Results
The results of the Risk Assessment should be reviewed, both internally and with the vendor, to ensure everyone agrees on how things should move forward. For items where the vendor answered “Partially” on the questionnaire, are they willing and able to close the gap? Any training requirements should be documented. Are there subcontractors or third-party services involved that need to be reviewed separately? If the internal discussion results in a decision not to work with this particular vendor, you have the option of telling them why. Sometimes the two organizations are simply too far apart, and it is obvious to both that the partnership wouldn’t work. When comparing the questionnaire results with what you saw during the site visit, ask for clarification on any discrepancy; there may be a reasonable explanation. If areas of concern remain, that’s okay. You have to determine the best way to reduce that risk, and you typically cannot be 100% risk-free. Ideally the assessment shows that the relationship can move forward with the identified issues addressed.
As part of your Risk Management Program, in addition to reviewing results with internal and external personnel, the vendor questionnaire itself should be checked periodically to capture what you have learned and update it accordingly. When it comes time to assess the next vendor, the questionnaire should be ready to put into action.
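The five steps above are easier to run consistently if the vendor inventory (step 1), the questionnaire answers (step 3) and the items to confirm on-site and in the results review (steps 4 and 5) live in one structured record. The following is an added example, not part of the original article and not any particular product’s scoring model: it keeps a small inventory, scores the Yes / No / Partially / N/A answers into a control gap, flags required questions a vendor skipped for the data class it handles, and ranks vendors by residual risk. The data-sensitivity weights, question names and sample vendors are constructed assumptions for illustration; tune them to your own risk areas.

```python
"""Vendor inventory and questionnaire scoring (added example, constructed data)."""
from dataclasses import dataclass, field

# Assumed sensitivity weights per data class (1 = lowest, 5 = highest).
DATA_WEIGHTS = {"PHI": 5, "PCI": 5, "PII": 3, "INTERNAL": 2, "PUBLIC": 1}
# Questionnaire scale: 0.0 = control fully met, 1.0 = not met; N/A is excluded.
ANSWER_SCORE = {"Yes": 0.0, "Partially": 0.5, "No": 1.0, "N/A": None}
# Assumed questions that must be answered (not N/A) when a vendor handles a data class.
REQUIRED_BY_DATA = {
    "PHI": ["baa_signed", "encryption_at_rest"],
    "PCI": ["pci_aoc_provided", "encryption_at_rest"],
    "PII": ["encryption_at_rest"],
}


@dataclass
class Vendor:
    name: str
    services: list[str]          # line items you can acquire from this vendor
    data_types: list[str]        # data classes the vendor touches
    answers: dict[str, str] = field(default_factory=dict)  # question -> scale answer


def inherent_risk(vendor: Vendor) -> int:
    """Inherent risk is driven by the most sensitive data class the vendor touches."""
    return max((DATA_WEIGHTS[d] for d in vendor.data_types), default=1)


def control_gap(vendor: Vendor) -> float:
    """Fraction of applicable controls not fully met: 0.0 = all Yes, 1.0 = all No."""
    scored = []
    for question, answer in vendor.answers.items():
        if answer not in ANSWER_SCORE:
            raise ValueError(f"{vendor.name}: {question!r} has non-scale answer {answer!r}")
        if ANSWER_SCORE[answer] is not None:
            scored.append(ANSWER_SCORE[answer])
    # No scored answers at all means nothing has been verified: assume the worst.
    return sum(scored) / len(scored) if scored else 1.0


def missing_required(vendor: Vendor) -> list[str]:
    """Required questions the vendor skipped or marked N/A for data it actually handles."""
    missing = set()
    for data_class in vendor.data_types:
        for question in REQUIRED_BY_DATA.get(data_class, []):
            if vendor.answers.get(question, "N/A") == "N/A":
                missing.add(question)
    return sorted(missing)


def follow_ups(vendor: Vendor) -> list[str]:
    """'Partially' and 'No' answers to confirm on-site and settle in the results review."""
    return sorted(q for q, a in vendor.answers.items() if a in ("Partially", "No"))


def residual_risk(vendor: Vendor) -> float:
    """Inherent risk scaled by the control gap; a skipped required control counts as a full gap."""
    gap = 1.0 if missing_required(vendor) else control_gap(vendor)
    return round(inherent_risk(vendor) * gap, 2)


def rank(vendors: list[Vendor]) -> list[Vendor]:
    """Highest residual risk first, so review time goes where it matters."""
    return sorted(vendors, key=residual_risk, reverse=True)


# Constructed sample inventory (fictional vendors).
BILLING = Vendor("Acme Billing", ["claims processing"], ["PHI", "PII"], {
    "baa_signed": "Yes",
    "encryption_at_rest": "Partially",
    "mfa_for_admins": "Partially",
    "incident_notification_72h": "Yes",
})
PRINTER = Vendor("PrintCo", ["marketing print"], ["PUBLIC"], {"mfa_for_admins": "No"})
# Handles cardholder data but never answered the PCI attestation question.
PAYMENTS = Vendor("PayGate", ["card processing"], ["PCI"], {
    "encryption_at_rest": "Yes",
    "mfa_for_admins": "Yes",
})

if __name__ == "__main__":
    for v in rank([BILLING, PRINTER, PAYMENTS]):
        print(f"{v.name:14} inherent={inherent_risk(v)} residual={residual_risk(v):<5} "
              f"missing={missing_required(v)} follow_ups={follow_ups(v)}")
```

Two design points worth noting: a vendor that handles protected data but skipped a required question is treated as a full gap rather than averaged away by its other answers, which is how a low-risk-looking questionnaire with one conveniently blank line gets surfaced; and unanswered questionnaires score as a full gap rather than zero, so a vendor you have not yet assessed never ranks as safe by default.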