Vendor Risk Management (VRM) Definition
Vendor risk management (VRM) is the practice of evaluating the risk postures of business partners, suppliers, or third-party vendors both before a business relationship is established and for the duration of your business contract. This includes the entire vendor life-cycle management process, even off-boarding. This is an important concept and practice to put in place during the evaluation of your vendors and the vendor selection process.
Mitigating vendor risk when managing vendor relationships is essential for businesses. Disruption to business continuity, financial impacts, and damage to reputation can all be avoided with proper practice and diligence.
What to Include in Your Vendor Risk Management Strategy
Your vendor risk management strategy should include a contract that outlines the relationship that will exist between your business and the vendor. Because of the increasingly interconnected nature of global supply chains and flow of data, there should be clear guidelines. Any organization should know what data is being processed and who has access and control of sensitive information.
A key, yet often overlooked, feature of vendor risk management is understanding your vendor’s cybersecurity program. This allows you to understand how well they’re going to be able to secure your data, both from a physical and cybersecurity perspective. Using a utility company an example, a vendor processing HR data with an unsecured port can be just as dangerous as a another vendor leaving a door unlocked at a power substation.
The vendor must also agree to and comply with any regulations that pertain to your industry or government. Finally, to ensure that all these contract requirements are met, vendor performance must be monitored on a continuous basis and proactively addressed.
Need a place to start with your vendor cyber risk management program? Get a cyber security risk assessment template.
Vendor Risk Management: Addressing Vendor Risks
Below is an outline of the many overall risks vendors and third parties can bring to your enterprise:
Third-Party Legal Risk
There are many legal risks associated with sharing sensitive information with third parties. For instance, if your vendor is breached and you lose your customers’ personally identifiable information (PII) like social security numbers or health care records, the law clearly states that you are responsible — not your vendor. Or, if you fail to spell out security expectations in your vendor contract, you may have no legal recourse whatsoever if your vendor compromises your data.
Third-Party Reputational Risk
So much of third-party vendor risk management is based on reputation. Be sure to ask a lot of questions at the beginning of the vendor procurement process so that you can weed out the businesses you’d rather not work with. In addition, you should also monitor news feeds during the procurement process. After all, you would want to know if a business associate has been hit with a lawsuit during the time you were engaged with them and how that could affect the performance of their contract with you. And don’t forget about the reputational harm that could affect your company if your customers’ sensitive information is stolen due to an insecure vendor.
Third-Party Financial Risk
Before entering into a business agreement, it is important to be fully aware of a vendor’s financial history and past performances. Companies often conduct credit monitoring to determine this information, as well as ask for references from other organizations that have done business with the vendor. This ensures that a company is fully informed about the vendor's proposed plan before signing a contract.
Third-Party Cyber Risk
Of the various risks a vendor poses, there are some things you need periodic updates on, which are relevant only at certain points of a business relationship. If you’ve established a vendor’s credit worthiness at the beginning of the process, for example, you’ll likely feel quite comfortable about their financial standing during the rest of the process. This is a good example of how some elements of vendor risk management do not require continuous security monitoring.
Cyber risk is not quite as simple.
Cyber risk is unique in that things can happen on a moment's notice which could catastrophically damage your organization. You simply cannot rely on periodic or infrequent snapshots, cyber security audits, and vendor assessments of cyber health to understand current and potential vendor risk. The thing that makes cybersecurity “special” is that it can pose functional, financial, reputational, and legal risks.
It’s important to understand that cyber risk management doesn’t end when your vendor signs a contract. Managing third-party cyber risk requires persistent vendor monitoring and awareness. Using tools like security ratings, or a vendor risk management tool, can update your team as to how that third-party’s security program is performing.
And this vendor risk doesn't stop at your contracted third-parties. Depending on the type of data or level of access a vendor has, you may also be at risk from their vendors. This is why an organization must have an idea of where cyber risk lies in the entire vendor ecosystem. Fourth-party risk management is the practice of assessing and managing the cyber risk presented by your vendors' vendors and is something that should be considered in your overall vendor risk management process.
You and your team have to know at all times whether they are accessing your network in an unauthorized manner, or if your most important data could be jeopardized by their actions. Any slip-up or incident may have a catastrophic impact on your business (and lead to some pretty embarrassing headlines).
Get the Weekly Cybersecurity Newsletter
Vendor Risk Assessment: Consider This
Some losses from “traditional risks” can be easily and quickly recuperated. For example, if a food and beverage vendor doesn’t show up one day to cater a meeting, you’re only dealing with a limited amount of loss and little risk exposure for anything else. Or, if a vendor doesn’t complete a project to your expectations, there are reasonable steps you can take to remedy the situation without dramatically impacting the bottom line.
Cybersecurity risks are not as easily dealt with or remediated. If someone hacks into your corporate network through a vendor and steals your most precious data, the outcome could be catastrophic. Your reputation can be damaged irrevocably, financial losses can be huge, and legal liability may be hard to transfer to your vendor.
This is why vendor risk management, third-party risk management — and especially IT risk vendor management — is not something to be taken lightly. All angles and IT security risks must be examined with every vendor, both large and small, and, where appropriate, reported to the Board for effective vendor risk assessment oversight.