In the complex world of cyberspace, it is not possible to acquire all technical and operational knowledge within an organisation. We are heavily dependent on external suppliers and vendors to deliver on business objectives. Third-party vendors are extensions of the organisation. Therefore, it is critical to manage vendors effectively and align your organisation’s vendor inventory with your corporate business strategy.
Rabbon recommends establishing a Vendor Risk Management Program (VRMP).
A VRMP will help you with the following:
- vendor selection
- vendor due-diligence
- vendor’s internal security practices and assurances
- vendor on-boarding
- contract renewals
- ongoing monitoring and performance evaluations
- vendor termination
What is a Vendor Risk Management Program (VRMP)?
A VRMP is a formal set of processes, procedures and practices that help organisations evaluate, manage, and monitor the risks associated with the solutions and services provided by third-party vendors. VRMP identifies and mitigates business uncertainties, such as business disruption or continuity, legal liabilities, and possible financial and reputational damage.
A strong VRMP should:
- reflect your organisation’s internal controls framework
- include effective controls for business continuity management
- allow you to continuously monitor vendor performance
- allow you to consistently manage and share information about your vendors with a variety of stakeholders
- align with industry standards like ISO 27001, NIST, ISO 28000.
How to build an effective Vendor Risk Management Program (VRMP)?
Step 1: Identifying your vendors
A vendor catalogue is a list of all approved vendors that your organization wants to manage. Developing such an inventory is critical, as you will require comprehensive visibility over your vendors, the service or solution they provide, and the type of data they are allowed to access.
Vendor relationships may include business partners, service providers, joint ventures, distribution channels, outside counsel, utilities, physical security, and many others. Identifying vendors typically involves:
- reviewing existing inventories and contracts
- analyzing accounts payable
- conducting meetings with various stakeholders
Once you have a complete picture of your vendor landscape, you can begin classifying vendors based on the potential risk they may pose to your organisation.
Step 2: Assessing Risks associated with the vendors
After identifying vendors, the next step is to classify them into risk tiers (high, medium, low). You can choose any classification scheme that is aligned with industry standards or compliance requirements, but apply it consistently. Vendors are classified by how much potential risk they pose to the organisation. Vendor risk managers can send business unit owners an initial risk assessment questionnaire, which can be used as a starting point for evaluating and classifying vendors. Classifying vendors is your opportunity to do a preliminary rating, and you can use this rating to decide what level and frequency of due diligence each vendor needs.
Step 3: Set up your VRMP
Working with a large number of vendors means that limited resources must be spread across assessing each vendor’s potential risk. It is advisable to focus your due diligence efforts on the vendors that pose the highest risk to your organisation. These are typically vendors that may expose your organization to regulatory penalties, financial losses, fines, or reputational damage. Therefore, it is critical to develop a policy governing the prioritisation of vendor assessments.
Use an IT GRC solution for managing vendor assessments
You can use our IT GRC solution to centralize your process and risk documentation about a specific vendor. Vendor risk managers, business unit owners, and vendors can use the assessment to interact with one another throughout the vendor management lifecycle. These interactions usually include:
- requesting or providing evidence and documentation
- assigning or following up on actions as part of the issue remediation process
Define vendor management processes
Processes form the basis of a compliance assessment. They are also the organizing containers for the work done in a compliance assessment. A strong VRMP includes well-defined processes that state:
- the subject matter under examination
- how performance will be assessed
- who owns each process
Define risks, requirements, and checklist items
By defining risks, vendor risk managers can identify and prioritize the areas of uncertainty that an organization faces, and align risks with a specific set of requirements. In addition to defining risks and requirements, they can also specify corresponding due diligence checklist items or vendor assessment questionnaires. This helps vendor risk managers analyze a vendor and ensure that the vendor meets the organisation’s requirements.
Contact Rabbon if you need further advice on the Vendor Risk Management Program. You can start your vendor assessment by using our DIY tool kit.
You can download our tool kit from here.
Cybersecurity is what we do
Rabbon is a Cybersecurity company with offices in Sydney and Melbourne. We lead a team of Cyber Security Consultants and GRC Consultants who help organisations become cyber resilient by providing access to effective and affordable cybersecurity services. We believe that “Cybersecurity is for everyone”.
You can contact our Cyber Security Consultants for an obligation-free consultation.
Phone: +61 2 80513207
Email: [email protected]