Vendor Risk Management — Why Your Company Can’t Afford to Ignore It


If your company is like most organizations, you’re utilizing an ever-expanding network of vendors to support your business. These vendors likely perform a wide variety of functions on your company’s behalf — ranging from supplementing operations, to providing supplies, transporting goods, processing financial transactions, managing your website, servicing HVAC, and maybe even changing the paper towels in your restrooms.

While these arrangements undoubtedly augment your business capabilities, these partnerships could also be introducing risks to your company that you might not even be aware of — especially when the responsibility for managing those risks lies outside of your organization, with the vendors. In today’s volatile business environment, where breaches, data exposure, and regulatory non-compliance can land your company on the front page, how do you get your arms around such a complex issue?

If your company uses vendors, then you need to ask yourself the following questions:

Does your company already perform vendor management?

The first thing you need to figure out is whether or not your company already performs vendor management in some capacity. This work typically originates in a Procurement office, but it is not unusual for organizations to skip this work entirely — let alone do it comprehensively, in a manner that drives vendor risk remediation.

If your company already has a vendor management function, then you’re one step ahead. The next step for you should be to find out what information is being collected and how it is being used to control vendor risk. Rather than reinvent the wheel, it makes sense to partner with the internal group that leads this effort, so that you can influence the questions that are being asked and the information that is captured and analyzed to assess vendor risk.

If your company does not currently have a vendor management program in place, then the likelihood that your company has active, unmanaged exposure risks is extremely high. Vendor risk management needs to be treated as a first-class citizen within your organization, and it needs attention at the highest level.

Who are your key vendors?

Not all vendors are created equal in terms of their relative importance — and not all vendors will introduce the same level of potential risk to your organization. Companies that utilize a high volume of vendors can apply a common-sense framework to figure out which vendors are the most critical to their business, start focusing there, and move on to less critical vendors down the road. Questions that will help you identify key vendors include:

  1. Does the vendor have access to any sensitive and / or confidential organization or client data?
  2. Does your organization store or host sensitive client or organization data on the vendor’s systems?
  3. Does this vendor have access to your organization’s or your clients’ intellectual property or other data that could result in financial or reputational harm if stolen?
  4. If this vendor suffers a breach, will that require reporting obligations to your clients?
  5. Would a failure of this vendor’s processes cause your organization to activate its Business Continuity Plan or Disaster Recovery Plan?

What risks do you want to measure?

It’s difficult to capture information about vendor risk without first understanding what risks you want to assess. Once you know that, you will be able to ask the right questions when you perform vendor risk assessments.

Some of the many domains of vendor risk that could be assessed include [but are certainly not limited to] cybersecurity, legal, regulatory, and continuity. Well-defined, quantitatively measurable vendor evaluation and monitoring criteria are the key to understanding and actively managing vendor risk.

Do I have capacity to take this on?

If nobody owns vendor management in your organization, where does the responsibility fall?

Does your team have the required expertise — to say nothing of the capacity — to take this workload on?

If the answer to these questions is “no,” then you should explore augmenting your capabilities [through consultants, managed services, staff augmentation, etc.] to give this effort the serious attention that it deserves.

What tools should I use to make this easier?

Spreadsheets are useful, but tracking vendor risk information might require a more sophisticated approach. Selecting the right tool will provide you with not only better data management / analysis, but also help you to automate the data management process with vendors.

Another important factor to consider: how will your vendors exchange documentation securely with you to confirm the controls they have in place?

What do I do with the data?

Once you’ve gone through the painstaking effort to collect information from vendors about their level of risk, what do you do with all that data? The purpose of vendor management is not just to collect data to check a box — it has to be used to accomplish the desired objective of eliminating operational vulnerabilities introduced by your key vendor relationships.

Risk intelligence can also be used to make informed decisions about whether to work with specific vendors. In the case of critical vendors, your action plan should consider assisting the vendor in closing the risk gaps and performing periodic reviews to ensure continued compliance. For critical vendors, a partnership approach to compliance and remediation can offer far more benefits than the disruptive process of vendor replacement.

Getting a handle on your company’s vendor risks can be a daunting challenge, but it doesn’t have to be an insurmountable one. By following the approach outlined above, you can tackle this complex issue and reduce the operational risks that your company is exposed to through its key third-party relationships.

For more information or if you need assistance with your vendor risk management program, please contact us at