How To Perform A Vendor Risk Assessment

Knowing who your vendors are, how they manage their risks and the impact it could have on your company is a crucial piece of your InfoSec program. It’s also a requirement for SOC 2, ISO 27001, HIPAA and more!

At Tugboat Logic, we’ve set out to simplify how you manage IT risk, audits and compliance, including tackling the dreaded Vendor Risk Assessment (VRA). However, we believe that safer data benefits everyone. So we put together this handy Vendor Risk Assessment guide for anyone who wants to perform VRAs solo.


What Is a Vendor Risk Assessment?

Vendor Risk Assessment, or a vendor risk review, is the process of identifying the risks to your organization that arise from a vendor’s operations and products. You evaluate the potential risks or hazards associated with the vendor and their inherent impact on your organization.

Performing VRAs helps you select partners aligned with your security and compliance values.

Risks may include:

  • The dependability of operational, customer and financial information
  • Legal and regulatory compliance
  • Security breaches and operational effectiveness

Conducting vendor risk assessments can be complicated. However, failing to complete VRAs often results in reputational damage, lost business, legal fees and fines.

Suppose one of your vendors fails to comply with regulations like data privacy or security standards. In that case, your company faces the consequences, too. 


Types of Vendor Risk: Inherent and Residual

During your risk assessment, you identify lots of uncertainties. They fall into two kinds of risk.

First, there’s inherent risk. That’s the amount of risk that exists in the absence of controls. What are the chances of something happening, and how bad would it be? These two questions are otherwise known as likelihood and impact.

Then there are residual risks. That’s the risk that remains after you apply controls. 

For example, when you drive, you accept the inherent risk of a car accident. Even if you do everything right, that possibility remains. But to reduce the risk of injury, you wear a seatbelt. This mitigates the risk and reduces your exposure.

Inherent and residual risks exist everywhere and InfoSec is no exception. Businesses need to accept some level of risk to operate. Your customer’s expectations and your management team’s risk tolerance will influence your acceptable risk levels. 


Which Vendors Need to Be Assessed? 

A small organization may have a dozen or so vendors. But larger, more established companies may have hundreds or thousands! So how do you identify vendors for assessment when the quantities become unmanageable for your team? Sadly, it’s a bit of a grey area. It boils down to cost and risk levels. For example, the vendor that provides your computer hardware is likely a lesser threat than the company that disposes of your hardware devices. So if time and resources are limited, assess the disposal company and don’t worry about the hardware supplier.

When you kick off your vendor risk assessment program, it’s important to create and incorporate a detailed pre-contract due diligence process. While you onboard new vendors, send over a VRA template asking the right questions right off the bat. It’ll save you time and expenses. 

You’ll also need to monitor and reassess vendors regularly (more on that later). The digital threat landscape is constantly changing, after all. Adding this step to your business-as-usual practice helps mitigate identified risks, build trust and create productive relationships.


Steps of a Vendor Risk Assessment Procedure

Completing a DIY vendor risk assessment involves multiple steps, lots of coordination and a bit of patience. But it’s possible! 

  1. Build a vendor risk assessment template. Spreadsheets are a great way to collect this information and keep it organized.
  2. Create an internal folder that stores all your vendor docs in one place. 
  3. Send vendors your custom vendor assessment questionnaire via email. 
  4. Keep everything on track and set deadlines for responses from vendors. Stay on top of them!
  5. Review responses and assess vendor risk and compliance.
  6. Update existing spreadsheets or add all the files to the internal folder. You’ll want to be able to compare answers from previous years easily.
  7. Collect responses as evidence for your audits.
  8. This is important. Set a reminder in your calendar! Leave plenty of time to plan for reassessment.


Questions to Ask During a Vendor Risk Assessment Program

When it comes to the security of your organization and the clients you serve, it pays to be nosy!

Questions like:

  • Is there a succession plan in place for the CEO and other high-level managers? 
  • Are their technology and security systems up-to-date? How often is that done? Are they compliant with applicable laws, regulations and standards? 
  • Do they have their own vendor risk management program? Who’s the main contact for their VRM program?
  • If a breach or incident occurs, how will they communicate with clients?

The possibilities are endless! If it matters to you, ask.

There are plenty of ready-to-go templates online to get you started. But it’s important to ask yourself how your VRA initiatives integrate with the other businesses you work with. So make sure you customize the questions to align with your security posture.

Take the recent Kaseya ransomware attack.

A Bloomberg report states, “Throughout Kaseya’s products, there were multiple violations of basic cybersecurity practices that would make a hacker’s job easy.” And the company that reviewed the software after the breach recognized “severe and exploitable vulnerabilities” in only a few hours of research.

Asking questions like the examples above and reassessing vendors frequently is just smart business. Kaseya users who completed VRAs may have lessened the impact of this breach on their own business. VRAs help you conduct your due diligence and build trust and accountability for the parties involved.

But the reality is, it’s challenging to stay on top of assessing all new vendors and reassessing existing vendors annually to meet your audit requirements.


Vendor Risk Reassessment Programs

A number of InfoSec frameworks require vendor reassessment every year. But your company can reassess quarterly, semi-annually or annually. It just depends on the risk of the vendor and your company’s risk appetite, tolerance and acceptance level.

It’s common for auditors and clients to see changes in reassessment answers year over year. As companies grow, so does their risk level. Document and compare answers every time so that you can see the complete picture.


3 Tips to Accelerate Vendor Risk Assessment Programs

If you spend all your time accounting for risks and checking the status of your controls, it’ll be an uphill battle. So if you want to improve your security posture, make sure you:

  • Standardize the risk process across your organization
  • Monitor risks and recognize whether your controls are operating at any given point in time
  • Strengthen your InfoSec program

If you have the internal resources to standardize, monitor and mature your processes and controls to strengthen your InfoSec program, more power to you! That’s a lot to take on—but you’ve got this! And we really hope that this blog has helped you.

But it’s not unusual to find your hands tied. Maybe there’s a lack of knowledge, staffing, funds, or all three. That’s often when organizations look for assistance from online templates, consultants or software. There are plenty of options out there. Don’t be afraid to shop around.


Tugboat Logic and Vendor Risk Assessment Programs

We believe that risk is at the core of every InfoSec program. The policies we create and the frameworks we comply with ultimately reduce our company’s risk. And by extension, the risk our customers and vendors face. 

Once a business relationship is established, it’s usually a long-term thing. So year after year, you’ll be conducting vendor risk assessments on the same organizations. It may seem repetitive but as technology evolves, so do unforeseen gaps and cyberthreats. With Tugboat Logic, you can quickly assess your vendors whenever you need with just a few clicks. And with annual, semi-annual, quarterly and monthly reminder options, you’ll remain continuously compliant. 

We’re here to help you with all your risk assessment needs. So if you have any questions or are interested in a free trial, contact us today.