TechTarget.com/searchcio

https://www.techtarget.com/searchcio/feature/What-is-vendor-risk-management-VRM-A-guide-for-businesses

What is vendor risk management (VRM)? A guide for businesses

By Sean Michael Kerner

Every organization relies on third-party vendors for services, technology or other components. But with each added vendor, an organization's supply chain faces an expanded attack surface and increased risk. In fact, any risk within a third-party vendor potentially extends to all its associated organizations, expanding the risk's scope and impact. Enter vendor risk management (VRM).

What is vendor risk management?

VRM is the process of identifying, assessing, mitigating and monitoring risks from third-party vendors or suppliers that provide technology or services to an organization. VRM is important throughout the vendor management lifecycle, from selecting and onboarding a vendor through day-to-day operations to offboarding when that relationship ends.

VRM protects organizations from disruptions tied to vendor relationships, including data breaches, ransomware attacks and compliance violations.

VRM addresses cybersecurity risks, as evidenced in numerous recent supply chain data breaches, particularly the SolarWinds hack of 2020. In that high-profile cyber attack, hackers infiltrated and severely compromised SolarWinds' Orion IT monitoring and management platform, some of its data and many of the platform's users.

Why is vendor risk management important?

No modern business works in isolation. Every organization relies on vendors to operate, which explains vendor risk management's increasingly foundational role in company operations.

These aspects highlight VRM's critical business importance:

• Data breach defense. Without proper VRM policies in place, third-party services are more susceptible to data breaches. VRM details third-party risk exposure, mitigating data breach risk.
• Business continuity. VRM evaluates operational resilience of critical business processes, which supports business continuity.
• Supply chain visibility. VRM identifies not just third-party risks but also fourth-party risks – vendors' vendors – providing visibility into an organization's extended supply chain.
• Regulatory compliance. Understanding and managing third-party risk is part of numerous regulations, including the Sarbanes-Oxley Act, Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA).
• Business reputation. Third-party vendors negatively affect an organization's reputation through poor security practices, mishandling of sensitive data or failing to meet service standards. VRM pinpoints vendors with possible reputational risks before incidents occur.
• Clear accountability. VRM ensures that accountability for both the company and the vendor is clearly understood, minimizing confusion about responsibilities when issues arise.
• Supplier quality. Regular assessments and continuous monitoring aid vendors in maintaining high standards throughout the relationship, improving everyone's service quality.

Common types of vendor risks

Organizations face various risks when engaging with third-party vendors. Understanding these different risk categories is essential for developing a VRM strategy. Among the common types of vendor risks are:

Cybersecurity risk

Cybersecurity risk refers to the impact of a cyber attack against a vendor. This increasingly critical risk category encompasses performance degradation or loss of important information from data breaches. The impact varies by industry, with healthcare and financial sectors facing particularly severe consequences from even minor breaches.

Why it's important to assess. Third-party vendors with poor security practices pose a huge risk – regardless of an organization's internal security controls. For example, a threat actor exploiting a vendor's weak cybersecurity eventually accesses an organization's sensitive data, making the third-party vendor's security risks the associated organization's security risks.

Operational Risk

Operational risk involves disruptions to an organization's workflow caused by partial or complete halts in vendor services. These disruptions typically arise from issues within the vendor's internal processes, staff turnover or drops in service quality.

Why it's important to assess. A vendor's operational failures directly impact an associated organization's ability to serve its customers, meet deadlines and maintain quality standards. Assessing operational risks ensures vendors meet required service levels and have their own business continuity measures in place.

Financial risk

Financial risks emerge when vendors cannot perform as stated in a contract, when they face insolvency issues or if they suddenly go out of business.

Why it's important to assess. Before entering into a business agreement, organizations need to be fully aware of a vendor's history – financial and otherwise. A third-party vendor's financial instability often precedes increased costs, lost revenue, service disruptions and even sudden termination of critical services.

Reputational risk

Reputational risk involves damage to an organization's public image resulting from a vendor's actions or failures.

A vendor's actions and public perception sometimes directly affect an organization's reputation. Negative publicity surrounding a key vendor – from poor business practices, ethical lapses or security incidents – damages an organization's brand by association.

Why it's important to assess. Reputation impacts business success. Third-party vendors harm a company's reputation through careless handling of sensitive data, interactions that don't meet that company's standards or their own public scandals. Any vendor security breach that exposes customer data often causes lasting reputational damage to an associated organization, even if the fault lies entirely with the vendor.

Regulatory and compliance risk

These risks arise when vendors fail to meet regulatory requirements that extend to an organization through their relationship. Different industries have specific compliance requirements applying to vendors handling certain types of data or providing particular services. For instance, healthcare providers must ensure their vendors comply with HIPAA regulations when handling patient information.

Why it's important to assess. If a vendor is breached and loses personally identifiable information, such as a customer's social security numbers or healthcare records, the law clearly states the organization is responsible, not its vendor. Depending on the industry, noncompliance with regulations such as the General Data Protection Regulation, HIPAA or PCI DSS leads to significant fines and legal actions.

How to conduct a vendor risk assessment

A structured approach to vendor risk assessment ensures a comprehensive evaluation of potential risks. Here's a step-by-step process to follow:

• Assemble internal stakeholders. Gather a cross-functional team representing multiple roles with different priorities. This team will plan and guide the assessment program, ensuring organizational adoption and long-term success.
• Define acceptable levels of risk. Before assessing potential vendors, define the organization's risk appetite. This makes the vendor selection process more efficient, identifying vendors that won't meet the required risk tolerance. It also clarifies which controls to require from vendors before working with them.
• Build the vendor risk assessment process. Proceed with clear controls and requirements. Start with an internal profiling assessment; categorize vendors based on factors including importance to the supply chain and access to sensitive data. This categorization determines the type, scope and frequency of assessment for each vendor group.
• Send vendor risk assessment questionnaires. Different types of questionnaires can be sent. Industry-standard questionnaires – Standardized Information Gathering (SIG), for example—can be used to gather vendor information. A customized questionnaire is also available, depending on the organization's needs. Consider employing frameworks such as the NIST Cybersecurity Framework when designing questionnaires to ensure they reflect industry best practices.
• Employ continuous risk monitoring. VRM is not a point-in-time exercise. Continuous monitoring is essential to identify cyber, business and reputational risks that arise between periodic assessments. This monitoring also verifies that vendor assessment responses align with real-world security practices.
• Categorize and remediate risks. Risks identified either during regular assessment or through continuous monitoring must be categorized as either acceptable or unacceptable. For unacceptable risks, organizations work with vendors on remediation or, if the issue can't be resolved, terminate the relationship.
• Establish clear reporting expectations. Reporting must include standard metrics that summarize the primary elements of vendor risk portfolios. Ensure reports are easily understood by all stakeholders and include information that properly details risks.

Challenges with vendor risk management

Developing and maintaining a vendor risk management practice is no easy task. The following are some common VRM challenges:

• Getting stakeholder buy-in. Convincing executives and stakeholders of VRM's importance is difficult, especially without visible ROI.
• Identifying vendors. Some large organizations don't have a centralized location to manage all vendors. Understanding what's in use and who is using it on a day-to-day basis is a complex task.
• Assessing risks. Accurate risk assessments require expertise and resources. Manual input on spreadsheets is time-consuming and prone to human error.
• Managing the volume. Even a small organization often has many vendors. Handling multiple assessments sometimes overwhelms teams, especially those with limited resources.
• Dealing with uncooperative vendors. Some vendors do not provide complete or timely information, adding to assessment difficulties.
• Keeping up with regulations. Changing laws and standards – and remaining current with them – adds further complexity.
• Evolving threat landscape. The constantly changing nature of security threats and vulnerabilities requires continuous updating of assessment criteria and controls.
• Allocating resources. Securing sufficient budget and personnel for VRM activities is another hurdle.

Four keys to a successful VRM strategy

Consider these four essential elements to build and maintain a successful VRM strategy:

1. Define a clear VRM policy. Develop formal documentation outlining the organization's approach to vendor risk, including risk tolerance levels, assessment methodologies and governance structure.

2. Employ vendor tiering and segmentation. Not every vendor has the same effect. With hundreds – sometimes thousands – of third parties, it's not possible – nor prudent – to apply the same level of scrutiny to each vendor. Create a tiering system that lets the security team invest significantly more resources in higher-risk relationships while maintaining baseline monitoring of all.

3. Embed VRM throughout the vendor lifecycle. Integrate risk management at every stage of the vendor relationship. This includes the following:

• During sourcing and selection, identify and shortlist low-risk vendors.
• During onboarding, as due diligence before granting access to systems.
• Periodically, to check service-level agreements and evaluate contract adherence.
• During offboarding, ensure that system access is terminated and data is protected.

4. Develop contingency plans. Prepare for vendor disruptions. Create documented response plans for critical vendors, including alternate suppliers and operational workarounds.

Vendor risk management tools, frameworks and resources

Several established frameworks and tools exist to help organizations develop and enhance their VRM capabilities. The following chart provides an overview of some available resources:

Category	Resource	Description	Best Used For	Link
Standardized Questionnaires	SIG	Industry-standard questionnaire, with a" SIG Lite" option for less complex assessments	Broad security control assessment across multiple domains	Shared Assessments SIG
	Consensus Assessment Initiative Questionnaire (CAIQ)	Cloud Security Alliance questionnaire focused on cloud security controls	Cloud service provider assessments	CSA CAIQ
	Vendor Security Alliance Questionnaire (VSAQ)	Cybersecurity-focused questionnaire created by leading tech companies	Cybersecurity posture evaluation	Vendor Security Alliance
Vendor Assessment Frameworks	NIST Cybersecurity Framework	Five core functions: identify, protect, detect, respond, recover	Comprehensive cybersecurity program assessment	NIST CSF
	ISO 27001	International standard for information security management systems	Systematic information security program evaluation	ISO 27001
	COBIT	ISACA framework for IT governance and management	IT control environment assessment	COBIT Framework
VRM Technology Solutions	GRC Platforms	Integrated options for governance, risk and compliance management	Enterprise-wide risk management programs	Gartner GRC Tools Guide
	Security Rating Services	Independent security posture assessments	Objective security performance metrics	BitSight / Security Scorecard

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.