The First Step in Vendor Compliance Management: Risk Assessments

by Sarah Harvey / August 21st, 2018

If your organization relies on a third-party vendor for part of its business process, whether billing, customer service, data processing, or something else, the risks that come with that relationship can be serious enough to put you out of business. Establishing a formal risk assessment process is how an organization performs its due diligence on those vendors, and it lays the foundation for effective vendor compliance management. Where do you start? Begin by identifying the types of risk each vendor poses to your enterprise. By vetting vendors properly and keeping a formal, documented risk assessment in place, you can identify the most significant threats to your organization and reduce them to a level you are willing to accept. Let's look at what a formal risk assessment is and at the most notable risks your vendors could pose to your security posture.

What is a Formal Risk Assessment?

A gap analysis compares the controls you have in place against the controls you are trying to attest to, so that you can remediate the gaps it finds. A risk assessment goes a step further: it identifies, assesses, and prioritizes organizational risk. For each threat to an asset, a risk assessment estimates how likely it is to occur and how severe the impact would be if it did, and then weighs your current security controls to determine whether they are an effective defense against that threat. Without a risk assessment, an organization can be left unaware of where its critical assets live and what the risks to those assets are. This is why most information security frameworks require a formally documented risk assessment that is reviewed at least annually, and why we suggest that a risk assessment should be your first step in implementing an effective vendor compliance management system. When it comes to vendors, think of it this way: a formal risk assessment lets your organization be proactive rather than reactive. It gives you the chance to address the potential adverse impact of a vendor failure or compromise before it happens, rather than absorbing the operational, financial, or reputational loss afterward.

Types of Third-Party Vendor Risk

Without a vendor compliance management system in place, an organization is far more likely to suffer a loss it never saw coming. Understanding the types of risk your vendors carry is therefore critical to maintaining a strong security posture, avoiding fines and penalties, and safeguarding your business's reputation. Conducting a risk assessment demonstrates that your organization has performed its due diligence and is committed to upholding a strong security posture.

  1. Operational Risk: Organizations that enter into contracts with third-party vendors typically do so to fulfill a business need or because the vendor excels at a certain function, so the operational risk a vendor poses needs to be weighed carefully. If a vendor's processes fail, how would your operations continue? If one of your vendors is a cloud service provider and its service is suspended, how would your organization recover, and how long would it take?
  2. Financial Risk: Determining the financial risk a third-party vendor carries goes hand-in-hand with operational risk. If one of your vendors were breached, how would your organization be financially impacted? Would you have to pay legal fees, regulatory fines, breach notification costs, or the cost of an investigation?
  3. Reputational Risk: The reputational risk a third-party vendor poses to your organization should not be overlooked. If a vendor is known for security breaches or ethical violations, what impact could that have on your business? Does the vendor you are partnering with hold the same core values your organization does? If a vendor causes your organization to be breached, how will your clients view your organization: as a trusted resource or as an insecure service?
  4. Compliance Risk: Regulatory compliance demands continue to grow, and organizations are requiring their third-party vendors to demonstrate compliance more frequently. When implementing a vendor compliance management system, you need to consider what the risks are if your vendor violates a regulation that applies to you. Keep in mind that outsourcing a function does not outsource the obligation: under GDPR, a controller remains accountable for the processing it entrusts to a processor, and the PCI DSS requires merchants and service providers to maintain a list of the service providers they share cardholder data with and to monitor those providers' compliance status. So if your third-party vendor is a data processor, what would the impact be if it violated GDPR? If your payment processor violated the PCI DSS, what would the implications be for your own compliance?

Many of these third-party vendor risks overlap, but analyzing each category separately is a useful strategy when vetting a potential vendor. If you rely on a third-party vendor to perform a critical part of your business process, establishing a vendor compliance management system is crucial. Have you assessed the risks your third-party vendors pose?

Need help identifying your vendors’ risks? We’re here to help! Contact us today to learn more about our Third-Party Onsite Assessment and how KirkpatrickPrice can help you ensure that you’re properly vetting your vendors.

More Resources

Learn the 5 Steps to a Risk Assessment

9 Regulatory Risk Types Involved in a Vendor Risk Assessment

How a Risk Assessment Can Save Your Business