Business Driven Vendor Risk Assessment Template

August 23, 2016

The pace and level of outsourcing has continued to evolve and now includes any and all business areas and cloud services. Outsourcing decisions often occur under the radar, focusing on the economics of the agreement rather than on risk management oversight. In these scenarios, it is quite common to perform a risk assessment after a contract has been signed, leaving a company with very little leverage to address critical audit findings. In an ideal world, risk assessments should be performed before the contracts are signed so that the requirement to correct critical findings makes its way into the contract between the parties.

New relationships of this kind tend to evolve rapidly from a risk perspective as the scope and location of services change to accommodate business needs. The risk assessment templates traditionally used to manage vendor risk simply cannot keep pace or produce any type of actionable output for the business. Furthermore, these risk assessment templates typically require the active participation of a professional “risk manager”, which is a scarce resource in most businesses, if they have one at all!

What’s the solution? Use a risk assessment template written in business terms that:

  • Is integrated into the business process for “business buyers” to execute;
  • Informs the buyer of the risks their purchase presents; and
  • Gives your organization clear guidance as to what they MUST do to manage this risk.

Here is a general five step approach to help you get started on an effective business driven risk assessment template:

Step 1 - Policy

Develop and communicate a policy that requires all vendor relationships of a certain nature (e.g. those that involve sharing of information or outsourcing certain business processes) to be registered, and a risk assessment to be performed by the relationship owner, prior to approval or renewal. While this sounds easy, it could be something that takes months to complete. A trick is to focus on the procurement team(s) and help them establish the practice of performing risk assessments for large contracts or contracts with certain business or information impact. Also, assist your contracts team and work with legal to get standard language into contracts to support assessments and remediation.

Step 2 - Questions

Develop the universe of risk factors (e.g. information exposure, compliance exposure, strategic value) that you need to manage, and translate the corresponding controls into questions the business relationship owner can understand. For example, the compliance risk under the Payment Card Industry (PCI) standard for protecting cardholder data is translated as “Are you sharing credit card data with the vendor?” as opposed to “Does the relationship require compliance with PCI?”.

Step 3 - Score

Score the questions and answers relative to each other from a risk perspective so that the results can be:

  • Compared against other relationships to give you a portfolio view;
  • Tracked over time as the scope of the relationship changes; and
  • Aggregated with the total population of relationships for portfolio analysis.

Step 4 - Guidance

Based on the results of individual questions and the overall score, develop a set of required actions or guidance the business owner must take (e.g. assess/confirm the vendor’s compliance with PCI). Make sure these are in alignment with the contractual language. It is also a good practice to establish connections with your peers in other organizations if you have not already.

Step 5 - Integrate

Look at the touch points within your business environment where buyers must interface (e.g. procurement and legal) and integrate the risk assessment template and supporting process at those points for best results.

Remember, the business-driven vendor risk assessment template is all about integrating risk management into the outsourcing/procurement process by giving the relationship owners the tools and guidance to act as front-line risk managers.

By: Michael Myaskovsky

Third-Party Risk Management Director of IT and Client Services
