Six Steps for Establishing a Vendor Risk Management Program

August 18, 2016

One of the key problem areas of enterprise risk management is vendor risk. Managing hundreds to thousands of vendors, suppliers, outsourcers and other third-party relationships is difficult in the best of financial times. But with shrinking budgets and smaller staffs, how can vendor risk management be performed correctly?

These same shrinking budgets are forcing more companies to cut costs by outsourcing critical processes and systems containing confidential information. This makes the challenge of managing vendor risk and compliance even more difficult.

Business and regulatory mandates are pressuring executive-level officers to focus on compliance with privacy requirements. This diverts resources from business operations and revenue generation. Moreover, the lack of standards or accepted metrics for assessing risk is a constant distraction for vendors, who must complete multiple audits for their clients. Some vendors undergo these audits hundreds of times per year, costing them time, money and the opportunity cost of not applying their staff to other projects.

Many organizations are not able to adequately defend their selection of vendors or the ongoing use of those vendors. The task of performing due diligence and risk modeling on every vendor is cost-prohibitive and beyond the capacity of most organizations.

Establishing a vendor risk management program is a challenging undertaking. The process increases in complexity because of the large number of participants from the enterprise (e.g. procurement, information and physical security, legal and regulatory compliance) and the vendor (e.g. sales, security, information technology, legal and human resources).

These six steps are key for establishing a cost-effective vendor risk management program:

  1. Corporate Governance: The place to start is with a strong internal governance system and policies. Establishing a corporate-wide policy creates a solid foundation for the program, and it is a prerequisite for getting every organization within the business to participate.
  2. Vendor Contracts: Contracts are the starting point from a vendor management perspective. Getting the necessary terms and conditions agreed upon is imperative from the beginning of the relationship. Key areas of consideration are "right to audit" and "security requirements."
  3. Risk Assessments: A complete vendor risk assessment has three components: relationship risk, business profile risk and control risk. To perform due diligence, it is necessary to know what to review and what evidence to gather. When performing a risk assessment, there are a number of high-risk controls to measure, and certain red flags that will alert the auditor to problems.
  4. Onsite Audit: The key to an effective onsite audit is being prepared. Establish an audit plan that focuses the due diligence effort on the critical areas most likely to produce correctable, high-impact findings. Watch for "red flags" that may indicate possible problems within the vendor's environment.
  5. Reporting: Concise audit results are critical in providing guidance to the different areas within the organization that need to review them (e.g. procurement, legal and security). The organization should review the risks identified in the report and require the vendor to correct areas of weak control to bring them into compliance with organizational requirements.
  6. Risk Monitoring: Ongoing risk monitoring is required to keep abreast of any significant changes in your vendor's environment. Key areas to monitor include the company's financial health, business continuity plans and security controls. A sudden change in any of these areas could significantly increase the risk the vendor poses to the organization.

By: Michael Myaskovsky

Third-Party Risk Management Director of IT and Client Services
