Six Steps for Establishing a Vendor Risk Management Program

By Michael Myaskovsky

One of the key problem areas of enterprise risk management is vendor risk. Managing hundreds to thousands of vendors, suppliers, outsourcers and other third-party relationships is difficult in the best of financial times. But with shrinking budgets and smaller staffs, how can vendor risk management be performed correctly?

These same shrinking budgets are forcing more companies to cut costs by outsourcing critical processes and systems containing confidential information. This makes the challenge of managing vendor risk and compliance even more difficult.

Business and regulatory mandates are pressuring executive-level officers to focus on compliance with privacy requirements. This diverts resources from business operations and revenue generation. Moreover, the lack of standards or accepted metrics for assessing risk is a constant distraction for vendors, who must complete multiple audits for their clients. Sometimes these audits are performed hundreds of times per year, costing the vendor time, money and the opportunity cost of not applying human capital to other projects.

Many organizations are not able to adequately defend their selection of vendors or the ongoing use of those vendors. The mere task of performing due diligence and risk modeling on vendors is cost prohibitive and beyond the ability of most organizations.

Establishing a vendor risk management program is a challenging undertaking. The process increases in complexity because of the large number of participants from the enterprise (e.g. procurement, information and physical security, legal and regulatory compliance) and the vendor (e.g. sales, security, information technology, legal and human resources).

These six steps are key for establishing a cost-effective vendor risk management program:

  1. Corporate Governance: The place to start is with a strong internal governance system and policies. Establishing a corporate-wide policy creates a solid foundation for the program. It is required before you can get all the organizations within the business to participate.
  2. Vendor Contracts: Contracts are the starting point from a vendor management perspective. Getting the necessary terms and conditions agreed upon is imperative from the beginning of the relationship. Key areas of consideration are “right to audit” and “security requirements.”
  3. Risk Assessments: There are three components of a complete vendor risk assessment: relationship risk, business profile risk and control risk. To perform due diligence, it is necessary to know what to review and what evidence to gather. When performing a risk assessment, there are a number of high-risk controls to measure, and certain red flags that will alert the auditor to problems.
  4. On-site Audit: The key to an effective on-site audit is being prepared. Establish an audit plan that focuses the due diligence effort on critical areas that will result in correctable, high-impact findings. Watch for “red flags” that may indicate possible problems within the vendor’s environment.
  5. Reporting: Concise audit results are critical in providing guidance for the different areas within the organization to review (e.g. procurement, legal and security). The organization should review the risks identified in the report and require the vendor to correct areas of weak control to be in compliance with organizational requirements.
  6. Risk Monitoring: Ongoing risk monitoring is required to keep abreast of any significant changes to your vendor’s environment. Key areas to monitor include the company’s financial health, business continuity plans and security controls. A sudden change in any of these areas could significantly increase the risk the vendor poses to the organization.

Michael Myaskovsky

Third-Party Risk Management Director of IT and Client Services

Michael Myaskovsky manages customer-facing service delivery and IT operations of the Evantix portal. He is responsible for customer satisfaction, portal infrastructure and change management. Michael joined Optiv with over 25 years of expertise in IT operations, infrastructure planning and product management.