Vendor risk management (VRM) is a form of risk management that focuses on finding and mitigating risks associated with vendors. It helps to ensure that the use of service providers and IT suppliers does not result in a breach which could impact a company’s entire value chain. It assesses the maturity of control categories put in place by an organisation to manage their risk and compliance. Exposure risk, inherent risk, and assessment risk are measured against a company’s risk appetite to compile a residual risk index. VRM gives companies insight into the risk posed by their vendors and identifies which vendors have adequate security controls in place and which are found to be lacking.
Why is it important?
Our global economy relies upon complex networks of businesses known as supply chains. Supply chains map out the production flow, from source to destination, between companies and their suppliers. Supply chains are vital. They enable companies to outsource areas of their business to specialists and so help to reduce costs, improve efficiencies, enhance performance and free up vital time and resources. But while your company can outsource work to third-party vendors or suppliers, you cannot outsource risk. The complexity and interdependence of supply networks increases your attack surface and creates vulnerabilities within your organisation.
To illustrate this: let’s say that you are a lawyer who has been working remotely since the COVID-19 pandemic restrictions were implemented. You have had to transact large volumes of sensitive information about your clients digitally. You are using a supplier with a low security maturity, and you risk having your client's sensitive personal data exposed in a breach.
The amount and type of risks vary between companies based on factors such as size, jurisdiction, applicable laws and industry, among others. Volume, type and sensitivity of data also play a part in understanding threat levels. With customers demanding instant and efficient prioritisation of risks posed by suppliers, supply chain risk management should form a central part of an organisation’s overall risk strategy.
What is a vendor?
Third-party vendors and suppliers have access to certain intellectual property or information that can be internal or customer related. These vendors are usually outside of your direct control, but it is your duty as a company to control and manage their risk.
With vendors, it is important to take remediation of risks seriously, to try and reduce risk, rather than just measure it.
Types of vendor risk
There are multiple types of vendor risk that can affect your company directly. These include reputational, compliance and legal, financial, cyber, strategic and operation risk.
Reputational risk: your company can really take a big hit when customers are dissatisfied with your business or standards.
Compliance and legal risk: when laws, regulations, rules, or policies are not followed companies face fines and legal fees.
Financial risk: the two main forms of financial risk are excessive costs (regular audits make sure that spending is up to bar) and lost revenue (what vendors are affecting revenue).
Cyber risk: it is important to understand that not all vendors pose the same level of risk and assessments should be made to look at your systems and hopefully avoid cyber-attacks.
Strategic risk: allows you to establish key performance indicators when vendors make decisions that don’t line up with your strategic objectives.
Operational risk: this becomes an issue when vendors are failing to offer their services as they promised, and it can negatively impact your organisation.
Case study
So, why is risk assurance so important, and what happens when you do not take it seriously enough?
Let’s take the vendor SolarWinds as an example. Their system, “Orion” was used by 33,000 customers to help manage their IT resources. In 2020, there was a software update sent out to its customers that included a hacked code. About 18,000 customers downloaded this code which went undetected for months and led to access of many high-profile clients such as the US government and some Fortune 500 companies.
This famous breach allowed the hackers to gain access to important data that they were able to change or destroy. While some companies knew they were hacked, others may never know. Future product plans, along with employee or customer information was leaked and held for ransom so clients lost trust in those holding their information. The level of access was deep and broad, leading to governments and organisations realising that they need to actively seek out vulnerabilities in their systems.
Vendor risk management notices breaches, and takes steps to fix them, this also includes being pro-active. By engaging with suppliers to ensure that your security systems are up to date you can reduce the risk of data breaches within your organisation. There is no one solution, but this should serve as a wakeup call to agencies and companies that taking information security and risk management seriously is a must.
And while this may be an extreme case with extreme results, knowing your individual company’s risk and making sure that your vendors are safe before you must spend loads of time and money fixing a breach is imperative.
What do VRM and C2 have in common?
When you onboard a supplier, it is crucial that you carry out initial due diligence to assess the risk posed to your organisation and subsequent continuous monitoring to detect changes in risk status.
At C2, we are committed to helping more companies survive and thrive in a digital economy. We help you categorise your risk, provide you with assessments to analyse policies, processes and controls, as well as help you build compliance directly into your frameworks. With a tailor fit system, you can monitor your live ratings and manage your audits.
If you have questions, or want to book a demo, please click below. We would be happy to share our solution and connect with you.