Where to Start
With a well-organised, efficient vendor risk management process, you can reduce third-party risk without adding strain to your security team. This is achievable with the right guidance and tools, and the difference it makes is measurable:
27% of businesses without a third-party risk management programme suffered high-impact incidents, compared to only 2% of businesses that had one.
So how can we achieve these results?
First, ask whether you have a clear picture of which vendors your business uses. If the answer is "no," this is the place to start.
Before any progress can be made on vendor assessment, you need to know which suppliers work with your company and what goods and services they provide. Without this data, you cannot know what you should be assessing, and an unrecorded vendor is an unassessed one.
To address this, collect a list of known vendors from procurement (accounts payable and contract records are useful cross-checks) and add them to a vendor register. Record key information for each entry: the goods and services the vendor provides, a named point of contact, and the business owner of the relationship.
Now that you have your list, we should address the elephant in the room.
You will not be able to assess every vendor every year without a huge team. Aim instead to get as close to full coverage of your vendors as is realistic. Often, businesses assess the top 25% of vendors by annual spend, on the basis that the greatest exposure usually sits with the vendors you pay the most, and we treat spend as a key factor. Bear in mind that spend is only a proxy: a low-cost vendor with access to your systems or data (a managed service provider, or a SaaS tool integrated with your identity provider) can carry more risk than an expensive supplier of commodity goods, so spend should not be the only factor.
Although there are different angles to consider, we suggest organisations develop a simple, repeatable strategy for categorising vendors quickly. This strategy is usually called a tiering assessment, which leads us neatly into our Tiering 101.