Are you asking yourself the right questions when it comes to vendor coverage? It’s something that all businesses think about, but with limited resources, it’s almost impossible to optimize your vendor portfolio by rigorously assessing each and every supplier. In this blog, we’ll talk about vendor coverage and how businesses can best identify third-party vendors that come with significant risk.
An organization’s third-party risk team is presented with the difficult challenge of assessing vendors with limited time and resources. The first thing to address is: do you have a clear picture of the vendors within your organization? If the answer is “no,” this is an excellent place to start. Before any changes can be made to the assessment process, you need to know which vendors are working with your business and what goods and services they provide you. Without this information, you won’t know what you should be assessing. To start to address this, you should collate a list of your known vendors from procurement and add them to your vendor register. Information such as the goods and services each vendor provides and a point of contact should be documented.
Once you have the list, we should address the elephant in the room. You won’t be able to assess all your vendors every year without an army of people. But you should be aiming to get as close as possible to 100% coverage in understanding your vendor landscape. Often organizations end up assessing the top 25% of vendors by financial value, because there is usually a risk in the vendors you spend the most money with, and so we consider that a key factor. However, there are other aspects to consider. We would recommend that organizations develop a simple, easy and repeatable method to quickly categorize vendors, often called a tiering assessment, to help with this.
A fit-for-purpose tiering assessment should be consistent, remove “gut feel,” and ensure a focus on what matters to the organization. Your tiering assessment shouldn’t be complicated, but it should focus on key risk factors that could have a significant impact on your organization. These factors might include things like contract value, the type of data your vendors handle, the access they have to your data, premises or customers, their compliance certifications and any reputational impact they carry. One approach to the assessment is to use simple scores weighted against the factors as part of the tiering process, allowing you to effectively rank vendors by increasing trust level, such as Informal, Trusted, Partner or Strategic. This will help your third-party risk team understand and prioritize their efforts to establish and assure trust.
It is crucial to understand from the outset that while you should be striving to achieve 100% coverage, this doesn’t mean assessing each and every vendor. For most businesses, it would be unfeasible to plan, test, evaluate and remediate findings from each vendor on an annual basis. But because tiering provides you with an indicative importance and risk level of the vendor to your organization, you can focus and put resources into the ones that matter most to you.
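As an added example that is not part of the original post, the Python below sketches the weighted tiering score described above: each vendor on the register gets a score from the listed risk factors, the score maps to one of the four trust tiers, and only the top tiers are scheduled for a full assessment while every vendor still stays on the register. The factor names, weights, scales, thresholds and the sample register are all assumptions chosen for illustration.

```python
# Weighted vendor tiering (illustrative; weights, scales and thresholds are assumptions).
from dataclasses import dataclass

# Weight of each risk factor. Each factor is scored 0-3, except certifications (0-2),
# which count against the score because independent assurance reduces residual risk.
WEIGHTS = {
    "contract_value": 2,   # spend band
    "data_type": 3,        # sensitivity of data the vendor handles
    "access": 3,           # access to data, premises or customers
    "certifications": -1,  # compliance certifications held
    "reputational": 2,     # reputational impact if the vendor fails
}
MAX_SCORE = 2 * 3 + 3 * 3 + 3 * 3 + 2 * 3   # 30; certifications only subtract

# Score fraction thresholds mapped to the trust tiers named in the post (assumed cut-offs).
TIERS = [(0.75, "Strategic"), (0.50, "Partner"), (0.25, "Trusted"), (0.0, "Informal")]
# Tiers that get a tailored, full assessment each year; the rest are register-only.
FULL_ASSESSMENT = {"Strategic", "Partner"}

@dataclass
class Vendor:
    name: str
    factors: dict

def risk_score(v: Vendor) -> int:
    """Weighted sum of the vendor's factor scores; a missing factor counts as 0."""
    return sum(WEIGHTS[f] * v.factors.get(f, 0) for f in WEIGHTS)

def tier(v: Vendor) -> str:
    """Map the score to a tier; scores below zero fall through to Informal."""
    frac = risk_score(v) / MAX_SCORE
    for threshold, name in TIERS:
        if frac >= threshold:
            return name
    return "Informal"

def plan(register):
    """Return {vendor name: (tier, needs full assessment)} for the whole register."""
    return {v.name: (tier(v), tier(v) in FULL_ASSESSMENT) for v in register}

# Constructed sample register (hypothetical vendors, not real ones).
REGISTER = [
    Vendor("Payroll SaaS", {"contract_value": 2, "data_type": 3, "access": 3, "certifications": 2, "reputational": 3}),
    Vendor("Office supplies", {"contract_value": 1, "data_type": 0, "access": 1, "certifications": 0, "reputational": 0}),
    Vendor("Cleaning contractor", {"contract_value": 1, "data_type": 0, "access": 3, "certifications": 0, "reputational": 1}),
    Vendor("Ad agency", {"contract_value": 3, "data_type": 1, "access": 1, "certifications": 0, "reputational": 2}),
]

if __name__ == "__main__":
    for name, (t, full) in plan(REGISTER).items():
        print(f"{name:20} {t:10} {'full assessment' if full else 'register only'}")
```

Note that the office supplier lands in the Informal tier and is covered by the register without a full questionnaire, whereas the cleaning contractor is lifted into Trusted purely by its premises access despite low spend.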
You know who the vendors are, and you have figured out the priorities and the activities. You now need to create the process to execute this. Every organization will have an approach specific to its needs, but most have the following components.
To achieve this, you need to understand that a one-size-fits-all assessment process simply won’t work. You will need to tailor questions directly to key vendors based on their individual risk profiles. For instance, you wouldn’t want to ask a technology vendor the same 100 questions you asked your office supplier. It’s one of the many ways you can tailor tiered assessments to work for your business and dramatically reduce its vulnerability.
To summarize, in most organizations, it’s not realistic to strive for 100% assessment of all vendors, but you can strive to understand all your vendors and achieve that 100% coverage.
SureCloud provides cloud-based, Governance Risk and Compliance products, and Cybersecurity & Risk Advisory services, which reinvent the way you manage risk. SureCloud connects the dots with Integrated Risk Management solutions, enabling you to make better decisions and achieve your desired business outcomes. SureCloud utilizes a highly configurable technology platform, which is simple, intuitive, and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation, meaning you get immediate and sustained value from the outset.