There are several types of vendor-related risks that you should be aware of. And although the risk of being compromised due to a successful hack of your vendor or partner is certainly possible, it is among the least probable on that list. In this article, we will overview the main types of risks that you should keep in mind. We will also help you to create a methodology and a workflow to embed vendor risk management techniques to help you pick the best one for the job.
What Is Vendor Risk Assessment?
Contrary to popular belief, vendor risk assessment is not about reading the news in order to find the most recent security breach of a given vendor. It is a complex process of grouping and qualifying vendor-related risks that might potentially harm the interests, security, or reputation of your company.
What Are the Risks?
Before creating a policy and performing the assessment, you should create a list of risks that you will be assessing your vendors for. Here are the typical ones:
- Security risks. You should check whether or not the vendor of your choice was subject to successful security attacks or was found to maintain leaking databases. Also, if your company operates under a certain compliance, chances are that all your software and app vendors should be certified to work under that compliance as well.
- Financial risks. Price rises are a common occurrence in today’s world. Thus, you should check the history behind the given vendor to understand their typical practices in that area. Try to avoid asking that vendor’s salespeople, since all you will hear will be their company's position. Go directly to the users on Reddit or any other forum or social media that you prefer.
- Operational risks. Sometimes, in order to start using a new piece of equipment or app, you have to update or recreate certain workflows in your organization. So, before you go into that long and expensive process, check whether there is a less demanding alternative.
- Replacement risks. Some data storage and backup vendors tend to keep your data in proprietary vaults, making it almost impossible to migrate. So, you should keep vendor lock-in in mind, since there is always a possibility that you will need to replace the solution in the coming years.
- Reputational risk. Lastly, there are reputational risks. Remember what happened to the antivirus giant Kaspersky? It was accused of espionage, and a lot of US-based organizations immediately dropped the company’s solutions for good. Whether those accusations were true or not, nowadays it is considered to be bad business practice to use Kaspersky antiviruses, since it can cast doubt on your organization.
When Do You Need to Run a Risk Assessment?
You should perform vendor risk assessment during several different stages of your relationships:
- When looking for a new product. Obviously, the first stage when you perform a risk assessment is when you look for a new product or a solution that will fit your needs.
- Yearly reviews. Regular yearly reviews of each vendor from whom you buy strategic products or applications are a necessity for two specific reasons. First, each year there are new products released that might be more advanced than your existing ones. Second, sometimes vendors change their financial or security policies in such a way that they will become unsuitable for your organization.
- When terminating the existing contract. In this case, you should perform a post-mortem risk assessment to understand what exactly made you finish the contract, and seek a more suitable vendor based on these assumptions.
Vendor Risk Assessment Checklist
So, here's the exact procedure that you should perform in order to have a solid understanding of the vendors you are about to interact with and the risks tied to them:
- List all the vendors. In this first step, you should gather a list of all the vendors and their specifics, like the products they provide, the areas they operate in, and other basic information. It would be great not only to gather formal information from their websites or news but also to get in touch with their clients.
- Assess the risks. According to the list we provided earlier in the article, create a unique list of risks for each vendor. It would be particularly useful to provide detailed evidence here.
- Classify the risks. Once you have understood which risks the vendors are prone to, it's time to classify those risks by probability, impact, and other factors unique to your company.
- Pick the vendor. Now that you have gathered all the information, it's time to decide which vendor you are about to shake hands with.
Now you know how to create a thorough and thought-through workflow around choosing the right vendor. However, don't overdo it.
You see, such thorough frameworks work great for enterprise-grade organizations that need to meet the needs of their internal security policies. For sure, if an organization has five thousand employees, they will need a lot of complex frameworks just to continue normal operations. But for smaller companies, such policies can be excessive.
So, while keeping the complex method in mind, try to stick to common sense. Don't overplan and overprocess, but instead embed the main idea of vendor risk assessment and vendor risk management into your workflow – which is finding the best vendor to suit your needs.