The Top 3 Drivers of Vendor Risk Management Programs

As data breaches and privacy violations are increasingly traced back to vendors, suppliers and other third parties, most organizations are looking to either launch vendor risk management (VRM) programs or mature their existing programs. Over the past 15 years working with hundreds of organizations, we've found that VRM programs are usually driven by one of three objectives. In this post, we'll break out these drivers and discuss the motivations for each.

1. Automation-Driven VRM

Automation-centric VRM programs usually start as a reaction to a personal pain, such as a heavy workload or too much complexity.

These programs tend to be championed by an individual, often in procurement, looking to expedite vendor onboarding and due diligence. Spreadsheet-based vendor assessments are often cited as a pain, with back-and-forth emails, version control issues, and inconsistent processes creating headaches for everyone involved.

Automation-driven vulnerability risk management initiatives tend to be more of a project than a program. As such, they lack the oversight of more mature programs tied to governance, risk and compliance (GRC) efforts.

Organizations with automation-driven VRM objectives are usually characterized by:

• A bottom-up approach, driven by an individual or small team
• Manual processes creating headaches
• The need for simple, custom questionnaires
• A limited number of suppliers
• No existing visibility into third-party risk
• No strategic mandates for managing third-party risk and compliance

There’s nothing wrong with starting your vendor risk management program here. In fact, many successful VRM programs begin by eliminating the manual processes that can miss security control gaps and increase the risk of data breaches.

Automated vendor risk assessment solutions can help to streamline and accelerate these programs.

2. Compliance-Driven VRM

Moving up the maturity scale, compliance-driven programs arise from the need to address one or more regulatory requirements.

When you work with third-party vendors to handle and process data, it doesn't mean that your organization is no longer accountable for security risks to that data. That's why several government regulations and industry frameworks mandate third-party risk management practices. Here are some examples:

• AICPA SOC 2
• CCPA
• CMMC
• CSA CAIQ
• EBA Outsourcing Guidelines
• FCA FG 16/5
• FFIEC IT Exam Handbook
• GDPR
• HIPAA
• ISO 27001/27002/27036-2
• NERC CIP
• NIST SP800-53 & CSF
• NY CRR 500
• NY SHIELD Act
• PCI DSS

This is the point at which organizations realize they need a program, not a project. Only an ongoing, structured program can both proactively manage third-party risk and produce the required documentation for both external and internal audits.

Organizational characteristics that drive this type of program include:

• A middle-out approach, driven by government and/or industry requirements
• Has a specific compliance mandate for VRM
• Currently using manual processes to assess a subset of suppliers
• Suppliers are usually tiered by critical service or spend
• Has limited visibility into supply chain information security risks
• May already have a basic program that needs more definition and structure

Many regulations and frameworks require external, continuous risk monitoring in addition to periodic vendor risk assessments. See the table on our compliance capabilities page to learn more about specific requirements for assessments and/or monitoring. For simplicity, Prevalent offers the Prevalent Compliance Framework (PCF) questionnaire that enables you to map the answers to any number of regulatory or control frameworks, which greatly simplifies the compliance reporting process.

3. Risk-Driven VRM

The most mature VRM programs are driven from the top-down by strategic risk management programs, with compliance being a natural byproduct of these initiatives.

Organizations with risk-driven VRM programs tend to have a good grasp of who is in their vendor ecosystem and can usually quantify their risk to some extent. They intertwine vendor risk management frameworks with broader GRC/IRM programs, and they often secure the services of one of the Big 5 audit firms for outsourcing or program management. However, these organizations often still wrestle with manual processes, limited analysis capabilities, and silos that can hamper risk-based decision-making.

Typical characteristics of risk-driven VRM programs include:

• A top-down approach, driven by a strategic business initiative
• A big-picture program vs. a tactical project
• Executive-level sponsorship that considers VRM integral to managing risk
• Risk managers have a handle on the number of suppliers and are able to quantify risk
• Often still relies on manual processes to assess a percentage of vendors

Truly risk-driven vendor risk management programs are rare outside of large, highly regulated organizations with sufficient resources, vision and scale. These programs usually achieve optimal levels of VRM maturity with a hybrid solution comprised of a unified, automated third-party risk management platform backed by assessment services and professional services.

Organizations at this level often go beyond core assessment and monitoring, leveraging their TPRM solutions to handle vendor performance management, address data privacy challenges, and conduct internal risk assessments