Vendor risk assessment is required to ensure that the use of external IT service providers and other vendors does not create unacceptable potential for business disruption or negative impact on business performance.
To accomplish this we need to know more about the company than its website tells us. We need to understand the vendor's financial position, its reputation for delivering what it promises, and how well it will protect our data. Vendors that provide IT services carry additional risk assessment requirements. Contract language must include the right to audit, data security measures, and data ownership. We also need specific security considerations and incident response procedures, and for cloud-based IT services there are additional data security questions that need answers.
Ultimately, those of us responsible for assessing vendor risk must understand each vendor's risk posture. Some basic practices that can be implemented to better control vendor risk in your organization:
- Assess the risk landscape. Use tiered risk assessments that establish the likelihood and impact of a risk event originating with a supplier, and let the tier set how deep and how often you review that supplier.
- Deploy comprehensive supplier reviews. Periodically review the risk control practices of existing suppliers, and use a verification process to qualify new suppliers.
- Deploy risk metrics. Create Key Risk Indicators (KRIs) that alert your company to problems in the supply chain.
- Report on risks internally. Set up a process to monitor risks in your supply chain, collect information about them, and report on them.
- Improve continuously. Assess your risk monitoring and governance frequently and close gaps in those systems.
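One way to make the tiering and KRI steps above concrete, as an added example that is not part of the original page: score each vendor on a likelihood × impact scale, map the score to an assessment tier, and evaluate a handful of KRIs against tier-dependent thresholds. The 1 to 5 rating scale, the tier boundaries, the review cadence per tier, the incident threshold, the field names and the sample vendors are all assumptions chosen for this illustration, not a standard the page cites; the required contract clauses are the three the text names.

```python
from dataclasses import dataclass

# Likelihood and impact are each rated 1 (low) to 5 (high); their product is
# the inherent risk score. Scale and tier boundaries are assumptions for this example.
TIER_THRESHOLDS = ((15, "Tier 1"), (8, "Tier 2"), (1, "Tier 3"))

# Contract terms the text says an IT-service contract must carry.
REQUIRED_CLAUSES = frozenset({"right_to_audit", "data_security", "data_ownership"})

# Maximum days between reviews per tier (assumed cadence).
REVIEW_CADENCE_DAYS = {"Tier 1": 365, "Tier 2": 730, "Tier 3": 1095}


@dataclass(frozen=True)
class Vendor:
    name: str
    likelihood: int               # 1-5, chance of a disruptive event at this vendor
    impact: int                   # 1-5, business impact if it happens
    provides_it_service: bool     # IT-service vendors get the extra contract checks
    contract_clauses: frozenset   # clauses present in the signed contract
    days_since_last_review: int
    open_critical_findings: int
    incidents_last_12m: int


def risk_score(likelihood: int, impact: int) -> int:
    """Inherent risk = likelihood x impact, each on a 1-5 scale (max 25)."""
    for label, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{label} must be between 1 and 5, got {value}")
    return likelihood * impact


def tier_for(score: int) -> str:
    """Map a risk score to the tier that sets review depth and cadence."""
    for floor, tier in TIER_THRESHOLDS:
        if score >= floor:
            return tier
    raise ValueError(f"score out of range: {score}")


def evaluate_kris(vendor: Vendor) -> list[str]:
    """Return the key risk indicators that have fired for this vendor."""
    tier = tier_for(risk_score(vendor.likelihood, vendor.impact))
    alerts = []
    if vendor.provides_it_service:
        missing = REQUIRED_CLAUSES - vendor.contract_clauses
        if missing:
            alerts.append(f"contract lacks {', '.join(sorted(missing))}")
    if vendor.days_since_last_review > REVIEW_CADENCE_DAYS[tier]:
        alerts.append(f"review overdue for {tier} "
                      f"({vendor.days_since_last_review} days since last)")
    if vendor.open_critical_findings:
        alerts.append(f"{vendor.open_critical_findings} open critical finding(s)")
    if vendor.incidents_last_12m >= 2:   # assumed threshold
        alerts.append(f"{vendor.incidents_last_12m} incidents in the last 12 months")
    return alerts


def vendor_report(vendors) -> list[dict]:
    """Rank vendors by inherent risk and attach tier and fired KRIs for reporting."""
    rows = []
    for v in vendors:
        score = risk_score(v.likelihood, v.impact)
        rows.append({"name": v.name, "score": score,
                     "tier": tier_for(score), "alerts": evaluate_kris(v)})
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


# Constructed sample vendors for the example; not real companies.
SAMPLE_VENDORS = [
    Vendor("cloud-backup-co", 4, 5, True,
           frozenset({"right_to_audit", "data_security"}), 400, 1, 0),
    Vendor("office-supplies", 2, 1, False, frozenset(), 900, 0, 0),
    Vendor("payroll-saas", 3, 4, True, REQUIRED_CLAUSES, 200, 0, 2),
]

if __name__ == "__main__":
    for row in vendor_report(SAMPLE_VENDORS):
        print(f"{row['name']:<18} score={row['score']:>2} {row['tier']}  "
              f"alerts={row['alerts'] or 'none'}")
```

Tier decides cadence, so the same 400 days since review fires a KRI for a Tier 1 cloud provider but not for a Tier 3 supplier, and the contract-clause check only applies to vendors that actually provide an IT service, which is the distinction the text draws.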
Company boards are expecting more proactive efforts to develop a holistic view of supply-chain risks. An effective enterprise risk management (ERM) program can help assure directors that disruptions are being kept to a minimum.