Vendor risk assessment needs to be an ongoing initiative at your organization, not just a one-time project. In other words, it should be part of your culture rather than simply an add-on program. How do you manage your vendors’ risk? Here are some tips you can implement to ensure proper risk management:
Tip 1: Get senior management buy-in and approval for the whole vendor management process.
Tip 2: Don’t treat every vendor the same. Classify each vendor first, then use the classification rating to decide how much or how little work each vendor relationship needs.
Tip 3: Look for independent verification of controls. One common, independently verified source for credit reports is Dun & Bradstreet Reports.
Tip 4: Watch out for force majeure clauses (acts of God). This is one of the things you need to plan for. Ask vendors to provide their Business Continuity and Disaster Recovery plans.
Tip 5: Integrate vendor management with the business impact analysis (BIA) process. When you’re doing a BIA, you should be documenting each business unit and all the key dependencies it needs to do its job, including vendors and third parties. Without that integration, the BIA very often uncovers some vendor management program that many in the organization didn’t know existed.
Tip 6: Provide management with risk ratings and options to manage third-party risk, and give them a path of action to mitigate it. It’s not good enough to simply identify vendors that are high risk; you need to go through those vendors and decide a clear path of action for your senior management, with options that can actually be implemented.