Vendor risk assessment needs to be an ongoing initiative at your organization, not a one-time project. In other words, it should be part of your culture rather than a bolt-on program. How do you manage your vendors' risk? Here are some tips you can implement to ensure proper risk management:
Tip 1: Get senior management buy-in and approval for the whole vendor management process.
Tip 2: Don't treat every vendor the same, but differentiate only after you have classified each vendor. Use classification ratings to decide how much or how little work each vendor relationship requires.
Tip 3: Look for independent verification of controls. One commonly used, independently verified source for credit reports is Dun & Bradstreet reports.
Tip 4: Watch out for Force Majeure clauses (Acts of God). This is one of the things you need to plan for. Ask vendors to provide their Business Continuity and Disaster Recovery plans.
Tip 5: Integrate Vendor Management with the Business Impact Analysis (BIA) process. When you're doing a BIA you should be documenting your different business units and all the key dependencies they need to do their jobs, which include vendors and third parties. Without integrating Vendor Management into the BIA, the BIA will very often uncover vendor management activities that many in the organization didn't know existed. So, integrate the Vendor Management and BIA processes.
Tip 6: Provide management with risk ratings and options for managing third-party risk. Give them a path of action to mitigate the risk. Simply identifying vendors that are high risk is not enough; you need to go through those vendors and decide on a clear path of action for your senior management. Provide options that can actually be implemented.