Understanding Vendor Risk Management (VRM) + Best Practices
Vendor risk management (VRM) helps you manage and reduce the risk of vendor relationships disrupting operations or compromising security. When implemented within the broader third-party risk management (TPRM) program, VRM focuses on third parties that present significant cybersecurity risks.
To help guide you through your compliance journey, we’ve put together this briefing with everything you need to know about vendor risk management, its implementation, and VRM best practices.
What is Vendor Risk Management?
The days when companies ran every business function in-house are long gone, replaced by business services and cloud applications that integrate to varying degrees with internal systems. With greater integration, however, comes greater risk. Today, networks are more nebulous and vulnerable to the weaknesses in their vendors’ security systems.
Vendor risk management is a process for assessing, monitoring, and mitigating the risks introduced by an organization’s external business relationships. By controlling these risks, VRM helps reduce the risk of these vendors disrupting the business.
How Does VRM Differ From Third-Party Risk Management?
Some organizations may not distinguish between vendors and third parties. For example, startups may lack the resources for sophisticated approaches to vendor risk. In this case, “vendor” and “third-party” are interchangeable. One risk management system will oversee every business relationship, from consultants to caterers to cloud service providers.
Larger, more integrated vendor ecosystems require risk policies that distinguish vendors from other third parties. One definition of vendor is a company that sells IT hardware, software, or services. These companies’ products integrate with the enterprise network and introduce cybersecurity risks. Billing or payroll services providers fall under this definition since they can access sensitive information.
A VRM program handles vendors that expose the company to this kind of cybersecurity risk. Other third parties would fall under the company’s overall third-party risk management system.
The Importance of Managing Vendor Risk
Your business’s overall risk increases whenever you onboard a vendor. Hackers can use a vendor’s network to penetrate your defenses, or supply chain attacks can turn your applications into attack vectors.
Even without an attack, a vendor’s security system becomes an extension of your security system. A small change by the vendor could compromise your company’s compliance with industry frameworks and domestic or international regulations. Any security breach or compliance issue caused by a vendor could cause significant financial, legal, and public relations damage.
That is why having formal processes for managing vendor risk is so important. Implementing a VRM plan lets you:
Proactively address vendor-related risks.
Control vendor access to sensitive information and resources.
Monitor and enforce vendor compliance with risk policies.
Improve your compliance with standards and regulations.
Manage vendors more efficiently.
How to Implement an Effective Vendor Risk Management (VRM) Plan
How you implement a vendor risk management plan will depend on the structure of your organization, your industry’s security frameworks, and your company’s overall risk tolerance. A general path to VRM would follow these seven steps:
1. Adopt Security Frameworks and Develop Policies
In many cases, your industry will determine which security frameworks to adopt. HIPAA governs how hospitals handle patient records. Federal contractors must follow NIST guidelines.
Companies that collect the personal information of EU citizens must comply with GDPR. These and other frameworks include requirements for managing third-party risk. Once you have the relevant frameworks, develop the policies and procedures for managing vendor risk.
2. Audit Your Existing Vendors
Identify every business relationship that falls under your vendor risk management policy, then estimate the potential impacts these relationships could have on your business.
Use those estimates to decide how to assess each vendor’s risks. A security questionnaire may be enough for low-impact vendors. High-impact vendors, on the other hand, could cause enough damage to justify security audits or penetration testing.
It can be helpful to create a tiering structure to guide what security requirements and depth of review should be completed for different vendors. For example, vendors with access to customer data could fall into the highest tier which requires the most scrutiny, whereas a catering vendor falls into the lowest tier.
3. Develop Internal Controls
Your audits may identify issues within your own systems. They may also reveal vendor risks that your existing systems cannot detect or monitor effectively. Developing internal controls will mitigate these risks and make managing your vendors easier.
For example, you might require SSO be used for user access to all vendors that fall into certain risk categories.
4. Require New Contracts With Clauses for Risk Compliance
Consider modifying your contracts to include service level agreements, performance metrics, security requirements and other requirements for vendor compliance with your VRM policies. The contract should clearly define a vendor’s responsibilities, causes for termination, and off-boarding expectations.
5. Continuously Monitor and Review Vendor Risk
Point-in-time vendor assessments become out of date quickly. Any change to a vendor’s system—new firewalls or newly-discovered vulnerabilities—could compromise your systems. Continuously monitor each vendor’s risk profile and adherence to the terms of the contract.
Conduct regular performance reviews with your highest risk vendors that include VRM compliance evaluations. When you create action plans to address unsatisfactory performance, clearly explain the consequences of continued poor performance.
6. Thoroughly Off-board Vendors
Your vendor risk management plan should include explicit policies for disengaging vendors from your business. Terminate all system and user accounts. Revoke the vendor’s physical access privileges by changing codes and recovering identity cards. Require proof that any documents and data have been returned or destroyed.
7. Regularly Review Your VRM Policies
A vendor risk management plan cannot be a static document. It must evolve with your business, vendor ecosystem, and the nature of your risk exposure. Improve the process by learning from every compliance and security incident. Periodic top-down reviews of your VRM system will keep it aligned with your business strategies.
What is the VRM Lifecycle?
Once you have a VRM system in place, your vendor relationships will follow this consistent, four-stage lifecycle:
1. Vendor Selection
You will select new vendors based on the policies and criteria you used to migrate your existing vendor base. When you invite vendors to bid on an opportunity, make your compliance questionnaire part of the RFP. You may require more intensive assessments of high-impact vendors as part of the proposal or make the final contract contingent on passing a security audit.
2. Contracting and Onboarding
Upon selection, the vendor will sign a contract with the compliance expectations you set for your existing vendors. The new vendor must mitigate any issues identified in the previous stage. At the same time, you must create any internal controls needed to manage that vendor’s risk potential.
3. Monitor and Review
As with your existing vendors, continuously monitor your new vendor’s compliance with your VRM policies. Automated systems will help proactively identify and address compliance issues while documenting the vendor’s performance.
Make VRM compliance part of the vendor’s regular performance review—but don’t wait for an annual review to address poor performance. Fix problems when they happen or end the risky relationship quickly.
4. Termination and Off-boarding
Whether a vendor relationship ends naturally or due to non-compliance, you must eliminate your risk exposure. As discussed above, disengage the vendor from your systems and ensure they no longer possess sensitive information.
Understanding Vendor Risk Management Maturity Levels
You won’t create a vendor risk management plan overnight. Effectively developing and implementing VRM takes time, during which your organization will pass through six maturity levels:
1. Square One
Companies without a proper understanding of risk, especially startups, evaluate their vendors solely by business criteria such as cost and delivery performance. Risks are addressed silo by silo—IT addresses the network’s cybersecurity risks, legal protects against lawsuits, etc.
Company leadership understands that they need to address risk systematically. This revelation may come after a vendor-caused security breach or when a new customer requires security compliance. Vendor risks are addressed case by case as word of the leaders’ intentions spread within the company.
A vendor management team has selected appropriate security frameworks, defined the company’s risk tolerance, and formed risk policies. This team will have engaged with stakeholders throughout the company, so awareness is high, but managing vendor risk remains an ad hoc activity.
A vendor risk management plan is in place, and the company is bringing its existing vendors into compliance. Since no plan works perfectly the first time, the vendor management team will frequently iterate policies and procedures. As internal controls take effect and vendors address security issues, the company’s risk exposure will rapidly decline.
With the VRM system in place, new vendors get selected and onboarded within established VRM processes. The vendor management team monitors vendor compliance and proactively addresses emerging security issues.
6. Continuous Improvement
Vendor reviews, incident reports, and other feedback opportunities let the organization learn from successes and failures. The VRM team will adapt these lessons to improve the vendor risk management program.
Every organization’s experience will be different, but following these best practices can shorten the implementation period, improve efficiency, and reduce your company’s risk exposure.
Identify every vendor: Be sure to find every vendor relationship, including shadow IT, to understand your entire vendor ecosystem.
Risk is recursive: Your vendors’ third-party relationships can compromise your security. Include fourth-party risk when evaluating high-risk vendors.
Be consistent: Applying consistent policies across your vendor base reduces administrative overhead. At the same time, consistency makes it easier for your employees and vendors to understand risk policies.
But not too consistent: Group vendors with similar risk profiles and apply policies or controls that address their common risks. Vendors that do not handle customer credit cards, for example, do not need to meet the same requirements as your payment processors.
Assign ownership: A cross-functional vendor risk management team must own the policy development process. Vendor managers should have assigned responsibilities for assessing, monitoring, and reviewing vendors. Clear ownership promotes accountability and ensures the effective execution of your VRM plan.
Today’s vendor ecosystems blur the boundaries of enterprise networks, creating cybersecurity, legal, financial, and other risks. With the right tools in place, a vendor risk management system lets you bring these risks under control.
Compatible with SOC 2, HIPAA, and other security frameworks, Drata’s automated platform simplifies the monitoring of your security, risk, and compliance programs. Schedule a demo to see how Drata can support your team.