One of the early stages of effective vendor management is performing a vendor risk assessment. This article skips past the complex terminology and gets you right into understanding what a vendor risk assessment is and how you can perform one in three simple steps.

What is a Vendor Risk Assessment?

A vendor risk assessment is a process for identifying the risks your organization will take on by outsourcing a product or service to a third party.

Think of it as buying a new smartphone. Unless you are a talented engineer, you will likely decide to outsource by purchasing a smartphone instead of making one yourself.

Once you make the decision to buy, your next step is to assess the smartphones you are considering: Will this smartphone make my life easier? What is the reputation of the company that makes this device? Does the smartphone have a good battery life? Does the phone use a reliable network? Based on your answers to questions like these, you can determine if a smartphone is a good match for you.

In a way, conducting an official risk assessment for your organization's third parties is like selecting your next smartphone. Your goal is to use what you know about a vendor to ensure the vendor is a reliable and suitable partner for your organization.

How to Perform a Vendor Risk Assessment

When it comes to performing a vendor risk assessment, try this three-step approach:

  1. Define a common set of risk categories.
  2. Set a scale to measure vendor risk.
  3. Answer three questions.

Step 1: Define a common set of risk categories.

Categories give you a standardized approach when evaluating vendor risk. This uniformity offers two benefits:

  • Uniformity provides comparable results, as you are evaluating the same areas for each of your vendors.
  • Uniformity saves time, as you are not rewriting the expectations for each vendor risk assessment.

If you work for a financial institution, some categories are already recommended for you. Each of the federal banking agencies (i.e., FDIC, FRB, OCC, and NCUA) has published its own guidance on the types of risk to consider. While there are minor variations, the core risk types include strategic, operational, transaction, credit, compliance and legal, and reputation. Download the Vendor Risk Category Resource for more information about each of these categories and tips on how to think about them in your risk assessment process.

Step 2: Set a scale to measure vendor risk.

Setting a risk scale provides a classification method, which offers viewers an idea of one vendor's risk in comparison to others. Some commonly implemented scales include numerical scales (e.g., "1," "2," "3," etc.) and ranking scales (e.g., "Low," "Medium," "High," etc.).

While a scale can be a useful tool in any risk assessment process, it should be noted that simply selecting a level from the scale is not a risk assessment, in and of itself. You could say a vendor's risk is "Medium," "15.75," or even "Orange," but without justification, a level alone cannot fully convey the implications of a vendor's risk.

Step 3: Answer three questions.

Defining risk categories and setting a scale provide the structure you need to assess risk. Step three guides you through understanding the risk and deciding what to do about it.

When conducting a vendor risk assessment, there are three questions you should answer for each of your defined categories:

  1. How much [category] risk do you think the organization will assume by implementing this vendor service?
  2. What information influenced your answer to the previous question?
  3. What do you think the organization should do with this information?

Answering all three for every category lets you label the vendor's risk, justify your assessment, and make an action plan.

When finished, it is helpful to document an "Overall" rating that condenses the information across the categories and calls special attention to any notable conclusions. Take care that the overall rating does not mask a single high-risk category; if one category stands out, say so in the justification.


Let's see an example of this three-step vendor risk assessment process, using Tandem Vendor Management as the vendor service.

  • Step 1: For simplicity's sake, this example will use only the "Compliance and Legal" risk category.

  • Step 2: The scale for this example will be "Low," "Medium," and "High."

  • Step 3: An answer to the three questions could be written like this:

    1) The organization assumes a "Low" Compliance and Legal risk by implementing Tandem Vendor Management.
    2) The Tandem software agreement addresses the vendor's compliance with applicable laws and regulations. Tandem does not use subcontractors and all data is stored within the United States.
    3) Considering this information, I believe the organization can follow standard vendor oversight procedures for Tandem Vendor Management.

In an official vendor risk assessment capacity, this process would be repeated for each of the risk categories, resulting in a simple, well-documented vendor risk assessment report, ready to share with management, the Board of Directors, or any individuals assessing your vendor management program.

Takeaway

A vendor risk assessment is a process to evaluate the risk that arises from the combination of vendor service and your organization's unique business requirements. Knowing how to conduct a risk assessment is a critical function of effective third party oversight, but like other aspects of vendor management, it may not always be as complicated as it seems. With the right tools and understanding, you can be confident in performing vendor risk assessments.