Are your low-risk vendors really low risk?

With over half of overall enterprise risks coming from a vendor portfolio, it's no wonder that vendor risk management is entering the spotlight in corporate board rooms.

With data breaches, ransomware attacks and supply chain disruptions now the norm, there is an increased interest in finding those high-risk vendors in the portfolio quickly and accurately. By risk-ranking your portfolio, you can focus scarce resources on the vendors that have access to your sensitive data, support critical business services or are more likely to cause reputational risk.

The traditional approach to risk assessment

The experts will recommend that you compile a list of all enterprise vendors, identify the vendor managers across the enterprise and have them perform inherent risk assessments for the vendor services provided. That assessment will involve applying a risk ranking based on your risk policy and using that ranking to determine a risk assessment and set ongoing monitoring criteria according to your risk appetite.

It sounds like a good approach, but unfortunately, more often than not, this strategy doesn't work. The process can either take too long, give you a false sense of security or point you in the wrong direction. A typical portfolio distribution may classify more than 70% of vendors as low risk. But how confident are you that the right vendors are included in that 70%?

Why traditional methods don't work

To understand the challenge of assessing vendor risk and identifying low-risk vendors using traditional methods, let's examine the typical process step by step.

Let's start with the first step: assembling the vendor list. It sounds straightforward, but in practice, where do you actually go to get the list? Accounts Payable is a great place to start, but you'll soon discover all kinds of missing vendors, such as software contracts that were in place before Source2Pay was implemented or indirect business arrangements coordinated through fourth-party relationships via resellers.

Once you track all those missing vendor contacts and add them to your vendor list, the next challenge is to identify all the contacts within the enterprise who are responsible for each vendor service. Each point of contact needs to understand and take responsibility for appropriately managing vendor relationships and applying inherent risk assessment to evaluate how their particular service is being used.

In practice, these points of contacts—if you're able to find the right ones—are already busy with the day-to-day requirements of the job and unlikely to welcome the request to accurately fill out yet another burdensome questionnaire.

These are just a few of the potential pitfalls that can reduce the effectiveness of the process. Gathering accurate and complete information in a timely way requires a culture change and the establishment of a strong central function and a robust TPRM platform. That takes considerable time and significant funding—a combination that's hard to get support for at the leadership level. As a result, the directive is often: "Just get it done faster and cheaper," which results in low-risk vendor lists that are of subpar quality and full of misclassifications and false negatives.

Even if you manage to accurately classify the low-risk vendors in your portfolio, it's often impractical to assess these vendors across the key dimensions of financial, regulatory, information security and business continuity risk. Most TPRM programs struggle to assess vendors in higher-risk tiers, and as a result, the re-assessment of low-risk vendors continues to get pushed back year over year. Given the combination of inaccuracies in the list and the lack of resources required to assess the entire vendor portfolio, a significant systemic risk is introduced into the overall supply chain across many industries.

For many of those industries, it's a regulatory requirement to ensure that all vendor engagements are assessed using a risk-based approach—not just those that are high risk. The sheer volume of vendors to be assessed and monitored in a typical vendor portfolio, coupled with the large disparity between the level of risk each vendor represents, can result in a significant weakness in the risk posture. Failure to appropriately assess and monitor the risk for these vendors that often have access to your sensitive data, support your critical business service, and talk to your customers can easily result in a situation where your firm ends up on the front page of the Wall Street Journal—not a fun experience.

A better way to assess vendor risk

Unfortunately, there are no shortcuts when it comes to setting up an effective vendor risk management program and correctly aligning vendor lists according to regulatory requirements and corporate risk appetite. To achieve the goal, TPRM leaders need to communicate clearly and honestly with leadership to ensure they understand what it takes to lift the risk posture of the vendor portfolio.

That said, there are emerging ways to conduct a vendor risk portfolio assessment that can improve on the traditional approach by accelerating the delivery, improving the quality of the outcome and providing a more holistic view of vendor risk. The new approach can quickly and cost-effectively add numerous risk dimensions to every vendor, highlight potential areas of concern and provide a solid risk assessment approach for vendors that qualify as low risk.

While there is no substitute for reviewing the inherent risk of each vendor engagement individually, a great starting point is to understand risk dimensions across the following data points:

• Financial health ratings according to multiple financial health rating providers
• Outside-in cyber security ratings and potential weaknesses across information found in the public-facing security perimeter or on the dark web
• The relative likelihood of a data breach according to back-tested statistical models that use publicly available information
• Fourth parties that may also be high risk
• Location risk across key dimensions of political, operational or environmental risk
• Negative news that may point to important gaps in risk posture

Once an initial determination is made based on an overall aggregated review and risk hot spots are determined, the next step is to develop a deeper, fit-for-purpose assessment for those vendors that are confirmed to be a higher level of risk and require further review.

Finally, be aware that point-in-time control assessments are no longer sufficient, and need to be supplemented by continuous monitoring across many of the points outlined below to deliver a significant uplift to the enterprise risk posture.