How To Assess The Risk Profile Of Vendors?


Introduction

I am writing this post in the middle of a pandemic, when employees are working from home and organizations have been forced to hire third-party vendors for a myriad of jobs, ranging from print services to purchasing software that enables remote login for employees. This happened so quickly that not many companies had the time or capacity to take a risk-based approach.

Irrespective of what kind of product a vendor provides, you always want to assess the risk profile of both the vendor organization and the product you are using or will be using. Why is it important? You need to know what the impact to your business would be if something were to happen to the vendor tomorrow and you could no longer use the product or service, whether for a few hours, a few days or permanently. How dependent is your business operation going to be on the vendor's business operation? If you don't know the risks, you are inviting a lot of trouble that you could easily avoid by assessing the risk beforehand. If you know the inherent risks, you can create a backup plan in case the primary measure fails, or decide not to do business with the vendor at all. Some residual risk will usually remain even after the mitigating factors are applied, and that is normal. The line of business then needs to decide whether it is willing to accept that risk. Residual risk is usually minimal, and knowing it is a much better state to be in than not knowing about any risks at all. You create options for the smooth operation of your business activity, which is a big responsibility your organization has placed in your hands.

What factors must be considered?

The short answer is that there are a lot of factors, and it depends on what kind of client organization you are representing. Risks are different for different types of organizations.

Questions to ask yourself:

  1. How large is my organization?
  2. How many employees do I have?
  3. Where are my offices located worldwide?
  4. Where are my employees located worldwide?
  5. Would we be sharing customer data? If yes, which data elements and how much volume?
  6. Is the vendor product going to affect a small portion of my business, or would it be enterprise-wide?
  7. Are we outsourcing a critical business activity that has very low appetite for downtime?
  8. Is my organization in a heavily regulated industry, e.g. banking or telecom?
  9. Are there regulatory requirements that I need to meet?
  10. Most importantly, why are we outsourcing? Why can we not do this activity in-house?
  11. What is my break-even point if we do it in-house?
  12. Is the vendor required due to an audit finding or a regulatory requirement?
  13. What is the financial impact if the service goes down?
  14. What is the reputational impact if the service goes down?
  15. Is this my core business to do what the vendor is doing?

Questions to ask Vendors

  1. What type of solution are you offering? Is it a service, software, hardware or something else?
  2. Is there a cloud solution involved? If yes, is it a private, public or hybrid cloud?
  3. What kind of system data would the vendor have access to? Confidential, Critical, Restricted, Internal, Public? In what volumes?
  4. What kind of customer data would the vendor have access to? Do they have access to PII? Do they have access to data of European, UK, APAC or US customers? Are they compliant with the respective countries' privacy laws, such as PIPEDA, GDPR, HIPAA or COPPA?
  5. What kind of employee data would they have access to? Ask the same compliance questions.
  6. Where is the data going to be stored? 
  7. How would the data be transferred between the two organizations? Is it over a secure connection, FTP, or a private leased line?
  8. Where is their data center located?
  9. Where is their DR site located? Is it in the same seismic zone, in the same region but different zones, or in different regions and different zones? What are the RTO and RPO?
  10. What is the committed SLA? Is it 99%, 99.9% or 99.99%? Each additional 9 requires a significant additional investment in the vendor's infrastructure.
  11. How much time and money investment would it take to replace the vendor if needed?
  12. Have they conducted business ethically in the past? This is in itself a very large subject that could include any type of unethical behavior, such as bribery, tax evasion, manipulating accounts, money laundering, and so on.
  13. Is the vendor going to have a direct impact on your financial statements? e.g. Auditors
  14. Would they have physical access to your technology assets?
  15. Is the vendor using a cloud solution, e.g. private, public or hybrid? Where is the data hosted? Is it with public cloud providers such as Amazon or Azure?

You then need to decide which factors are more important than others for your organization and assign scores accordingly. Based on the ratings, define what counts as a high-risk vendor, a medium-risk vendor and a low-risk vendor. There is no one right way to do the scoring; you have to consider which of these factors would work in your organization's favor and which could hurt it.
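As an added example (not from the original post), here is a small weighted scoring model in Python that turns answers to the questions above into an inherent risk score, applies the mitigating controls mentioned in the introduction to get a residual score, and maps both to High/Medium/Low tiers. The factor names, weights, 0-3 scales, tier thresholds and the sample vendor are assumptions for illustration; every organization has to choose its own.

```python
# Weighted vendor risk scoring: inherent score -> mitigations -> residual tier.
# Factor names, weights, 0-3 scales and tier thresholds are illustrative
# assumptions for this example; pick your own to match your risk appetite.
FACTOR_WEIGHTS = {
    "data_classification": 3,  # 0 Public ... 3 Restricted
    "customer_pii": 3,         # 0 none ... 3 regulated PII across jurisdictions
    "business_criticality": 3, # 0 one small unit ... 3 enterprise-wide, low downtime appetite
    "regulated_industry": 2,   # 0 unregulated ... 3 heavily regulated (banks, telecom)
    "dr_separation": 2,        # 0 different regions ... 3 same seismic zone or no DR
    "replacement_cost": 2,     # 0 trivial to replace ... 3 months of effort and spend
    "transfer_channel": 2,     # 0 private line or TLS ... 3 plain FTP
    "physical_access": 1,      # 0 none ... 3 unsupervised access to core assets
}
HIGH, MEDIUM = 0.65, 0.35  # share of the maximum score that defines each tier

def inherent_score(answers: dict) -> float:
    """Normalized inherent risk in [0, 1]; unknown factors count as worst case."""
    for name, value in answers.items():
        if name not in FACTOR_WEIGHTS:
            raise KeyError(f"unknown factor: {name}")
        if not 0 <= value <= 3:
            raise ValueError(f"{name} must be scored 0..3, got {value}")
    # Unanswered questions are scored 3: not knowing a risk is not the same as low risk.
    raw = sum(w * answers.get(n, 3) for n, w in FACTOR_WEIGHTS.items())
    return raw / (3 * sum(FACTOR_WEIGHTS.values()))

def residual_score(inherent: float, mitigations: dict) -> float:
    """Reduce inherent risk by the fractional credit granted to each mitigating control."""
    credit = min(sum(mitigations.values()), 1.0)
    return inherent * (1.0 - credit)

def tier(score: float) -> str:
    return "High" if score >= HIGH else "Medium" if score >= MEDIUM else "Low"

def assess(answers: dict, mitigations: dict) -> dict:
    inh = inherent_score(answers)
    res = residual_score(inh, mitigations)
    return {"inherent": round(inh, 2), "inherent_tier": tier(inh),
            "residual": round(res, 2), "residual_tier": tier(res)}

# Constructed sample: enterprise-wide remote-login SaaS for a bank, data moved over FTP,
# DR site in the same seismic zone as the primary data center.
SAMPLE_ANSWERS = {"data_classification": 2, "customer_pii": 1, "business_criticality": 3,
                  "regulated_industry": 3, "dr_separation": 3, "replacement_cost": 2,
                  "transfer_channel": 3, "physical_access": 0}
# Constructed mitigations and the credit (0..1) the line of business grants each.
SAMPLE_MITIGATIONS = {"encrypted_transfer_required_by_contract": 0.2,
                      "backup_vendor_on_standby": 0.2}
if __name__ == "__main__":
    print(assess(SAMPLE_ANSWERS, SAMPLE_MITIGATIONS))  # inherent High, residual Medium
```

The sample vendor lands in the High tier on inherent risk and drops to Medium once the two mitigations are credited; the residual Medium is what the line of business has to decide whether to accept.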

Organizations that already had a mature Third Party Risk Management program were able to navigate the pressures of the pandemic with ease. If you are starting the journey now, it's never too late to begin building a risk-based approach to vendor relationships.

Summary

Taking a risk-based approach puts enough armor in your hands: you'd have far more knowledge about the vendor, their products, your own risk appetite and the risk-mitigating factors, and you'd be able to take on only the risks you are ready to accept. Ask questions about the vendor's product, the vendor's operations, whether they are capable of doing the job, the associated legal risks, and what you are putting at risk if the vendor doesn't perform the job well. Everyone loves a Disney ending, but in real life we all know it comes with planning.

I'd love to hear your comments below. As usual, if you like my content, please subscribe and visit my blog frequently. If you love my content, consider donating for my knowledge and time :)

2 Comments

  1. 1) Should also ask what type of audits do they adhere to? SOC 1 (type 1 or type 2) and/or SOC 2 (type?).

    2) Identify and disclose the P1 and P2 INC in the last 6 months and what was the SLA time to resolve.

    3) Identify and disclose the data retention and destruction policy

    4) Provide references of customers that are similar to yours.

  2. Thank you, stranger, for your comments. Those are important too, I agree.