In order to get due diligence right, you must get vendor risk assessment right. Period.
Yet today, most organizations manage vendor relationships in an informal, ad hoc fashion, relying on the vendor to manage the relationship. In other words, risk assessments, a critical step in vetting vendors and other third parties, are often overlooked. This results in:
Without a system in place to actively manage and monitor vendor performance and communicate concerns, you will lose vendor alignment with your business objectives.
Opportunities are missed to save money with service bundle discounts, economies of scale, and new and improved vendor offerings.
Without clear points of contact and defined escalation paths, organizations may find it difficult to overcome barriers to using the service and/or to remedy poorly negotiated contracts.
According to a Vendor Risk Survey by InfoTech, the average business loses between $84,000 and $108,000 for every hour of IT system downtime.
Yet, 66% of organizations do not formally manage IT risk.
Every IT vendor carries risks that have business implications. Legal, financial, security, and operational risks can (and will) inhibit business continuity. The importance of vendor risk management goes beyond financial implications. You cannot wait until an issue arises to address it.
Of 450 investigated global data breaches, 63% were a vendor’s fault. And over 90% of organizations consider vendor risk to be highly important, but only 40% are satisfied with their approach to assessing and managing it.
The truth is this: you can outsource the task, but you can’t outsource the responsibility.
Vendor risk management must start with vendor selection. Your reputation is on the line, so you need to be confident in your vendors.
And to help you do just that, we’ve curated a vendor questionnaire.
1. Program governance
Do you have a governance framework in place to address vendor risk management?
2. Policies, standards, procedures
Do you have policies, standards, and procedures in place for vendor selection, onboarding, offboarding, and transition?
Are vendor contracts being managed appropriately based on risk, spend, and classification?
4. Skills and expertise
Is there a qualified vendor manager / team in place with oversight of process, security, and performance?
5. Communication and information sharing
Is there a centralized point of contact for vendor management that departments can contact for information relating to vendors?
6. Tools, measurement, and analysis
Are the costs and benefits for each risk response analyzed over multiple years?
7. Monitoring and review
Is there periodic monitoring scheduled for vendors? What aspects are covered in your organization’s periodic review of the vendor?
8. Vendor risk identification and analysis
Is there a structured due diligence process to ensure critical vendors and risks are not missed?
Making intelligent decisions about risks without knowing what their financial impact will be is difficult. Risk impact must be quantified. You don’t know what you don’t know, and what you don’t know can hurt you.
Make a conscious decision whether to accept the risk based on time, priority, and impact. Correctly identify and enact defined vendor management processes that determine spend categories. Appropriately evaluate potential and preferred suppliers.
Ensure you accurately assess the partnership potential.
Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s most significant risks before they happen.
To help identify what security protocols you should be implementing, check out our latest survey here: THE STATE OF CYBERSECURITY