Anatomy of a Risky Vendor – 7 Signs You Shouldn’t Ignore
Assess your vendors, monitor for changes and pursue mutual transparency, advises Ryan Mayika from OneTrust, otherwise you burden your business with unnecessary risk
For an organization to grow and maintain its focus, it must turn to the help of others for various services. But how can you identify which vendors are going to help and which will hurt? Assessments and audits provide the answers but first you need to know what questions to ask.
We invited Ryan Mayika, a third-party risk solutions engineer at OneTrust, for a discussion on assessing vendor risk, the red flags to look out for and how to maintain transparency and trust with vendors already in your network.
Can the Vendor Demonstrate Business Resilience?
In addition to the typical information gathered during a standardized information gathering (SIG) questionnaire, organizations are increasingly concerned with vendor business resilience, how it can be measured and how it is reported.
Mayika defines business resilience as, “The ability an organization has to quickly adapt to disruptions and maintain continuous business operations, while safeguarding people, assets, and overall brand equity.”
A vendor demonstrates business resilience in order to reassure prospective and current clients that they will be able to smooth over any bumps in their operations and provide a reliable continuity of service.
When questioning or auditing a vendor, said vendor should be able to demonstrate plans for how they would respond to significant business disruptions: natural disasters; geopolitical instability; price hikes; transportation failures; data breaches and – as we have seen in recent times – health crises.
While not all businesses can possibly account for all eventualities, a vendor who demonstrates a robust, documented and accountable “plan for the worst and hope for the best” approach to their operations puts their clients at far less risk than one that is laying the tracks in front of the train.
Are the Vendor’s Data Transfers Up-to-Date with Current Laws and Regulations?
Does the Vendor Utilize a Transparent Assessment Sharing Platform?
Shared vendor risk assessments – such as Vendorpedia from OneTrust – provide a platform where vendors can share assessments with all users of the platform.
Instead of having to constantly receive and send out assessments, vendors can simply direct prospective or current clients to their page where the most recent assessments are available on easy-to-read, standardized presentations.
The vendor can then quickly respond to any gaps that a particular client may need filled or look at how similar vendors are approaching their assessments. The transparency enabled by Vendorpedia and similar platforms makes it easy to find reputable vendors, access the information required and eliminate any bad actors.
Is the Vendor the Right Fit for Your Risk Categories?
Before establishing whether a vendor is appropriate for your risk categories, you must first establish what your risk categories are and in what order you rank their importance.
“It’s important to start looking at risk very differently,” says Mayika, “not just looking at privacy and security but also strategic risk, financial and operational, and regulatory and compliance.”
Mayika emphasized the need for flexible tools that allow an organization to assess their own risks, write questionnaires to establish the vendor’s approach to these risks and then share this information internally and externally with a consistent scoring methodology. “Have a range of different ways that you define and address specific risks,” Mayika advises. “What methodology are you using? What’s the probability and impact for your organization? Do certain risks need to be weighted differently based on the answers that you receive back from the vendor?”
Are You Aware of all Third Parties Linked to the Vendor?
Due diligence when assessing a vendor does not just apply to that vendor; it also applies to the vendors that they use, and so on throughout the entire chain that an organization relies upon for its services.
Third parties (or fourth, or fifth) are a common blind spot when assessing the risk of a vendor supply chain. Organizations must seek full visibility of a vendor’s network so that they are aware of who has their data, why they have it and what risks are potentially elevated. All of this must be set down in a contract.
Within this network, there should be reporting and notification procedures so that all linked parties are aware of any incidents that take place or risks that might affect them. Should any new parties be added to the network, all existing parties must be informed.
Are the Vendors Responsive (and Have You Made it Easy for Them)?
While organizations have a responsibility to request large volumes of information from their vendors, they should also bear in mind that such information gathering and reporting is time and resource-intensive.
Organizations can make this process easier for vendors by providing third-party tools from recognized sources, utilizing online portals where vendor assessments can be uploaded and shared, and by making any questionnaire materials easy to download in the expected formats.
By making assessments, audits and the associated communications as easy as possible for the vendor, any excuse for poor responsiveness is removed. If all tools are provided for the vendor to respond swiftly and they do not, consider it a red flag and look elsewhere.
Can They Agree to a Process for Keeping Assessments and Contracts Up-to-Date?
A reputable vendor will agree to regular and ongoing monitoring of any agreement between them and their clients.
“You want to continually update details,” says Mayika. “Do you still have the same contract? Have the risks changed based on something they haven’t renewed, like certification? Are you starting to process more sensitive data with them? Are you keeping track of the certificates they said they had two years ago? Have those been updated?”
There should be a process in place to ensure such questions are asked and answered via formal assessments and constantly updated records. If the vendor is reliable, this will not be a source of tension, as they should be regularly updating and sharing all relevant information without having to be chased for it.
As a final note, Mayika encourages organizations to have a collaborative, transparent relationship with their vendors and vice versa: “There’s no way to be 100% immune to hacks and breaches. But I think the most important thing is having very clear transparency with the vendors that you use,” says Mayika. “Have a playbook in place that says, if [an incident] happened, these would be the expectations from us as a business and this is what you should expect from us in regard to responding to it.”