Vendor risk management is becoming standard operating procedure across many organizations as client and/or regulatory pressure is increasing. A key to success is to simplify the security assessment process through iterations so it is sustainable. Taking a step back to understand your organization’s perspective before rushing to execute this requirement can go a long way.
1. Thoroughly research content options.
Before sitting down to develop an assessment, research some of the options that already exist. There are numerous organizations who develop agnostic and/or industry focused assessment content. While some of this content is pay per use or licensed for non-commercial use only, it can provide a baseline for the types of questions that should be asked at a minimum. If your risk management team is small or doesn’t have the extra time to develop an entirely custom assessment this approach can help you hit the ground running.
2. Assess yourself.
If you are using an assessment today, or your organization has settled on a standardized assessment to leverage, answer it yourself. Capture information around how long it took to complete, specific questions that were tricky to answer, and which risk areas seemed to lack coverage. Not only will this completed assessment come in handy for future questionnaires you may receive, it will give you a better understanding of what you view as an acceptable answer for each question.
3. Tailor your assessment and expand the conversation.
There are often debates of utilizing standardized assessments or developing custom assessments that are in line with your organization's policies and risk profiles. Adhering to any one framework is difficult – and adherence to overlapping frameworks is often necessary. Further, your enterprise likely has talented individuals with independent views on the greatest potential risks vendors may pose to your organization. Expand the conversation beyond just the team working on the assessment then add, edit, or remove questions based on the feedback received.
A risk management program must be developed in-house and unique to your firm. Executing these three steps before assessing a single vendor can help your organization create a more impactful risk management program. Never forget, Risk is contextual; it must be measured through the lens of each organizations’ risk tolerance. There will be overlap across companies and even industries, but aligning your vendors risk profiles to your own is imperative for long-term success of your vendor risk management program.