How To Rank and Prioritize Your Vendors For Effective Vendor Risk Management
Your vendors are more than just service providers. They’re partners in delivering a strong customer experience. Yet they also expose you to risk.
Here’s the thing: compliance can be expensive, but non-compliance can break your business. Since 2009, regulators in the U.S. and Europe have imposed $342 billion in fines on businesses that fail to meet compliance standards. And yet, 40% of businesses don’t perform annual risk assessments.
To remain competitive, you need to be one of the 60% of businesses that runs annual risk assessments. A key part of the process is ranking and prioritizing vendors. Here’s why it’s essential and how to do it right.
Why You Need to Risk Rank Vendors
Even though we refer to vendors as if it’s a blanket term, not all vendors are created equal. The reality is that some vendors are more critical than others, and some expose you to more risk. It’s not just because of risky behavior, either–any vendor that’s deeply involved in your essential business practices introduces more risk.
You still need to manage risks for all of them, of course. The problem is that you only have limited hours in the day. This is where vendor ranking becomes essential. It allows you to focus your vendor risk management efforts in a way that generates the best returns for the effort.
Types of Vendors
The first step? Stop referring to vendors as a blanket categorization. Before you ever consider ranking vendors, you need to group them into categories. This will ensure you’re not ranking by comparing apples to oranges. This is especially important if you’re a large business with multiple vendors providing related services.
The most effective way to do this is by organizing vendors based on the service they provide. For example:
Service providers / Consultants
If you have a group of vendors that don’t fit into one of those categories, or if you discover you’re lumping a highly diverse group under “service providers” (lawyers and paper shredders, for example) you can further split vendors based on their skills, such as legal advising or customer service representatives.
If you’re a relatively small company without a large vendor inventory (i.e. you use one vendor for one service and call it even) then you should categorize vendors based on their level of access.
This is where criticality categorization starts to come into play. If you’re a large business, you’ll group vendors by service type and then subcategorize based on access. If you’re a small business, you’ll categorize based on access right off the bat.
The simplest way to do this is by using criticality levels. For example, you might have something like this:
Level 1: Critical (core service providers)
Level 2: Significant (vendors who play an important role but only have intermittent information access)
Level 3: Non-Essential (vendors without any access to data)
You can be even more specific with levels if you’d like. Just make sure you have a clear boundary line between levels so everyone who ranks will rank vendors based on the same objective yardstick rather than a subjective guess.
How to Risk Rank Vendors
Once you’ve gotten that far (and collected all the information for your risk assessment) you’re ready to rank your vendors. At this stage, you’ve already done a lot of heavy lifting just by categorizing your vendors. Trust us–it might not feel that big, but it is.
At this stage, you’re ready to assess vendors individually rather than in groups. Here’s an example workflow that your team can try.
Yes, you’re going to assess criticality twice, even if you’ve already applied a basic criticality assessment. Remember, your earlier assessment was a blanket assessment of how much access the vendor has. This is when you get into the weeds.
When assessing criticality at this level, you’ll need to ask a series of questions, such as:
How much data can the vendor access?
What kind of data can they access?
How frequently do they access it?
Do they have persistent access across the network, or is it localized?
How critical would that data be if it were compromised?
What is the vendor used for?
How central is that function to your operations? (i.e. could you operate if they vanished tomorrow)
Critical vendors are those with a lot of access, frequent access, broad access across the network, access to critical data, or any combination thereof. Not all vendors meet these criteria. You want to focus on those who are highly critical first, then moderately critical.
Once you’ve identified a vendor’s criticality level, you have to assess the vendor itself. Or rather, their security posture.
First, you have to assess their security measures for thoroughness. The vendor should have already provided this information as part of the risk assessment, preferably using a standard, data-driven set of security metrics.
Second, you have to assess how well the vendor deals with problems when they arise. Look at the number and severity of security issues they’ve had in the past (hint: you want few and mild).
At this point, based on the combination of criticality, security practices, and performance, you can weigh the risk for a given vendor. A critical vendor should have strong performance on security. This should be expressed in a number, not an opinion, so make sure you have a standard scoring rubric ready to go.
Keep in mind that you should already have standardized rules about what your organization qualifies as acceptable risk. That’s the metric you’ll use to assess whether a vendor’s risk outweighs their benefits.
Take Charge of Your Vendor Relationships
If you successfully complete this process, identify vendors that give you the best benefit, and continue to apply your risk management best practices, you’ll have a successful vendor relationship.
The trick is making sure you apply third-party risk management consistently. That’s where we come in. We make it easy for businesses to ask the right vendor the right question at the right time–without dedicating a full-time job to it.
So if you’re ready to tackle vendor risk management the right way, get in touch today to learn how we can help.