Vendor Risk Management II: How to Carry Out Vendor Risk Management

Vendor Risk Management (VRM) is the part of vendor management that identifies, analyses, monitors, evaluates, and mitigates the risks that third-party vendors pose to an organisation. Those risks can affect cybersecurity, regulatory compliance, business continuity, and the organisation's image and reputation. VRM involves due diligence before a contract is signed and a risk assessment for each contractor, vendor, supplier, and service provider that partners with the company.

Because a lapse in a vendor's information security or data privacy can jeopardise the business that relies on it, many enterprises have institutionalised vendor risk management programmes to reduce the chance of an incident originating with a vendor and to limit its impact when one does occur.

For companies that wish to build vendor risk management into their operations, the steps below will be helpful.

  1. List all vendors your organisation works with. Prioritise them by how important their service is to your company, the kind of service they render, and how much access each has to your systems and data (the greater the access, the greater the potential security impact). This lets you direct your internal resources where they matter most and tackle the high and critical risks first.

  2. Document the vendor selection process and criteria, the details held on each vendor, and the audit reports produced by every review.

  3. Ensure each vendor operates a security framework that aligns with your organisation's requirements, and ask for evidence rather than assurances (for example, an independent audit report or certification such as a SOC 2 report or ISO 27001 certificate).

  4. With the help of your legal team, prepare a contract that details the business relationship between your organisation and the vendor, including the security, breach notification, and audit obligations you expect the vendor to meet.

  5. Conduct periodic reviews and audits of the clauses in the contract and confirm that they are being met. These reviews confirm that the vendor still meets the regulatory standards for your industry and give both parties the opportunity to renegotiate clauses that have become outdated or unfavourable.

  6. Collect fourth-party vendor details and assess your vendor's policies for managing its own vendors. Do not just assess your vendor; also evaluate your vendor's vendors, because a failure on their side can cascade through your vendor to your company.

  7. Document the risks identified in the process and the proposed mitigation plan for each, so that accepted risks are tracked, mitigations can be verified, and the same issues are not rediscovered at the next review.

  8. Educate employees about the importance of the process and ensure there is a clear line of escalation for any red flags.
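The prioritisation in step 1 and the review cadence in step 5 are easier to apply consistently when they are driven by a simple inherent-risk score rather than by judgement calls made vendor by vendor. The script below is an added example, not part of the original article or of any particular VRM product: it tiers a vendor inventory by the classification of data the vendor handles, whether it has network access into your environment, whether it is business-critical, and how many fourth parties it relies on, then assigns a review interval per tier. The vendor records are constructed samples, and the weights, thresholds, and review intervals are assumptions to be tuned to your own risk appetite.

```python
"""Inherent-risk tiering for a vendor inventory.

Added example for this article, not code from the original page.
Weights, tier thresholds, review cadences and the sample vendors below are
assumptions for illustration; replace them with your own risk appetite.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed weighting of the most sensitive data classification the vendor handles.
DATA_WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}

# Assumed review interval (months) per tier; critical vendors are reviewed most often.
REVIEW_CADENCE_MONTHS = {"critical": 6, "high": 12, "medium": 24, "low": 36}


@dataclass
class Vendor:
    name: str
    service: str
    data_classification: str            # key of DATA_WEIGHT
    network_access: bool                # vendor has connectivity into your environment
    business_critical: bool             # an outage stops a core product or service
    fourth_parties: list[str] = field(default_factory=list)  # vendor's own vendors


def inherent_risk_score(vendor: Vendor) -> int:
    """Score the risk a vendor carries before any controls are considered."""
    score = DATA_WEIGHT[vendor.data_classification]
    if vendor.network_access:
        score += 3        # assumed: a foothold in your network outweighs most data exposure
    if vendor.business_critical:
        score += 2        # assumed: availability impact on your own service delivery
    # Each fourth party widens the blast radius; cap the contribution so that a long
    # subprocessor list does not dominate the score on its own.
    score += min(len(vendor.fourth_parties), 2)
    return score


def tier(score: int) -> str:
    """Map a score to a tier using assumed thresholds."""
    if score >= 8:
        return "critical"
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def prioritise(vendors: list[Vendor]) -> list[dict]:
    """Return vendors ordered highest risk first, with tier and review cadence."""
    scored = sorted(vendors, key=lambda v: (-inherent_risk_score(v), v.name))
    result = []
    for v in scored:
        s = inherent_risk_score(v)
        t = tier(s)
        result.append({
            "vendor": v.name,
            "service": v.service,
            "score": s,
            "tier": t,
            "review_every_months": REVIEW_CADENCE_MONTHS[t],
        })
    return result


# Constructed sample inventory (hypothetical vendors, not real companies).
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS", "payroll processing", "restricted", False, True,
           fourth_parties=["cloud hosting provider", "email relay"]),
    Vendor("Office Cleaning Co", "facilities", "public", False, False),
    Vendor("Managed Firewall MSP", "network security operations", "confidential", True, True),
    Vendor("Marketing Analytics", "web analytics", "internal", False, False,
           fourth_parties=["advertising network"]),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_VENDORS):
        print(f"{row['tier']:>8}  score={row['score']:<2}  review every "
              f"{row['review_every_months']:>2} months  {row['vendor']}")
```

Running it lists the payroll provider and the managed firewall provider as critical, the analytics vendor as medium, and the cleaning company as low, which is the order in which step 1 says the assessments should be worked. Because the inputs are a handful of yes/no and classification fields, the same record can be filled in from the onboarding questionnaire and rescored at every periodic review.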

Risk Management Questions to Ask Your Vendors Before They Are Onboarded

Give a vendor risk management questionnaire to every potential vendor your firm is considering. The questionnaire should be detailed enough to draw out all the essential information you need from the vendor, and the answers should be backed by evidence wherever possible. A selection of crucial questions to include is as follows:

  • Is there a disaster recovery strategy in place? If yes, how often do you test it, and when was it last exercised? This tells you how well prepared they are for a disruption and how capable they are of recovering from one.

  • Do you have a security policy and skilled resources to manage security within your organisation?

  • How do you ensure your security guidelines are followed throughout the organisation?

  • Do you have a cybersecurity policy, and have you assessed your own compliance with it, or had it assessed independently? Request the result of the assessment so that you can verify the answer rather than rely on it.

  • Are there monitoring tools for the network and software used within your organisation? Please share which tools are used and what they cover.

  • Which of your employees have access to the sensitive data you hold on our behalf, how is that access granted and reviewed, and can staff install or use software without approval?

  • What is your breach notification policy? Within what timeframe do you notify customers, and do you notify only the customer whose data has been breached or all customers?

  • Do you work with other vendors in delivering this service? Can you provide a list of these vendors? This lets you investigate those vendors to ascertain their credibility and legality.

Many organisations rely on external vendors for critical services, products, or components. However, any disruption or failure in the vendor's operation can directly impact the organisation's ability to deliver its products or services. SARA PROCUREMENT SERVICE IS THAT CREDIBLE VENDOR THAT YOUR ORGANISATION NEEDS.  

Visit our physical office space at 3 Fatai Irawo Street, Ajao Estate, Airport Road, Lagos, Nigeria, or any of our warehouse touch point locations worldwide to learn more about us and utilise our services. 

Our 24/7 email correspondence is 

We are equally social, and you can find us @SaraProcure on your favourite channels: Twitter, Threads, Facebook, and Instagram.
