Vendor Risk Management – Where to Start

Vendor management gets a lot of attention these days, but have you considered the risk associated with your vendors? When was the last time you conducted a vendor-related risk assessment? Is vendor risk management (VRM) even a part of your Business Continuity Program?

All organizations are interconnected. This is especially clear for large organizations with considerable numbers of vendors, particularly those with multiple locations or global operations, but even a small businesses with only local suppliers should consider the vendor-related risks to their organizations.

Definition of a critical vendor:

• Any vendor/supplier whose missed commitments might cause the organization to be unable to achieve a stakeholder’s mission.
• Any vendor/supplier crucial to recovering from a crisis event.
  • Key vendors may not be critical for day-to-day operations, but their criticality may increase during crisis events.

Let’s look at the why of Vendor Risk Management:

1. You have vendors that your organization relies on to function. A vendor may be a supplier of critical goods or services, such as a grocery chain product vendor, or the SaaS provider that runs critical applications.
2. Your vendors are dependent on other critical vendors to provide services or goods.
3. The goods or services provided by critical vendors may not be readily available or easily obtainable by another vendor in your required time period.
4. You may be subject to regulatory requirements, such as FFIEC Appendix J.
5. Your customers may require it.

Here is a checklist of items to consider related to Vendor Risk Management:

1. Understand the criticality and impacts of your business functions. Your vendor impact cannot be completely understood unless you know the criticality of the business processes that are dependent on those vendors.
2. Inventory and prioritize your vendors. You may be surprised how many vendors you have. Understand what goods or services they provide, and how the loss of those can impact your operations.
3. Know who your critical vendors are. For example, you may have a critical SaaS provider that is running on IaaS servers and storage. Are they using a best of breed company or a start-up?
4. Understand each critical vendor’s business continuity strategy. Have you tested it? What components have you tested and verified?
5. Understand how vendors will be able or willing to increase support to you during a crisis event.
6. Review and understand the terms of the contract. What is the actual remediation for missed SLAs or commitments? Often it is only a refund, with no consideration of other costs – which could be substantial.

Some challenges that may arise:

1. Vendors may not be willing to share information related to their business continuity strategy.
2. Actual vendor criticality is often difficult to determine.
3. Vendor percecption of your organization’s importance. Your vendor may be critical to you, but you may not critical to them.
4. Lack of perceived need within your organization; relying on contract terms without verification.

Your BC and DR plans may be functional and effective, but if you vendors cannot support your organization as expected, all those preparations may not be enough. Even basic assessment and remediation efforts related to critical vendor risk can go a long way to providing functional recovery of critical goods and services similar to your own BC/DR efforts.