Acuity Risk Management

Guarding your organization against vendor risk: A systematic approach 


Security breaches through third parties have become increasingly common, as hackers seek vulnerable entry points to an enterprise’s information. In fact, in a recent report cited in Security, more than half of the companies surveyed reported data breaches caused by third parties. Yet many organisations need to rely on vendors to create the innovative products and services critical to success in today’s marketplace.

It’s one thing to guard against risks in your corporate operations and infrastructure. It’s another to protect yourself from risks emanating from your vendors. What do you do? Hope you can trust your partners to stay safe? That’s a nice sentiment, but not really a satisfactory answer in 2021 or the years to come. 

Luckily, there is a methodology that can go a long way to managing the risks you run with your vendors. Here’s how: 

Start with quantifying the financial losses a vendor poses 

It’s best to express your vendor risk in financial terms: not as low, medium or high, but as an actual amount. You want a clear picture of both where the losses might arise and what would cause them. For example: 

  • A cloud-based payments processor might trigger losses from a data breach involving personal data, fraudulent transactions, etc. 
  • A contractor maintaining cash ATMs could cause losses if its employees tamper with the machines, steal cash, etc. 

Both could represent significant financial exposures, but the risk each actually poses depends on how well that organisation is controlling it. For the cloud-based payments processor, the risk lies primarily in its IT defences. For the ATM contractor, it lies primarily with its employees. Each will address those risks differently: the payments processor with security-focused applications and processes, the ATM contractor with screening and checks of its employees.

Either way, using these vendors requires a thorough understanding of how they manage the inherent dangers of their business activity. You need to know: 

  • The controls they have in place to address these potential loss scenarios, and evidence that those controls are effective  
  • Details of any loss events where such a scenario has actually played out, specifically incidents affecting the vendor itself or its customers

Gathering more objective assessments of your vendors: ISO 27001’s value 

Of course, a certain amount of this information requires you to rely on the vendor’s word. While that’s a reasonable starting point, ideally you want more objective evidence that they are doing what they claim to be doing in terms of controls. If they handle matters involving security, for example, you might ask them to share the results from their own threat-intelligence tools.  

A great way for vendors to prove themselves trustworthy is to show an ISO certification that covers the services they are offering. Attaining ISO certification involves passing a rigorous set of tests, including a site visit by the assessors, to verify compliance with the standards for a given activity. Please note: the certification should cover the specific services or products you are contracting for, not just be a general certification of adherence to the standards for a broader category of risk protection. 

Of course, you can’t expect all your vendors to attain an ISO 27001 certification. Your caterer might represent a risk by serving bad food or spilling wine on your guest of honour, but they’re hardly prepared to go through the process required to attain the ISO certification. Nonetheless, you have other ways of checking on third parties. The caterer may have been subject to prior legal actions, reprimands from the health department or overwhelmingly critical online reviews. (Who knows? They may be serial wine spillers!) 

Assemble all the information and assess vendor risk 

With all this data collected, you can estimate the probability of loss from the vendor over a given time period and compare it to your risk tolerance for that activity. You can also aggregate data from all the vendors and do the same. Either way, you want to ensure that individually or collectively, they’re not exceeding your tolerance level. 

This is a relatively straightforward exercise for smaller organisations, but once your company has grown, you’ll need to do these assessments efficiently and systematically. This involves: 

  • Centralizing the data on a platform like STREAM, capturing the information gathered in vendor questionnaires, data feeds (e.g. security ratings tools), etc. 
  • Automating the risk processes with actions such as auto-prompting loss scenarios for different categories of vendors, auto-mapping loss scenarios to controls, auto-triggering workflows, auto-capturing and linking data, and auto-updating changes
  • Quantifying the risk using analytics such as Monte Carlo analysis to auto-assess and aggregate it and compare it to the company’s tolerance 
  • Reporting the vendors, or combinations of vendors, that exceed tolerances, raising actions and monitoring progress 
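As an added illustration of the quantification step described above (example code written for this page, not code from the article or from the STREAM platform), the Python script below runs a Monte Carlo simulation of annual losses for two constructed vendors, aggregates them, and flags any exposure above a tolerance. The scenarios, event rates, loss sizes and the 500,000 tolerance are all assumed sample values, and the Poisson/log-normal loss model is one common choice, not the article's prescribed method.

```python
# Added example (not Acuity's STREAM platform or its code): Monte Carlo estimate
# of annual vendor loss exposure compared against a risk tolerance.
import math
import random
from dataclasses import dataclass

@dataclass
class LossScenario:
    name: str
    events_per_year: float        # inherent annual frequency before controls
    control_effectiveness: float  # 0 = no control, 1 = fully mitigated
    severity_median: float        # median loss per event, in currency units
    severity_sigma: float         # log-normal spread per event (0 = fixed loss)
def poisson(rate, rng):
    """Poisson event count via Knuth's inversion method (fine for small rates)."""
    limit, count, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1
def annual_loss(scenarios, rng):
    """One simulated year of losses across a vendor's loss scenarios."""
    total = 0.0
    for s in scenarios:
        residual_rate = s.events_per_year * (1.0 - s.control_effectiveness)
        for _ in range(poisson(residual_rate, rng)):
            total += s.severity_median * rng.lognormvariate(0.0, s.severity_sigma)
    return total
def percentile(samples, q):
    ordered = sorted(samples)
    return ordered[max(0, math.ceil(q * len(ordered)) - 1)] if ordered else 0.0
def assess_vendors(vendors, tolerance, years=10000, q=0.95, seed=1):
    """Map each vendor (and the aggregate of all vendors) to its q-th percentile
    annual loss, and list the entries whose exposure exceeds `tolerance`."""
    rng = random.Random(seed)
    per_vendor = {n: [annual_loss(s, rng) for _ in range(years)] for n, s in vendors.items()}
    exposure = {n: percentile(v, q) for n, v in per_vendor.items()}
    exposure["ALL VENDORS"] = percentile([sum(y) for y in zip(*per_vendor.values())], q)
    return exposure, [n for n, x in exposure.items() if x > tolerance]
# Constructed sample data mirroring the article's two vendor types (not real figures).
SAMPLE_VENDORS = {
    "payments processor": [LossScenario("personal data breach", 0.2, 0.5, 250_000, 1.0),
                           LossScenario("fraudulent transactions", 2.0, 0.7, 20_000, 0.8)],
    "ATM contractor": [LossScenario("employee tampering", 0.5, 0.6, 50_000, 0.6)],
}

if __name__ == "__main__":
    exposure, over = assess_vendors(SAMPLE_VENDORS, tolerance=500_000)
    print({k: round(v) for k, v in exposure.items()}, "over tolerance:", over)
```

Because every year's aggregate loss is the sum of the vendors' losses that year, the aggregate percentile is never below any single vendor's, which is why the article stresses checking tolerance both individually and collectively.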

That’s a lot to understand if you’re just beginning to explore vendor risk. But our experts have been consulting with organisations of all sizes for many years on keeping vendors within their tolerance. Get in touch and we can discuss your vendor issues and how STREAM can help. 

Interested in a more in-depth exploration of vendor risk management? Join our webinar with the Institute of Risk Management this Thursday, 30 September, at 2pm BST. Register here