Having a third-party risk assessment process is critical to vetting and monitoring the risks posed by vendors and other third parties. The process is ongoing so that you can identify changes in your risk exposure arising from the relationship over time.
A comprehensive risk assessment ensures the vendor provides all the required information, together with supporting evidence and explanations, so that you have a clear picture of the inherent risk posed by each supplier to your business and operations. This information allows you to perform risk-based due diligence on the vendor's policies, processes, procedures and controls, arrive at a residual risk rating, and decide whether the vendor falls within your risk appetite.
Getting the third-party risk assessment process right is key to getting the due diligence right. We have put together 7 best practices below to help you successfully assess and manage your third-party vendor risks:
Risk identification and alignment – When creating the assessment, be clear on the risks you are aiming to assess, and align your third-party vendor risk assessment directly with the risks being managed through your vendor risk management program. The questionnaire should cover all your key risks: strategy, operations, regulations, information, financial, reputation and so on.
Relationship ownership – Depending on the hierarchy and size of your organization, the vendor relationship should be owned by the people who negotiate the contract and interact with the vendor on a daily basis. For small and medium enterprises that may not have a separate procurement function, this might be the individual within the business requesting the service or product. These primary owners initiate the risk management process and provide the vendor contact and intake information as the first step.
Centralized coordinated efficiency – Bringing together disparate stakeholders from various departments and ensuring a consistent approach to risk management should be done centrally. The Vendor Risk Management Office (VRMO), or some appropriately authorized person(s), coordinates all parties and can provide independent, timely, quality risk assessment. Leaving this process to relationship owners results in some stakeholders being missed and things being overlooked in the haste to onboard a vendor. The VRMO can also help ensure nothing is missed by reviewing draft contracts before the deal is signed.
Experts and stakeholders – The person(s) looking for a vendor will often be focused purely on obtaining the product or service as quickly as possible and will not have expertise in the enterprise risk implications of onboarding a vendor. Bringing in key stakeholders and Subject Matter Experts (SMEs) when relevant is important; this is a function the VRMO can facilitate.
Your vendor's vendors – In addition to knowing your vendors, it is key that you know your vendor's vendors and how critical their role is in your vendor's ability to deliver its product or service. Third-party risk management extends beyond your third parties, and it is important that you perform appropriate due diligence on these fourth parties.
Automation is key – Performing third-party risk assessments manually is inefficient, time consuming and fraught with risk. Using Excel and Word leads to data degradation, loss of data integrity and duplication. Data is also exposed because access cannot be controlled. A vendor management solution solves these issues and allows the team to focus on managing the risks the solution identifies. No organization has an excuse not to use automation, as there are several good, affordable solutions available in the market today. Learn in detail about the best-practice framework for third-party risk management automation.
Repetitive process – Once the vendor has been successfully vetted and onboarded, it will need to be monitored on an ongoing basis, with the frequency of follow-ups depending on its criticality. Contract renewals, SLAs, and changes in regulations and internal policies also need monitoring. A well-defined, repeatable third-party risk assessment process makes this effort immensely easier, especially with the aid of a good vendor management solution.
If your organization is considering implementing a vendor or third-party risk management solution, we invite you to explore the Maclear GRC Suite™ by visiting https://www.maclearglobal.com. Our comprehensive range of solutions is designed using best practices, with built-in integration to reduce risk, improve performance, and enable strategic decision-making.
To learn more, request a demo, discuss a free-trial proof of value, or simply start a conversation, send an email to firstname.lastname@example.org.