
Risky Business – Vendor Risk Management (VRM)

What is VRM and why is it important?

Businesses are becoming more dependent on vendors. A vendor is a third-party business that provides products or services to other businesses. Working with a vendor comes with real advantages, such as getting help from subject matter experts (SMEs) without having to hire full-time employees internally. This saves the business cost, reduces the time it takes to complete tasks, and shares the responsibilities and risks associated with the tasks performed and the service provided by the vendor. While those advantages will make your life easier and help you stretch resources in a cost-effective way, there are also disadvantages that you need to consider before you start working with a vendor, whether that vendor is a small business or a well-known one.

The Other Side of Shared Responsibility

Sharing responsibilities means that you lose some control over how vendors perform their work and over the result of that work, which can expose you to security, financial, compliance, and reputational risk. How can a vendor bring that kind of risk to your business? Ultimately, you are responsible for the people you task to perform work on your behalf, because they are acting as an extension of your team. For example, outsourced work may involve the vendor processing sensitive data that belongs to your business or your clients. You have no innate visibility into how securely that data is handled and managed by the vendor, or how secure their environments truly are. That is why Vendor Risk Management (VRM) is important and necessary for any business that outsources work to vendors, regardless of the vendor's product, service, location, company size, or industry. There are many factors and steps involved in VRM, but simply put, it is a way to understand and strategically manage the risks that vendors bring.

Managing risks within your own business environment takes a lot of work. Since vendors are essentially extensions of your team, you will want to view them that way. So, when your business has statutory requirements, contractual requirements, and industry-specific regulatory requirements it is obligated to comply with, you will want to extend those requirements to your vendors to confirm that their policies and practices will not put you in harm's way. Additionally, there are security best practices to implement to ensure that your business's valuable assets, reputation, and relationships with clients are protected appropriately, and those apply to your vendors too. You need a way to verify that they are doing everything they can to avoid becoming the avenue for a supply chain attack that would compromise your good standing.

Where do I start?

Prior to handing over tasks to a vendor, you need to analyze which requirements the vendor already has to comply with on their own that could help satisfy your organization's obligations, what the vendor is doing right, and what gaps need to be addressed. A number of different validation methods can be used to learn this. There is no one-size-fits-all method for VRM. Depending on the vendor's industry, location, and the services they provide, they may be subject to requirements such as HIPAA, PCI DSS, ISO 27001, NIST CSF, NERC CIP, SOC 2, GDPR, and CCPA. To demonstrate that they understand those requirements, they may provide certifications or audit reports from an accredited auditor, a report of a risk assessment performed by a third-party security firm, an internal security audit report with evidence of the improvements they have made, and their information security policies, procedures, and standards. Read such evidence carefully: a SOC 2 Type I report only describes controls at a point in time, whereas a Type II report tests whether they operated effectively over a period, and a certificate tells you about the audited scope, which may not include the systems or teams that will handle your data. Ultimately, you want to ensure that the vendor not only understands what is required of them, but is also doing everything required to become compliant, remain compliant, and continuously improve their security.

What if I Discover Issues?

Most of the time, you are going to find something that makes you a little uneasy. That is when you need to be able to categorize the risk, decide whether it is acceptable, and define a compensating control if it is not. In these cases, it may be a good idea to work with a third-party cybersecurity firm that provides compliance services. They can help you perform risk assessments of your vendors, develop information security policies and procedures, and, even better, establish and run a vendor management program for you that covers not only the initial assessments but also continuous management, so your business can focus on being your business.

TRUE provides managed Governance, Risk, and Compliance (GRC) services and helps businesses across the country with their compliance requirements and vendor management. Give us a call to discuss how we can help your business manage your vendors and their risks.
