Resources
WolfPAC > Resources > Vendor Risk Assessments: Do I Really Need to Assess ALL of These Vendors?
Back to Resources

Vendor Risk Assessments: Do I Really Need to Assess ALL of These Vendors?


Vendor risk assessments are a crucial component of any organization’s risk management program. They’re also one of the most daunting if not approached strategically. How many vendors does your organization have? If the answer is “I’m not sure, the number is always rising” or “too many to count,” you’re not alone! Some organizations have hundreds of vendors.

How well you manage these relationships can make or break your business. But where do you start?

Each one of your vendors brings a unique mix of benefits and risks to the table. Unfortunately, this can make the prospect of conducting a risk assessment for each of them feel overwhelming. You might worry that you don’t have all the resources you need to tackle this.

Here’s the good news: You probably don’t, and that’s OK! But how do you know which vendors warrant a detailed risk assessment? These three tips will get you moving in the right direction.

3 Tips for Better Vendor Risk Assessments:

Tip #1: ID Your High-Risk Vendors

All vendors aren’t the same. For example, look at your gardener and your core provider. Each one delivers a distinct set of services. They also pose a drastically different level of inherent risk to your organization. But unfortunately, the differences aren’t always so apparent.

Want to determine whether a vendor is “high-risk”? Ask yourself the following questions about each of your 3rd party relationships:

  • Are they a new vendor for your organization?
  • Do they:
    • Have a material financial impact on your organization?
    • Perform a critical function?
    • Store, access, or send sensitive customer information?
    • Market financial products or services?
    • Perform subprime lending or card payment transactions?
    • Increase risk to earnings or capital?

Answering “yes” to any of the above questions should trigger an alarm to assess the vendor in question. Your gardener? They don’t fit the bill. So, while they should be on a centralized list of vendors, they don’t require an assessment – least of all, every year!

Tip #2: Assess Your Riskiest Relationships First

Tighten up your scope as you’re figuring out where to start with your vendor risk assessments. Focus on your highest-risk vendors first. These relationships could do the most damage if something goes wrong.

Starting here is the best way to protect your reputation and your bottom line. Then, as you complete your high-risk vendors, move on to your medium-risk providers.

Tip #3: Be Realistic with Your Monitoring & Assessment Frequency

Resource allocation is the key to a successful vendor management program. As a result, you need to deploy resources where they’re needed most, and inherent risk is the best way to gauge your needs. Your vendor risk rating will help you determine how often monitoring activities should be:

  • Completed,
  • Checked, and
  • Assessed.

The higher the risk rating associated with a vendor, the more often you’ll want to check in on them to ensure that they’re following through with their contractual obligations.

Remember, as your needs change, so does the nature of the vendor relationship and its potential impact on your security.

  • Expect to conduct vendor risk assessments for  your high-risk relationships annually,
  • Low-risk providers usually don’t need to be revisited for 2-3 years.

Do you have more questions about third-party risk? Contact us to chat.

Related Reading: