Risk Assessments | Effective Vendor Risk Management
Vendor risk management (VRM) is the process for contracting with and managing vendors that provide goods or services, identifying and periodically re-evaluating the potential business and regulatory risks that could result from outsourcing to these vendors, implementing processes and controls to minimize the identified risks, and monitoring vendor compliance with contracts and agreements.
What Does Effective Vendor Risk Management Look Like?
A robust, effective vendor risk management program for risk assessments should include the best practices listed below.
- Document vendor risk management policy and procedures that include the criteria and standards for vetting and managing vendors, and implement processes and controls to manage vendors and mitigate vendor risks.
- Establish board of directors’ and C-suite responsibility and oversight of the vendor risk management program, including review and approval of the vendor risk management policy and procedures. This review should be performed, at a minimum, on an annual basis and when there are changes in legislation, regulatory requirements, industry practices and accounting standards that impact the business.
- Implement a contract management program in which vendor contracts and agreements (e.g. Service Level Agreements and Business Associate Agreements) are centrally managed. Contracts and agreements should include the requirements and duties of all contracted parties and should be reviewed and updated at the time of renewal.
- Create and maintain a current list of vendors and categorize each vendor based on an evaluation of both its business risk profile (critical or non-critical to operations) and its regulatory risk profile (high, medium, or low).
- Implement a system of risk assessments that re-evaluates the risk associated with each vendor according to its risk profile.
- Establish due diligence procedures, based on the product or service provided by the vendor and associated risk profile, for monitoring and testing compliance with contracts and agreements and ensuring risk-mitigating controls are working appropriately.