Trends in Third-Party and Vendor Risk Management

Jul 2, 2018

Trends We’ve Seen

Over the past 4 years, Security Risk Advisors has been helping define, create, and manage Third Party/Vendor Risk Management Programs for clients across the financial, healthcare, and security industries. In that time, we have observed several trends that plague organizations when it comes to organizing and publishing a Third-Party/Vendor Risk Management (TP/VRM) Program.


Trend 1: Struggle to Achieve Repeatability

One of the challenges for organizations is creating a repeatable process for determining inherent risk, assessing vendors, and monitoring vendor relationships throughout their lifecycle. This is typically the result of a newly introduced TP/VRM process, or of vendors not being properly managed because of poor vendor record keeping.


Trend 2: Lack of Ownership

These issues also relate to a secondary trend when developing TP/VRM Programs: a lack of defined ownership for TP/VRM processes. Without an executive stakeholder overseeing the program, escalation of low-level issues becomes tedious and leads to endless requests to third parties. Poor ownership can also lead to further issues, such as relying on non-compliant third parties for critical business processes, which may expose your organization to additional risk.

With these potential pitfalls in mind, SRA has developed new functionalities to better handle the TP/VRM lifecycle, including creating vendor risk profiles, developing notification workflows, and conducting vendor risk assessments. SRA has assisted clients in implementing a methodology to move organizations from a manual, decentralized process to an automated, scalable process. Through the use of GRC tools (e.g., RSA Archer, Prevalent, ServiceNow) and industry-recognized questionnaires (e.g., SIG 7), SRA has also built custom applications that provide dashboards, executive metrics, and assessment progress reports. A robust TP/VRM program is pivotal to categorize, assess, and monitor risks over the entire third-party/vendor lifecycle. As automation increases through advanced workflows, workloads are reduced for end users while reporting functions are centralized.


TP/VRM Methodology

Through developing multiple TP/VRM programs, SRA has created a robust methodology that can be used both to mitigate risks associated with third parties/vendors and to increase the efficiency of an existing program. The methodology has four primary components: Vendor / Risk Profiling, Assessment Planning and Execution, Assessment Reporting, and Continuous Monitoring.




Each methodology phase, and what it means:

Vendor / Risk Profiling Process

A vendor risk profile is a quantitative evaluation of an organization's risk based on defined criteria. Risk profiles are derived from a set of standardized questionnaires that tier vendors by risk level; the quantitative score is translated into a qualitative risk rating based on thresholds (for example: Low, Medium, or High).

Assessment Planning and Execution

Vendor assessments are performed to validate that security controls are in place at an organization. Assessment execution should include the following at a minimum:

  • Standardized information security questionnaire

  • On-site interviews with IT and security stakeholders

  • Review of security documentation (e.g., policies, procedures)

Assessment Reporting

Assessment Reports are the culmination of the results throughout the Vendor Risk Assessment process. Reports should include gaps associated with the completed vendor questionnaire, corrective action plans, results from on-site interviews, and the review of technical scans and/or security documentation.

Continuous Monitoring

Ongoing monitoring of vendor/third-party relationships is important when dealing with compliance and/or legal requirements. Improved operational and security efficiency benefits of continuous monitoring include:

  • Improved identification of issues and proactive planning

  • Continuous visibility of issues that drives improved risk prioritization and response to issues

  • Leveraging of common control providers

Current security frameworks often require a process to manage and oversee third parties/vendors on a regular basis. Implementing a defined TP/VRM process such as Security Risk Advisors' methodology enables an organization to more effectively manage external risks while simultaneously meeting compliance requirements and providing valuable insight to senior leadership.
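As an added example of the profiling phase (not SRA's code and not any GRC tool's API), the following Python scores constructed questionnaire answers against weighted criteria and maps the normalised score to a Low/Medium/High tier by thresholds; the criteria, weights, answer scale and thresholds are all assumed values, and an incomplete questionnaire is rejected rather than silently tiered Low.

```python
# Added example: quantitative vendor risk profile -> qualitative tier.
# Criteria, weights, answer scale and thresholds are all assumed values,
# not SRA's or any GRC tool's; a real program defines its own.
from dataclasses import dataclass

MAX_ANSWER = 3  # each questionnaire answer is scored 0 (none) .. 3 (highest)
CRITERIA = {    # criterion -> weight
    "data_sensitivity": 3,      # 0 public data .. 3 regulated data (PHI/PCI)
    "system_access": 2,         # 0 no access .. 3 privileged access
    "business_criticality": 3,  # 0 ancillary .. 3 critical business process
    "subcontracting": 1,        # 0 none .. 3 heavy reliance on fourth parties
}
# Lowest normalised score (0-100) that reaches each tier, highest first.
TIERS = [(70, "High"), (40, "Medium"), (0, "Low")]


@dataclass(frozen=True)
class RiskProfile:
    vendor: str
    score: int   # normalised 0-100
    tier: str    # Low / Medium / High


def score_vendor(vendor: str, answers: dict) -> RiskProfile:
    """Weighted sum of questionnaire answers, normalised to 0-100 and tiered."""
    missing = sorted(set(CRITERIA) - set(answers))
    if missing:  # an incomplete questionnaire must not silently tier Low
        raise ValueError(f"{vendor}: unanswered criteria {missing}")
    total = 0
    for criterion, weight in CRITERIA.items():
        value = answers[criterion]
        if not 0 <= value <= MAX_ANSWER:
            raise ValueError(f"{vendor}: {criterion}={value} outside 0..{MAX_ANSWER}")
        total += weight * value
    score = round(100 * total / (MAX_ANSWER * sum(CRITERIA.values())))
    tier = next(name for floor, name in TIERS if score >= floor)
    return RiskProfile(vendor, score, tier)


# Constructed questionnaire responses for three fictional vendors.
RESPONSES = {
    "Payroll SaaS":    {"data_sensitivity": 3, "system_access": 2, "business_criticality": 3, "subcontracting": 1},
    "Web analytics":   {"data_sensitivity": 2, "system_access": 1, "business_criticality": 1, "subcontracting": 2},
    "Office catering": {"data_sensitivity": 0, "system_access": 0, "business_criticality": 1, "subcontracting": 0},
}


def profile_all(responses: dict) -> dict:
    """Profile every vendor; returns {vendor: RiskProfile}."""
    return {v: score_vendor(v, a) for v, a in responses.items()}


if __name__ == "__main__":
    for p in profile_all(RESPONSES).values():
        print(f"{p.vendor:16} score={p.score:3d} tier={p.tier}")
```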

    For more information on how Security Risk Advisors can assist in TP/VRM program development or execution, contact us at