Starting Your Vendor Risk Management Strategy From Scratch

Where Do You Start and What Do You Do

You’ve heard that vendor dependencies are ripe for malicious abuse and you have read the stories where vendors were used to exploiting and infiltrating their customers. Now, you’ve been put in charge of ensuring your vendors, third parties, contractors, and supply chains are at least as secure as you are: Welcome to Vendor Risk Management (VRM).

First, recognize that VRM is all about reducing overall risk to your organization, and in particular, cybersecurity risks since much of how we interface with vendors is via digital interactions. Second, recognize that it’s going to take a system to do it. VRM isn’t a process that scales well-using paper and verbal interviews.

Here are the other steps and phases along the way:

Get Executive Management Support

Make sure you have executive management sponsorship. VRM programs will take time, people, and money. You likely have executive support if you are already exploring how to do a VRM program; but if not, it is essential that senior management is on board supporting the program and for the expenses involved. A VRM system can easily lead to a situation where someone’s existing or newly selected favorite vendor is being denied access to interoperate with your systems or data. Denials to move forward can strain relationships and bring emotions into the mix. You need solid management support so that if, or when, the tough decisions need to be made, everyone understands the reason for the VRM program in the first place. You want everyone on your team pulling in the same direction—pulling for the vendor to remediate their critical issue instead of blaming you for interrupting an existing or new process. Everyone always claims they are on board until someone can’t get what they want to meet their own project deadlines. You will need the backing of senior leadership to assist in these instances.

Don’t do it alone.