What is Vendor Risk Management?

An organisation’s relationship with its vendors comes with numerous risks. If you don’t pick the right partner, you could suffer data breaches, incur business disruption and face regulatory compliance problems.

These issues are more common than you might think. According to a Ponemon Institute report, between 2020 and 2022, half of organisations suffered a data breach caused by a third party.

To mitigate the risk, organisations must review vendors’ practices before working with them, and repeat those assessments on a regular basis. The process for doing this is known as VRM (vendor risk management).

The benefits of VRM

VRM helps organisations mitigate an array of threats. Your focus may well be on information security risks, in which the confidentiality, integrity and/or availability of information is compromised.

This is most likely to occur as a result of a cyber attack or human error, such as an employee improperly disposing of sensitive information.

However, there are other significant risks that VRM can help you identify. Compliance risk, which relates to events in which the vendor’s actions result in regulatory failure, is especially important if you are subject to the GDPR (General Data Protection Regulation).

Under the GDPR, data controllers can be held accountable for security incidents caused by third parties. As such, it’s essential that organisations have utmost confidence in their vendors’ compliance practices.

VRM also helps identify strategic risks, which arise when decisions about vendors are misaligned with the organisation's business objectives, so that those objectives fail as a result.

Organisations can also use VRM to address operational risks, which can occur when a vendor doesn’t implement appropriate measures to counteract disruptive incidents.

Likewise, VRM mitigates transactional risks, which are errors that have financial ramifications throughout the supply chain.

Securing the data supply chain is challenging. Under the GDPR, data controllers remain responsible for processing they outsource: they may only use processors that provide sufficient guarantees of compliance, and they can be held liable for damage caused by a processor's non-compliant processing.

Contracts and questionnaires, while valuable components of any due diligence process, are necessarily limited: a contract only defines what the vendor has agreed to do, and a questionnaire only records what the vendor says it does. Neither verifies what actually happens in practice.

That's why organisations must conduct GDPR audits to ensure that risks are adequately identified.

Read Third-Party GDPR Audits – Conducting due diligence to find out more. 

Creating a VRM programme

A VRM programme will help organisations identify and address risks quickly and effectively. You can implement a programme by following these five steps:

1. Develop governance documentation

The documents you need for your VRM programme will depend on the complexity of your organisation. As a starting point, you should have a policy outlining how your organisation will manage vendor risks.

2. Create a vendor-selection process

The most important part of VRM is selecting the right vendor. This begins by issuing an RFP (request for proposal) that states your security and compliance requirements, after which you can compare vendors' responses against those requirements rather than on price and functionality alone.

3. Establish contractual standards

You don't want to have to draft new contracts every time you work with a vendor, which is why contractual standards are often necessary.

The terms will probably need to be adjusted on a case-by-case basis, but having a template ensures that vendors appreciate the standards that must be met if they are to work with your organisation. Where the vendor processes personal data on your behalf, the template should also cover the terms the GDPR requires of a controller-processor contract, such as security measures, confidentiality, approval of sub-processors, breach notification, audit rights and deletion or return of data at the end of the contract.

4. Conduct periodic due diligence and ongoing monitoring

Organisations should continue to monitor vendors’ practices on a periodic basis. How often that occurs will depend on the level of risk.

High-risk vendors, such as those that process personal data or have access to your systems, should be re-evaluated at least annually, whereas those that present fewer risks should be subject to reviews once every few years. Treat these intervals as a baseline: a change in what the vendor does for you should prompt a review regardless of when the last one took place.

Remember that due diligence isn’t just about reviewing documentation. You must also look at significant changes in the way the vendor operates – whether that’s in its operations, the types of information it stores or the third parties it works with.

5. Establish a robust and comprehensive reporting process

Your VRM programme is only as effective as your ability to document and communicate your findings.

Take the time to ensure that reports are consistent and concise. They should include specific items, such as a high-level summary of your vendor portfolio, as well as a summary of the risk assessment and ongoing due diligence.

How to get started

If you're looking for more support managing vendor risks, DQM GRC is here to help. Our third-party risk management solutions provide essential guidance on identifying and addressing third-party weaknesses.

DQM GRC’s experts can help you with a range of VRM activities, as well as risk assessments, due diligence checks and support securing your supply chain.


  • Luke Irwin

    Luke Irwin is a former writer for DQM GRC. He has a master's degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.
