The Components of a Vendor Management Process

There are likely several vendors you work with that help you manage various aspects of your business, such as an IT company, accounting firm, manufacturers, and more. Implementing a vendor management process can help you evaluate your vendors upfront to ensure they’ll be able to meet your business’s operational and security needs during normal business times and when they unexpectedly experience an interruption in the service they provide. A vendor management process can also strengthen your vendor relationships, help mitigate security risks, and standardize your processes for selection, onboarding, and performance evaluation.

Components of a vendor management process include:

  • Classifying your vendors and assigning a risk rating.
  • Creating a standard list of vendor questions.
  • Vetting each vendor prior to signing a contract with them.
  • Re-evaluating each vendor on a regular, ongoing basis.

Classify your vendors

The first step in creating a vendor management process is to identify who your vendors are and assign them a classification using a risk-based approach. Your vendor classification system will help you determine the amount of oversight each vendor may require based on the service they provide.

Here are a few sample classification indicators:

  • Business criticality: Is the vendor or service critical to your business to provide service to customers?
  • Data sensitivity: Will the vendor or service host your business’s sensitive or confidential data?
  • Regulatory impact: Will the vendor or service influence your business’s ability to meet regulatory requirements?

Using the indicators above, assign a suitable risk rating:

  • Critical risk: Critical to your business. Failure of this vendor could result in failure of your business or cause exceptionally grave damage to your revenue and reputation.
  • High risk: Vendors who have access to your sensitive data and that your business is highly dependent on operationally, including regulatory compliance.
  • Moderate risk: Vendors who have limited access to your sensitive data and/or the loss of service WOULD be disruptive to your business.
  • Minor risk: Vendors who do not have access to your sensitive data and the loss of service WOULD NOT be disruptive to your business.

Do your due diligence

The next step is to develop a set of due diligence questions. These questions are crucial both when onboarding new vendors and when reviewing existing ones. Systematic vendor reviews help ensure that your vendors maintain quality standards without introducing risk to your business and your customers.

Create a standard list of vendor questions

Here are a few questions you may want to consider.

  • Can you share your SOC reports?
    • SOC 1 – Focuses on the internal controls that could impact a company’s financial reporting. This is particularly relevant if the vendor’s service affects your financial statements, such as payroll processing.
    • SOC 2 – Outlines internal controls related to security, availability, processing integrity, confidentiality, and privacy. This report focuses on ensuring the vendor has the proper controls in place to protect your information. If a vendor does not perform a SOC 2 audit, requesting its Information Security Program document is a good alternative.
  • Are you subject to any regulatory requirements? Can you share recent regulatory audit reports?
  • Can we review your privacy statement? Can you describe your efforts to protect our privacy?
  • Can you send us proof of insurance, including cyber and other relevant insurance?
  • Can you send us documentation of your incident response, business continuity, and disaster recovery plans?
    • When evaluating the vendor’s documents, think about your recovery time objective (RTO), which is the maximum amount of time your business is comfortable with a system outage. If your RTO is 24 hours, determine if the affected system could be restored within that time.
    • You should also think about your recovery point objective (RPO), which is measured in time and indicates how much data you can afford to lose. If your RPO is 24 hours, it means your business has decided it can tolerate losing data up to that point in time.
  • Can you send us a recent financial report?
  • Do you have access controls such as MFA, SSO, and password requirements?
    • This information is often included in the SOC 2 report or the organization’s Information Security Program document, but asking for it separately may make it easier to reference.
  • Can you send us documentation of security assessment reports, including vulnerability and penetration testing reports?

Prioritize and adjust your questions to meet your business’s needs

Your list of questions and how often you review them with each vendor may vary depending on the way you’ve classified the vendor. For example, if you own an online-only boutique store, you may consider your e-commerce and online payment service vendors as critical vendors, which means you might review these questions with them more often and have a lower tolerance for answers that aren’t satisfactory.

In general, it may be helpful to review your critical vendors at least annually or more often if you discover aspects during the review that may call for more frequent evaluation. This could include:

  • Lawsuits or negative publicity against the vendor.
  • Vendor recently suffered a security breach.
  • Lowered agency ratings such as BBB, Moody’s, etc.
  • Unstable financial standing.

Organized, in-depth vetting and management of your vendors can help you make informed choices, build stronger relationships with your vendors, and put your business in a good position to keep risks in check.

Posted: 09/25/2024
