Vendor Risk Assessment: How Often is Often Enough?

The need to go beyond calendar-based assessments.

The frequency of vendor risk assessments is generally driven by the level of risk associated with the type of services the vendor provides. A good approach for companies to follow is the one taken by most financial institutions, which review critical/high-risk vendors annually. This approach adequately addresses the need for periodic assessments, but it may not be sufficient to address the need for “event-triggered” assessments.

The need for an assessment can also be triggered by events outside the scope of your relationship with the vendor. A merger, an acquisition, a change in management, or a data breach are all examples of “external” events that could trigger the need for an interim assessment of the vendor. At the very least, such events require some level of scrutiny and due diligence to determine whether they have an impact on the services the vendor provides.

Contract provisions that require vendors to proactively notify you when certain changes occur can help identify these events. Unfortunately, many contracts contain no provisions addressing these issues, or do not provide for timely notification of the event. It therefore becomes important to consider implementing your own monitoring program, so that you can identify and respond to changes in the vendor’s environment that could trigger the need for an additional assessment. The question then becomes: what type of monitoring should you consider to help you identify when these events occur?

There are several steps you can take, in addition to proactive notification requirements in your vendor contracts, to significantly increase your ability to identify “triggering events”:

  • Subscribe to a service that monitors geography-based events. Companies that provide these services track geopolitical and environmental/weather-related incidents, as well as incidents related to infrastructure failures.
  • Monitor news services for business announcements concerning these vendors.
  • Monitor changes in regulations that could affect your vendors or the services they provide.
  • Monitor social media, Internet sites, and discussion forums for comments related to your vendors or the services they provide.

Essentially, you should include your critical/high-risk vendors in the same monitoring you already perform for your own institution in these areas.

Make sure that your vendor risk assessment process includes the monitoring necessary to identify events involving your critical vendors, and that your vendor contracts include the right to conduct additional assessments based on those events. Doing so will help you avoid unexpected operational interruptions, unanticipated revenue loss, and potential damage to your reputation.

Santa Fe Group Consultant and Shared Assessments Program Director Brad Keller has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s tools and key partnerships. Follow Brad on Twitter at @SFGBrad.