5 Steps to Selecting a Vendor Risk Management Framework

By Michelle Wu

Posted on Jun 11, 2019

It’s often worth it to take on some risk when it comes to your third parties — third parties are an essential part of your business ecosystem. They’re your vendors, partners, and contractors. They improve efficiency, extend your reach, and make it possible to deliver the best possible products and services, but they also bring with them a significant amount of risk.

Misconfigurations of a third-party’s cloud can lead to supply chain data breach risks.  These common third-party risks can cost an organization — in reputation, legal fees, and lost revenue.

What are the data breach risks within the supply chain

Managing your supply chain becomes increasingly difficult as you add more Software-as-a-Service (SaaS) applications to streamline business operations.

The 2019 Data Breach Investigations Report found

  • “Hacking” caused 52% of data breaches
  • Social engineering caused 33% of data breaches
  • Denial of Service (DoS) attacks were the number one incident type
  • Web applications were the primary “hacking” attack vector

Ponemon’s 2018 Cost of a Data Breach report found

  • $13 per compromised record: increased cost of  breach arising from third-party actions
  • $8 per compromised record: cost savings from deploying an AI security platform

The data breach risks and costs often come from a control failure in the supply chain. According to Ponemon’s 2018 Data Risk in the Third-Party Ecosystem report:

  • 59%: respondents who experienced a data breach arising from =third party actions.
  • 61%: US companies who experienced a data breach arising from third party actions.

That risk can be managed, however. A solid third party risk management framework will help you understand the risk you take on with your third parties and limit your liability. Here’s what you need to know when choosing a risk management framework.

5 Steps to Selecting a Vendor Risk Management Framework


1. Review your compliance risk

Before you start the process of selecting a vendor risk management framework, you need to remember that it doesn’t matter if the fault is not your own. When a member of your extended ecosystem exposes you to risk, you are liable. Under most U.S. data protection laws, the data owner rather than the data holder is liable for breaches and exposure. The same is true under the General Data Protection Regulation (GDPR), which requires companies to track and protect the data they process, even if that data is being stored by a third party.

To minimize your liability, you must be able to prove you’ve done your due diligence. That’s where a risk management framework comes in.

2. Understand risk management frameworks

A third party risk management framework provides a set of benchmarks, policies and standards for an entire organization, including the extended enterprise. Such a framework focuses on the third parties and the activities which pose the greatest risks to an organization

Most frameworks require an organization to do the following:

  • Take inventory of an organization’s third parties
  • Catalog cyber security risks to which the third parties can expose the organization
  • Assess and segment third parties by risk
  • Focus on critical activities
  • Develop rule-based diligence testing to stay focused on the third parties with the highest risk
  • Establish a decision-making group to own governance
  • Review critical activities to set a benchmark for the third party risk management framework
  • Define three lines of defense including business owners, third party oversight, and an internal audit team

There are several risk management frameworks, however, making  it difficult to choose the right one.

3.  Know which frameworks apply to your organization

Not every risk management framework will work for every organization. Some frameworks are designed specifically for certain industries, while others are used in certain geographical areas. Many can be used together.

The two most widely used risk frameworks are the National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO). Meanwhile others, such as Control Objectives for Information and Related Technologies (COBIT), are often used in Europe. Some standards are used as the basis for regulations, such as the NIST 800-53, which is the foundation of many federally regulated cybersecurity requirements.

Knowing which frameworks apply to your organization depends on your industry as well as your size. Since most incorporate a risk-based approach, you need to review third-party risk, but you also may find that the requirements change based on your company’s unique needs.

4. Be prepared to use more than one framework

In some cases, it may make sense to use more than one risk management framework in tandem with another. If you’re using more than one framework, you’ll want to make sure the frameworks you use are mapped to one another, so they’re assessing the risks and implementing controls based on your organization needs without leaving any gaps in compliance.

The criteria you use for choosing your framework (or frameworks) will depend on your company’s specific needs. For example, if you are a healthcare organization, you need to meet the Healthcare Portability and Accountability Act (HIPAA) compliance requirements. However, if you accept payments, you also need to meet Payment Card Industry Data Security Standard (PCI DSS) requirements.  

When incorporating multiple third-party vendor risk management frameworks, you need to start with your business objectives to ensure that you choose based on the compliance requirements necessary to meeting these business goals. You’ll also want to consider the people to whom you’re accountable, such as shareholders, board members, or regulatory organizations.

5.  Manage third party risk intelligently

The way companies look at risk is changing. According to Deloitte’s 2018 extended enterprise risk management survey, organizations are increasingly using extended enterprise risk management to “exploit the upside of risk,” using their partnerships with third parties to enhance organizational effectiveness and brand confidence, while becoming more innovative and agile.

A good third party risk management framework protects an organization's clients, employees, intellectual property, and business operations. Implementing one is not about completely eliminating risk, but knowing where the highest risk is, and managing it appropriately.

How SecurityScorecard enables intelligent third-party risk mitigation

From developing questionnaires to collecting data, due diligence can be labor intensive. To minimize the amount of administrative time spent managing third party relationships, consider a tool that automates parts of the process.

SecurityScorecard’s Atlas uses machine learning and advanced artificial intelligence to streamline the third-party risk management process. Using our platform, organizations can upload  vendor responses to questionnaires. Our machine learning compares those answer to previous questionnaires and the platform’s analytics, verifying vendor responses almost immediately. Our easy-to-read security ratings, based on an A-F scale, enable you to provide your Board of Directors with the necessary documentation to prove governance over your vendor risk management program to meet the increasingly stringent cybersecurity compliance requirements.


Security Research in your Inbox

Thanks for siging up for the newsletter!

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!