Learning Center June 12, 2018

How to Conduct a Vendor Risk Assessment [5 Step Checklist]

Organizations conduct due diligence into the third-party ecosystem, but to truly protect themselves, they must perform regular vendor risk assessments to ensure vendors are properly managed and monitored over time.

Not only do organizations audit their vendors, but standards and regulations increasingly require even more of company vendor management programs. Organizations need efficient vendor risk management audit processes that feature assessments that allow for complete and secure third-party vendor management.

Most organizations rely on third-party vendors, suppliers, and partners to support their operations and enhance their capabilities. However, with this collaboration comes the need to assess and manage third-party risks. Third-party risk assessment is a critical process that helps organizations evaluate the potential risks associated with engaging external entities, ensuring business continuity, data security, compliance, and overall operational resilience.

Threats move fast. We move faster.

What Is Vendor Risk Assessment?

A vendor risk assessment is the process of identifying and evaluating any potential risks that stem from a vendor’s operations. This assessment identifies hidden risks that otherwise may have been overlooked during M&A or vendor onboarding. More broadly, third-party risk assessment is a systematic evaluation of the potential risks and vulnerabilities introduced into an organization’s operations, systems, and processes through its interactions with external parties. These external parties expand beyond key vendors and can include suppliers, contractors, service providers, and other external parties.

The types of vendor risks and vulnerabilities include those related to compliance, reputation, finances, operations, and strategy, as well as an organization’s cybersecurity. Performing a vendor risk assessment is a part of the due diligence process and ensures that your business doesn’t begin to work with a vendor that could potentially harm or have a negative impact on business operations.

When to Perform a Vendor Risk Assessment

An organization should not engage with a third-party vendor until they have performed a vendor risk assessment. Once an assessment has been conducted and the vendor is approved, then the third-party can be deemed safe to work with. A business should then perform regular risk assessments on an ongoing basis and make checks when red flags occur. Regular assessments help to maintain business standards and provide visibility into vendor security. In our opinion, the more frequent, the better.

How to Conduct a Vendor Risk Assessment and Audit in 5 Steps

Here are the steps your business should follow when conducting a vendor risk assessment and auditing vendor risks. Use this as a checklist to ensure you’ve covered all of your bases.

Step 1: Assess vendor risks

The first step in the assessment process involves identifying all third parties that have access to the organization’s systems, data, or processes. This includes suppliers, vendors, contractors, cloud service providers, and any other external entities.

Internal audit managers know that in order to assess a vendor’s risk, they must perform a vendor management audit. Successful audits begin by establishing an audit trail. The operating model, or living documents that guide the process, includes vendor categorization and concentration based on a risk assessment that uses an approved methodology. Next, organizations must supply vendor report reviews providing ongoing governance throughout the vendor lifecycle.

Additionally, businesses should evaluate the different risks associated with third-party vendors within their audit.

Identify Types of Vendor Risk

__ Cybersecurity Risks

__ Operational Risks

__ Compliance Risks

__ Reputational Risks

__ Environmental, Social, and Governance (ESG) Risks

__ Financial Risks

__ Strategic Risks

Step 2: Create vendor risk assessment framework

Before reviewing third-party vendors or establishing an operating model, companies need to create a vendor risk assessment framework and methodology for categorizing their business partners. In the end, your organization should have clear criteria for vendor tiering.

This process includes aligning business objectives with vendor services and articulating the underlying logic to senior management and the Board of Directors. When auditors review risk assessments, they need documentation proving the evaluative process as well as Board oversight.

For example, organizations choosing a software vendor for their quality management system need to establish risk tolerances. As part of the risk assessment methodology, the auditor will review the vendor categorization and concentration.

Risk Assessment Qualitative Documentation

__ Vendors are categorized by service type

__ Access needed to internal data

__ Nature of data categorized by risk (client confidential, private data, corporate financial, identifiers, passwords)

__ Data and information security expectations

Risk Assessment Quantitative Documentation

__ Financial solvency baselines

__ Contract size

__ Beneficial owners of third-party’s business

__ Location of headquarters

__ IT Security Ratings

Step 3: Manage the vendor lifecycle

Traditionally, vendor lifecycle management incorporates five primary categories: qualifying, engagement, managing delivery, managing finances, and relationship termination. However, as data breach risk increases, companies need to include reviewing information security as a sixth category in the life cycle. Due diligence during the qualification step incorporates information security management. However, threats evolve continuously meaning that organizations need to review information security over the entire lifecycle, not just at a single point.

Before documenting activities, companies need to plan their supplier relationship management process from start to finish. As regards the audit, companies need to ensure that their supplier relationship management policies, procedures, and processes address each step in the lifecycle.


__ Process for obtaining and determining cybersecurity insurance, bonding, and business license documentation

__ Benchmarks for reviewing financial records and analyzing financial stability

__ Review process for staff training and licensing

__ Benchmarks for evaluating IT assets


__ Contracts include a statement of work, delivery date, payment schedule, and information security requirements

Information Security Management

__ Baseline identity access management within the vendor organization

__ Baseline privileged access management for the vendor

Managing Delivery

__ Scheduling deliverables

__ Scheduling receivables.

__ Organization defines stakeholders responsible for working with the vendor

__ Establishing physical access requirements

__ Defining system access requirements

Managing Finances

__ Establish invoice schedule

__ Establish payment mechanism

Terminating Relationship

__ Revoking physical access

__ Revoking system access

__ Definitions of causes for contract/relationship termination