By Jared Ezzell
Any time you’re outsourcing work to vendors or suppliers, you’re exposing your business to risk. Even the largest, most secure companies fall victim to data breaches or security threats, no matter how reliable they are or how strong your relationship is with them.
As a business, it’s important to be aware of the types of vendor risks you may be exposed to and learn how to manage them effectively based on your company’s risk appetite.
In this article, we’ll go through how you can establish a vendor risk management program within your procurement team and what types of risk from third-party vendors you should be looking out for, so you can protect your business continuity and profits.
9 Types of Common Vendor Risks
Third-party risk management (TPRM), also called vendor risk management (VRM), involves assessing vendors’ risk levels for several risk categories and formulating appropriate responses.
Here are the types of risk you should be aware of:
1. ESG Risk
Environmental, social and governance (ESG) risks can result in regulatory compliance issues as well as reputational ones.
When you work with a global supply chain, it’s important to be aware of how ESG risks vary from one place to another, as not all countries have the same standards.
Keep in mind that the U.S. Securities and Exchange Commission (SEC) plans to require public companies to disclose GHG emissions and climate risk, including energy consumed by the company. That’s why it’s a good idea to understand your vendor’s ESG strategies and monitor their ongoing compliance with SEC ESG regulations.
2. Strategic Risk
Strategic risk happens when the vendor's actions or strategies pose a risk to your business objectives. An example of this could be a decision by the vendor to merge with another company in a riskier country. In this case, you will need to conduct due diligence checks on the merging company. If it poses too much risk, you may need to look at other vendor options.
3. Reputational Risk
Damage to your reputation can occur when you work with vendors with questionable media coverage, a history of bribery or fraud or sanctions. If you’re associated with a vendor with a bad reputation, it may affect yours as well.
Beyond initial onboarding, reputational risk can be mitigated by continuous monitoring — regular follow-up risk assessments as you learn more about a vendor. For instance, if a vendor is investigated for fraud, you could decide the reputational risk is too high to continue the business relationship. For example, Ultra Electronics Forensic Technology was prosecuted in Canada for bribery. The reputations of those doing business with them could be vulnerable.
4. Legal and Compliance Risk
This risk category relates to questions like whether the vendor adheres to regulatory or compliance requirements or if they have the right insurance or certifications to protect against legal proceedings. If a vendor has liability coverage gaps or legal issues, your company can be at risk.
For example, if you use a vendor software company that collects your customers’ information, but they don’t comply with GDPR (General Data Protection Regulation) and/or CCPA (California Consumer Privacy Act) regulations, this could put your customers' personal data at risk.
5. Environmental Risk
Environmental factors include incidents or activities that could affect your supply chain. For instance, you may use a supplier that operates in a country that commonly experiences natural disasters (e.g., hurricanes). You could mitigate such risk by multi-sourcing and bringing on other suppliers from different areas of the world so that your supply chain stays resilient.
6. Political Risk
Similarly, if you use vendors located in countries that have some political instability or are known for corruption, this could affect your business. Often, political instability can affect the local currency or result in unpredictable local taxes and regulations. You might need to closely monitor the political situation in your vendor's jurisdiction to see if it’ll affect you.
For example, since the invasion of Ukraine, the U.S. government (and others) has imposed sector sanctions on Russian and Belarusian individuals and companies, meaning U.S. companies can’t work with them or companies they own.
7. Operational Risk
Operational risks come from the vendors' internal systems and procedures. Examples of operational risk include not monitoring equipment or software or not training their employees to a high standard. This can put your finances and security at risk in return for a subpar end result.
It’s often difficult to mitigate operational risk since you can’t control what goes on in another company. However, you can gauge it by assessing vendor performance. If they fail to produce on time or deliver poor-quality products or services, their internal processes may not be up to your standards.
You can ask questions about suppliers’ internal policies or standards and compare them with your expectations. For example, the supplier may have a health and safety standards policy document which outlines how equipment should be used and what type of training is required in order to use it.
8. Financial Risk
This risk category can directly affect your bottom line overnight. If the supplier is in a financially unstable position, they may not be able to provide you with what you need, leaving you with incomplete projects and delayed or canceled orders. Not only do you have to spend resources replacing them, but the vendor may have trouble reimbursing you. Depending on the country the vendor operates in, you may be able to leverage data partners to view company financials to verify if they have sufficient capital.
9. Cybersecurity Risk
Cybersecurity risk includes vulnerabilities to cyberattacks and data security breaches. This could happen if the vendor uses weak or outdated policies or software. Too much cyber risk can leave sensitive data vulnerable to being hacked, placing your customers’ information or business information at risk. If you collect sensitive information and data, you need service providers with watertight software and appropriate information security.
Steps for Ongoing Vendor Risk Management
Vendor risk management strategies, when set up well, can be a huge competitive advantage for you and a powerful tool to avoid issues in the supply chain, strengthen vendor relationships, and protect your business from reputational damage or other risks.
Here are a few steps to follow for successful vendor risk management:
Establish Your Risk Appetite
Your risk appetite is the amount of risk you are willing to take on in order to meet business objectives and protect against business vulnerabilities. It sets your boundaries and helps you make decisions about working with vendors. You can create risk appetite statements that outline how much risk your business can realistically take on for different risk categories.
For example, a vendor may have had a previous data breach. If your business has a very limited tolerance for security risks due to the sensitivity of the information you store, then working with this vendor may be completely off-limits for you.
Do Your Due Diligence for All Vendors
Before you agree to build partnerships with a potential vendor, you need to do your due diligence through a thorough and careful vendor selection process.
Vendor selection could first mean meeting with a potential new vendor to make sure they’re offering pricing structures and deliverables that provide value to your company. Once a vendor seems to be reliable and suitable to work with, you can do some light research such as reading reviews or testimonials and searching for any potential issues such as negative press attention.
If the vendor appears to be everything that they say they are, you can start onboarding them. You can streamline your onboarding to limit errors, automate or limit unnecessary manual intervention, and develop an efficient process that effectively flags any risks to your business. Use a digital platform that generates workflows and notifications when you need to request a certain document or conduct ongoing due diligence checks. Include a questionnaire that dynamically adjusts to risk signals in the onboarding process so you can get a full picture of who you’re doing business with.
As part of onboarding, you’ll want to begin your vendor risk assessment process. This helps you collate all the information you gathered, such as who the vendor is owned by, which jurisdictions or industries they operate in, which software or databases they use, and how their managerial structure works. You can use this information to give the vendor a risk score in each risk category.
Based on your risk appetite statement and the risk level you have attached to each vendor, you can then decide how you’ll mitigate the risks of working with them and monitor any changes in their risk levels over the course of your relationship.