Written by: Jason McLarney

Gone are the days of working with a handful of long-time, trusted vendors. Today, 60% of enterprises work with up to 1,000 vendors at a time, and 71% report that their third-party network has grown sharply in just three years. That means more risk to evaluate, and therefore more vendor assessments to work through.

The sheer volume of vendors in play and the length of traditional vendor risk assessments (often hundreds of questions) can make scaling this process feel impossible. 

Fortunately, with the right third-party risk tools and strategic vendor risk assessment processes, scaling is very achievable.

4 Steps to Help Organize Vendor Risk Assessments

Here are four practical steps organizations can take to get the data they need to make confident third-party risk decisions — quickly, efficiently, and accurately.

1. Prioritize

Traditionally, many organizations have evaluated all new vendors with the same level of scrutiny. Here’s the issue with this: Not all third-party relationships are the same. 

A third-party partner with no access to critical data (such as a catering provider) should not receive the same vendor risk assessment as one with extensive access to critical data (such as a payment processor). Due to the nature of the relationship — and what’s being shared — these two vendors pose a very different level of risk. This is a good thing because it means you don’t have to be equally thorough and meticulous with every vendor.

A Strategic Approach to Vendor Risk Assessments

Prioritize and tier vendors based on the unique risk they each pose to business-critical operations, environments, and data. Third-party risk pros can start by asking the following questions about their network of vendors:

  • Does this vendor have access to sensitive datasets or internal networks? If so, which ones? What level of access?
  • If this vendor experienced a breach, what material impact would it have on our business operations?
  • Is an assessment of this vendor required by a regulation or industry standard? (e.g., a payment processor must demonstrate PCI DSS compliance, typically by providing its Attestation of Compliance)
  • What is the potential financial (and reputational) impact of a third-party breach through this vendor?

Based on those answers, organizations can start more effectively tiering their vendors into the following categories:

  • Tier 1: Mission Critical
  • Tier 2: High Risk
  • Tier 3: Moderate Risk
  • Tier 4: Low Risk

Think of it this way: If you were a 911 operator who answered two calls, one about a fender-bender and one about a 10-car pileup around the same time, you’d know where to send more resources.

Risk-based tiers should dictate every aspect of engagement with a vendor: the risk thresholds you are comfortable with, the compliance evidence you require, how often you reassess them, and how much communication you maintain with them. With vendors ranked in these tiers, teams can prioritize their efforts around the third-party partners most critical to the business, and the ones that raise the most red flags regarding potential impact.

That level of prioritization is exactly how organizations can go from treating thousands of vendors exactly the same (and burning out the team, no matter how large) to using a streamlined team to focus on the riskiest vendors, without incurring unnecessary risk or feeling spread thin.

2. Get Data You Can Trust

In a market where scaling fast is the goal, risk professionals are starting to recognize they need to move away from solely relying on questionnaires. That’s because general questionnaires, which can sometimes have over 300 questions, often result in general (read: unhelpful) responses.

Effective communication with vendors relies instead on obtaining (and sharing) the right data, and only when necessary. Organizations need a source of intelligence they can trust to make better risk decisions, including whether they need to engage the vendor in the first place. For example, if a vendor meets all of your security and compliance requirements and is tiered as a “Moderate Risk” vendor, do you really need to issue them a questionnaire? It depends on your risk appetite and on how current the evidence behind that tiering is, but likely not.

Organizations need a transparent, standards-based cyber ratings platform where they can see for themselves how findings and scores are assembled. That gives teams the reliable, concrete data they need to have meaningful conversations with vendors and collaborate effectively to remediate risk. One caveat: ratings are built from externally observable signals (exposed services, patch cadence, DNS and email configuration, leaked credentials, and the like), so they complement rather than replace evidence of a vendor's internal controls, particularly for Tier 1 vendors.

Security teams should also consider investing in a third-party risk management (TPRM) tool that provides:

  • Reports on how to improve risk scores, step-by-step
  • Identification of specific assets believed to be most at risk
  • A space for transparent, two-way vendor communication

3. Save Time (and Money) With Automation

Baking in automation is the only practical way to scale your vendor risk assessment process. Manually sifting through questionnaires is not the solution; it only exhausts resource-constrained risk teams and introduces human error.

Manual vendor risk assessments typically take two to eight weeks. For any other project, that timeframe might be acceptable. But digital threats evolve much faster than that. Within a few weeks, the risk landscape (either yours as an organization or the market's at large) can undergo a seismic shift that rapidly changes priorities. Whether due to a geopolitical upheaval or a new business expansion strategy, risk doesn't remain constant.

With the right third-party risk automation tools, teams can reduce assessment cycles from weeks to hours. AI-driven engines can parse complex vendor documents (SOC 2 reports, compliance policies, questionnaire responses, and more) and map the evidence against industry frameworks such as NIST SP 800-53 Rev. 5 and ISO/IEC 27001, giving you an immediate view into a vendor's risk. Treat the output as a first pass rather than a verdict: an analyst should still review the mapped findings for high-tier vendors, since a summary that misreads a control scope or a report's date can understate risk.

That unlocks the ultimate key to scaling: Finding automated tools your teams can trust to work in the background while they handle more complex risk strategies.

4. Build Relationships with Critical Vendors

Regarding third-party risk, it can be easy for organizations to fall into the trap of only communicating with vendors during procurement and onboarding… and then only if and when an incident occurs. That’s not due to any personal failure but because it can be nearly impossible to effectively communicate with hundreds or thousands of vendors regularly.

With effective prioritization, risk teams can collaborate with vendors rather than having a reactive (and often unnecessarily tense) relationship. They can also minimize the number of vendor assessments they need to send, and shorten and focus the ones they do send, all while better mitigating actual risk.

Double down on the vendors that matter most to your organization's security, financial health, and business-critical processes. Check in with them on risk and security developments, and identify any shared risks or weaknesses you have with each other, such as a common sub-processor or hosting provider whose outage or breach would affect you both.

Move Away From the Unscalable

Effective scaling starts with moving away from one-size-fits-all, time-consuming, and manual methods and instead towards:

  1. Upfront risk-based tiering and prioritization of vendors based on their materiality to business operations.
  2. Relying on a trusted data set to inform prioritization and dictate when to engage.
  3. Automation to reduce or eliminate manual questionnaire reviews and unnecessary vendor engagements.
  4. Stronger vendor relationships based on clear, actionable improvement steps. 

These pillars make scaling possible and achievable, expanding your team’s reach and allowing you to double down on the value-adding tasks and relationships that matter most. However, all of these vendor risk mitigation strategies rely on one key factor: trustworthy, timely risk data. When organizations have data they can trust, they can prioritize, dial in their risk thresholds, and build out the third-party risk management structure they need to move ahead with confidence.

Scaling vendor risk assessments doesn’t have to feel impossible. With the right tools and processes, organizations can unlock efficiencies, strengthen their vendor relationships, and improve their overall risk posture. Black Kite Bridge™ makes collaboration easier by providing the trusted data and communication capabilities needed to drive faster, more meaningful vendor engagements.

If you’re ready to transform your approach to vendor engagement, don’t miss our interactive eBook, Chaos to Collaboration: Transforming Third-Party Risk Response for Zero-Day Events. It’s packed with actionable insights to help you work more effectively with vendors during critical events, and no download is required.