Research recently published by the Online Trust Alliance discovered that 90 percent of the data breaches that occurred in the first half of 2014 could have been easily prevented. A statistic such as this confirms that risk, including vendor risk, can be identified and managed. Of course, not every risk can be caught, and not every incident can be prevented (hence, the 90 percent figure instead of 100 percent). However, organizations performing due diligence in working with their vendors can mitigate much of the risk that could turn into something more serious.
A risk management template is a tool many companies employ to determine vendor risk. This approach standardizes the questions asked of a third party during the assessment process. Such a template is important in assuring the right issues are being addressed, but using it is just one step in your vendor risk strategy. Here are some reasons why a risk management template can’t be the only answer:
Ease of Use
The benefits of a risk management template won’t be realized if it’s too difficult for you to understand or make changes to, or if your vendors can’t decipher what’s being asked of them. You might not get the answers you are seeking during the assessment process, which will affect your subsequent analysis and remediation decisions. Templates included with automated vendor risk management solutionsoften combine the thorough scope you seek with an easy-to-use interface that benefits both you and your responding vendors.
Returned Data Must Be Strong
The goal of a risk management template is to ask all the right questions in order to receive thorough answers en route to the best data possible. A completed screening will not save you time if you must go through the assessment, question by question, just to give you the pinpointed information you hope to gain through the process. Automated solutions that employ risk scoring can provide the strong data necessary for your analysis. With these ratings, risk can be broken down into major categories (e.g., control risk, business profile risk, relationship risk), and then be subdivided into specific subcategories as well. Want to know how well a vendor handles physical security? A risk management template combined with risk scoring can give you that focused data.
Returned Data Must Be Streamlined
Metrics can provide a deep delve into a vendor’s risk profile, but at the same time, they need to be easy to understand. After all, you don’t have time to compute these ratings yourself—especially at the comprehensive level set forth by a thorough template. Moreover, execs in other departments might see these assessments, so a basic score will facilitate their understanding as well. Many solutions use streamlined rating systems (for example, a scale of 1 to 1,000, with bigger numbers equating to more risk) and color coding to complement the data requested by the template.
The Assessment Is Just the Beginning
A risk management template gets the assessment process going. Your remediation decisions are the logical results of that process. If a template does its job well, you will be armed with the most complete data to embark upon a course of action that will reduce risk. The key is following through on what the assessments are telling you. The risk management template is merely one of the drivers of an entire vendor strategy.