Choosing your vendors can be a demanding task. From doing the proper vendor risk assessments, finding out the best prices, and if the personal connection is there – this process can be challenging. There are not many ways to mitigate it, but what you can do is organize it.

In this article, we will be talking about risk management when it comes to choosing potential vendors, business relationships between potential business partners, security controls, assessing vendors, and some remediation strategies you can implement to lower the inherent risks that come with vendor risk management.

With that in mind, let’s go over the templates we have prepared for you to make you're evaluating vendors that much easier.

But first, let’s find out the software we will use in our vendor management. Of course, there are plenty of potential software vendors, but we cannot recommend anything but Microsoft Office for this essential and precise task.

It is the single most popular piece of software ever created. It is being used by millions of people worldwide daily and for a reason. The sheer amount of potential that this software has is a force to be reckoned with. And additionally, it is one of the most reliable and easy-to-use software ever created, so you can easily send it out between parties and be sure that they can open it and work on the document you have provided.

So, if third-party risk management is important in your company and you want to focus on something reliable – pick Microsoft Office products. And to prove that, we will go over some completely free templates you can utilize for this particular task.

First up, we have the vendor risk assessment with some basic concepts of what could happen during the business relationship you are about to enter. Whether it’s an information security assessment or some deep insight into the company’s reputation, this template has no match for all basic purposes.

Of course, if you would try to create some extremely powerful tool to make much more advanced assessments, then this would probably not suffice, but for most uses, you can think of on your day-to-day basis – this is definitely a great template to use.

You can download this for free at SmartSheet.com.

Next, we have a pretty advanced tool that will be great for comparing all the third-party providers. This template is great for some risk mitigation on another lever. You have different categories for each task with an assessment of how well the vendors scale in each one of those.

This is for someone who needs to find low-risk vendors that will provide some great security posture and be an asset rather than a risk.

If this high-value assessment is something that you were looking for, then you should definitely give this template a chance. You can find it at Adb.org.

And finally, thirdly, we have more of a questionnaire for you to enjoy. This vendor assessment template can get you far if you want to find a good document that covers only relevant topics. With this assessment, you can reduce the risk of hiring a third-party vendor focusing on specific risks they could bring to your company.

It is best when covering some of the more critical and detailed vendor assessments, to get you some inside knowledge on the company's structure in question. If you like this one, be sure to download this for free at SampleTemplates.com.

So, now that we know what kind of software we should use, let’s go over the main topic of this article: vendor assessment. What exactly is it, and how should you go about it?

Well, it turns out, it’s a pretty interesting concept if you are looking to hire some third-party vendors and want to create a system of vetting them and continuous monitoring. That can help you create a low-risk network of partners and suppliers that will be the cheapest option on the market and the best in many other aspects.

Vetting starts with asking questions and looking for answers, so vendor assessments can also be called vendor questionnaires. You ask them such questions as – what your prices are, where your products come from, what are some ways of transportation used in your company, etc., etc. As with everything in life, the main goal is to buy low, and sell high, which can be translated for this purpose – get high-quality vendors for the lowest price possible.

Why is it important? Working with vendors and suppliers can get you far, especially when it comes to growing your business, but it is also a great liability that can put you down pretty easily. All the information going in and out of the vendor’s database, all the different elements of potential supply issues – choosing the right vendor can make or break your company, so be sure to choose the right one. And we will help you accomplish this task.

So, how does the vendor assessment work? Well, it’s pretty easy to describe. You need a vendor, you put out that need on the market, people are sending out their propositions, and you create an incredible offer for them, but first – you will need some knowledge of how they operate daily.

The best way to go about it is to create a methodology on assessing them. Some of the crucial elements for vendor assessment frameworks to keep in mind are:

• Data security

• Financials

• Potential risks

• Transportation options

• Other clients’ opinions

Those are the essential ones. Let’s now go over the question of the vendor assessment criteria that you should consider in your spreadsheet.

Vendor Assessment Criteria

There is a model that will suit most of your needs, invented in 1995 by the great Ray Carter. It’s called the 10C Model of Supplier Evaluation.

What does it include? Well, those are the criteria that can be useful for any potential vendor assessment. Those can be treated as a safe bet when getting a vendor in practically any branch of the economy. And those would be:

• Competency

• Capacity

• Commitment to Quality

• Consistency of Performance

• Cost

• Cash and Finance

• Communication

• Control of Internal Processes

• Corporate Social Responsibility

• Culture

Of course, it does not mean that you should be using those exclusively, as there are plenty of changes that you can make to your vendor assessment. But – if your vendor passes all the Cs listed here, then it’s likely that they will greatly benefit your company.

Clearing all these elements can make the hiring process almost risk-free, and the potential for fruitful cooperation is pretty high.

But, it is not only a process that goes before hiring a company. The ongoing monitoring of your vendors is a great way of keeping your business safe and without any potential incidents that can cause you and your company great harm.

Of course, we are not saying that you should do it every day, as it will eat up most of your resources and could end in a pretty negative light regarding a good partnership. Nevertheless, there are certain moments in the company’s life when creating a good vendor assessment is warranted and necessary. And those are those situations.

Audit

First up on our list is the audit. In the United States, it’s called Service Organization Control. It’s an independent audit created based on the criteria defined by the American Institute of Certified Public Accountants (AICPA). If the organization you are working with are experiencing some issues, then getting the right SOC report can show you the inner working of the company.

Essentially, we can talk about three types of SOC reports.

• SOC 1 does the general overview of all the financial reporting and accounting control

• SOC 2 is a control of a service provider for most IT vendors. All the information is tied to the Trust Service Criteria by AICPA. It’s mostly about privacy, security, and confidentiality. 

• SOC 3 is something similar to SOC 2, but for the less-technical audience with less detailed information; if you wanted to compare it, it would be something like a data reference but for the people who don’t know anything about it and you needed to create a spreadsheet that they will understand

Government Data Security Compliance

Another Data Security Compliance that you need to consider is the government compliance for possible data security breaches. The most important ones in this category are GDPR, HIPAA, and CCPA.

Of course, it will differ depending on your location. Whether it’s European Union, Asia, or the Americas, there will be different regulations that you will need to consider when vetting your vendors, and you will have to abide by those rules. And – be sure you will, as the fines for breaching any potential problems are among the highest ever created, so you will be on the hook for millions of dollars in loss!

So, now that we know vendor assessment, it is time to see the process from the backdoor finally. How can you create your own besides using the templates we provided? Are there any issues to take into consideration when making such an assessment? Is there a great need for that? We will go into all those details!

Foresee the Potential Risk

The first thing you need to consider is the potential risk your partner can get you into. Do they have a good public perception? Are there any legal issues that you need to be aware of? Did they have any problems with liquidity in the past? If you can understand all of those potential risks and identify them beforehand, you can easily mitigate them or change the vendor if it is just too much to handle.

Different Types of Risk

But what risks do you look out for when getting some third-party vendors? The list is long and windy, but some elements must be highlighted.

• Data Security – the first and, in this day and age, probably the most important type of risk in most companies; whether it’s a malware issue, phishing, or any other attack on your IT network, you can have some outstanding fines to pay if you will not secure your databases. To protect yourself, be sure that your vendors that are processing sensitive data are also protected against those attacks.

• Compliance Risks – those would be all the potential issues with the laws and regulations in your industry. Sometimes it’s even easier to pay those than reevaluate the issues with the vendors.

• Transactional Risks – it’s a risk that would include all the potential issues with transactions, from exchanging currency, some payment methods issues, and anything in between.

• Fraud Risks seem self-explanatory; whether it’s a fraud between you and your vendor or between the vendor and some third party, it is something to look out for.

• Operations Risks  – these would be all the risks associated with your business running smoothly: supplies, manufacturing, etc.

• Geographic Risks – the place you are in can also influence how you will run your business; it may be as simple as the security in your country, maybe some natural disasters that could happen – those are things you need to consider.

• IT Risks – technological elements in every company can be problematic in many ways, from seeing hardware problems with monitors to software issues, ending with the complete shutdown of everything.

Create Risk Criteria

So, now that you know all the potential risks you may fall into, the next step is to see all the things that can make those horrible things happen. And also – how much of them can you take? That is why you need to create what is called in the industry risk tolerance.

For example, if you are introducing a product that can be interpreted in some countries as illegal or some parts of it are illegal, like CBD oil in many countries, then it can be optimal to risk it and maybe gain some great profit. The worst-case scenario – you will need to pay some fines, so see the potential amount and deflate it as much as you can.

It may even be that the fine will be much lower than all the benefits you could gain from selling those oils. That is why tolerable risk is an important bar that you should set for yourself and your company.

Create a Vendor Catalog

After accomplishing all of the above, it’s time to create a vendor catalog, where all the best vendors will compete to become the no. 1 supplier for your company.

The vendor assessment process is long, so it’s best to be strict when choosing the company you want to work with. Whether it’s a current vendor or someone to work with in the future, a complete list will allow you to identify all the essential information on each vendor and help you choose the right fit for you.

Next, you want to create a vendor-leveling catalog, assigning different levels to different vendors based on how good the partnership would be for your company.

Vendor Levels

Here are some potential descriptions you can give to each level on your list.

• Level 1 – those would be the vendors that are essential for your company; you literally cannot work without their assistance, and they have a lot of your data that can be potentially breached;

• Level 2 – are the vendors who are not facing the customer but are still in possession of some essential information on your business;

• Level 3 – they may not have all the information like the vendors above, but they indeed face the customer;

• Level 4 – those support some of your company’s offerings but do not face the customers.

• Level 5 – those are all the non-essentials, as they say. They are not interacting with the customer and are mostly considered to be of some low-importance assistance. You can also add all the not-vetted vendors to this level.

Key Vendors

The next step on our list is narrowing down the list of key vendors to the absolute minimum necessary to make everything work the right way. Suppose you can evaluate vendors and find the most important ones in an easy and accessible way. In that case, you will be able to find the best possible vendor for your company and create a list where the second and third will be accessible for you to use.

The best thing you can do is to segment all the potential vendors into different categories of interest to you and the company as a whole and – that way – create a solid list. The vendor assessment questionnaire and your investigations can do it. The most important thing to consider is the report's fairness and not playing favorites. Sometimes people we expect the least out of are the most important in the long run.

Assessment Report

And finally – it’s assessment report time! Be sure to include all the necessary information in your report with branches for each potential issue you may come across in your evaluation. That way, you can create a sound system of seeing if an A factor is still important in your line of work or if things change, and now it’s something completely different.

That kind of check-up should be done regularly, even if you have been working with a vendor for a long time now and the cooperation looks excellent. The vendor’s risk level could go up with time, so it’s best to update your assessment report every few years and see all the prospective vendors you can have in place of existing ones.

Especially if some data breaches happened.

And here we are, at the end of our presentation. As you can see, the road to assess vendors and keep customer data out of the public eye can be windy, but it is an essential part of most modern companies.

Whether we like it or not, we live in the modern world, where you need to assess all the companies you are working with, not only when it comes to the price you will be paying for their services, but all the potential risks associated with their work. Whether those would be security risks or something more connected to the repudiation of both parties, initial assessment or ongoing assessment can mitigate many potential problems, especially if you are working with some sensitive data.

We hope you will find something informative in this article that will be useful to you in the future. Of course, there are many other ways that you can mitigate potential risks to your company. If you are interested in those topics, check out our other articles.

That’s it for today. We will see you in the next one. Stay safe!