Vendor risk assessment

Learn how to do a vendor risk assessment to help mitigate risks within the supply chain

What is a vendor risk assessment?

A vendor risk assessment is the process of identifying and evaluating potential risks involving your vendors that could have an impact on your organisation. A vendor risk assessment determines the effects of uncertain events, which then enables you to prioritise them. Potential risks could include security breaches, compliance failures, financial problems, or the overall effectiveness of operations. Once the assessment is complete, you’ll be able to mitigate and monitor the risks.


How do you do a vendor risk assessment?

Assess your vendors:

Start by cataloguing vendors by what they do for your organisation, how critical they are, their location and what data they handle.

Profile vendors:

Group together vendors that sit in the same industry; this will help you to assess the risks more easily, as they’ll all share common risk factors. For example, group together all IT (Information Technology) vendors, insurance vendors or medical equipment suppliers.

Vendor questionnaire:

Send a questionnaire out to all your vendors to help determine their policies, procedures, and processes. Make sure that all questions are simple, objective and tailored to the real areas of concern.

On-site audits:

You may need to do an on-site audit, particularly if the vendor is high risk. This will provide an in-depth evaluation, which will enable you to identify potential risks. You’ll be able to get to grips with their culture and security measures.

Communicate:

Gather all your findings and compare the questionnaire responses with the on-site audit. You can get a third party or legal team to help you with your report. This will help you develop a dialogue with your vendors and talk through concerns and opportunities.


Why is vendor risk management important?

As supply chains grow and become more reliant on outsourcing, vendor risk management becomes a key part of your organisation’s risk management. Many third parties have access to sensitive data such as financial and personal data, which makes them more susceptible to security breaches. Vendor risk management helps to manage cyber-risk and ensures your third parties are adhering to regulations and compliance requirements.


Examples of high-risk vendors

A high-risk vendor is a vendor that has access to your organisation’s sensitive information or handles financial transactions. These could include:

  • Heavily regulated industries: These could include the likes of healthcare, aerospace, or banking.
  • Vendors that have access to your data: Third parties that have access to your data are deemed as high risk, so you’ll need to put a plan in place to document useable data and ownership guidelines.
  • Third parties that access your finances: If you deal with a third party to process your financial transactions, it’s important to ensure that data isn’t compromised. These can include credit card companies, third-party payroll providers, banks, and credit unions. Understanding your vendors’ financial exposure and risk will also support mitigation against their failure and its impact on your own supply chain activity.
