Vendor Risk Assessments: 3 Common Mistakes to Avoid

Richa Tiwari

30 Jun 2023

Few organizations can perform their daily tasks and operations without vendors and third-party partners. And even if they could, successful businesses understand that working with others provides a better experience than doing it alone. 

The vendors and partners a business associates with matter. These relationships affect security measures, revenue, and brand reputation. When a vendor enters an organization’s ecosystem, it directly influences a number of critical functions. It often gains physical or digital access to sensitive company and customer information, and it may even interface with clients directly on occasion. 

Vendor risk assessments should not be check-the-box endeavors. They are critical to choosing reliable, fiscally healthy vendors and to maintaining your own compliance and security. While vendor security reviews can be extensive and time-consuming, using the right tools will streamline and automate the process, saving you time, money, and headaches. 

What is a vendor risk assessment? 

In industries where regulatory compliance is stringent, vendor risk assessments are mandatory. These assessments ensure the companies you work with document and prove their security measures. Financial institutions in particular can be shut down if they lack evidence their vendors are secure. 

Vendor risk assessments are not just for those subject to regulatory requirements. They are part of larger security practices that protect business operations, data, and reputation. 

3 Common Vendor Risk Assessment Mistakes  

1. Not Requesting References

Many companies do not adequately vet their vendors, and one common mistake is failing to request (and then follow up on) references. 

Early on in the sales process, ask for client references. Sales teams should have references ready and be happy to connect you. Ask questions about their reliability, responsiveness, and capabilities. Be sure to focus on how the vendor works with the client’s security requirements and how responsive they are in providing updated policies.

2. Relying on Vendor Assessment and Security Questionnaires 

While it may be tempting to rely solely on vendor risk assessment and security questionnaires (SQs) to evaluate a vendor’s security posture, they should only be one layer of the overall review. 

While SQs can be useful in obtaining specific vendor information, they don’t cover enough for a full evaluation. SQs are self-reported, so organizations only receive the data the vendor wants them to see. Even if it’s 100% truthful, it will be biased.  

Combine security questionnaires with audits and external assessments. These assessments are more reliable and demonstrate a vendor’s security measures, providing you with more confidence in your partners.  

SQs are an important part of a comprehensive vendor review, but they shouldn’t be the only measure of evaluation. 

3. Overlooking Third-Party Dependencies 

Through the vendor risk assessment process, companies are naturally focused on the vendor at hand and often overlook dependencies those vendors might have on other third-party partners. Digging deeper before engaging with vendors can save your business considerable heartache in the long run. 

For example, if a company engages a payroll processor as a vendor, it’s crucial that you also evaluate how that processor handles operations and data. This ensures the vendor manages the data of your organization and consumers safely and in line with compliance standards. 

Additionally, understanding the practices and security measures of your vendors’ third parties is essential for a comprehensive assessment. Consider a data center where the vendor stores customer information. Knowing the data center’s policies and standards is extremely important, as it’s your data on the line.

Neglecting third-party dependencies can lead to vulnerabilities in the company’s ecosystem and can even affect a brand’s reputation. Customers may care about how a vendor or a third party presents itself and runs its business from a moral perspective. For example, suppose a retail company partners with a shipping vendor that has a horrible reputation for fossil fuel emissions. A customer dedicated to environmental activism may decide to stop purchasing from the retailer to avoid a personal conflict.   

Best Practices for Vendor Security Assessments

Here are some real-world best practices for avoiding common vendor security review mistakes:

Verify Vendor Policies and Docs Are Updated and Accurate

Ensure any vendor policy, document, or piece of information is accurate and up-to-date. It is not unheard of to receive policies that were last updated in 2014.

Set your own internal standard for how often you will request updated information. Some companies update their information multiple times a year, and it will be up to your teams and policies to determine if you need every update, a yearly update, or anything in between. Regularly assess the vendor’s policies and documents to confirm their security practices remain aligned with your business and industry standards.

Whatever you decide, the general rule is that you want policies dated within the last year. Carefully monitor insurance certificates, as they can expire at any time, so obtain and record their exact expiration dates. As part of vendor contracts, require vendors to reach out and provide new documentation when certificates expire. 

Outline a Clear Vendor Contract at the Beginning

When drawing up vendor contracts, include provisions that explicitly state the frequency and nature of sharing information between parties. This should include obtaining updated vendor docs and policies at least once a year. 

By defining these requirements upfront, your organization can avoid any claims that expectations were unclear. This will also prevent your teams from chasing and fighting for crucial information, or vendors resisting because it wasn’t in the contract. 

Leverage External Reports and Reviews

Before you make contact with a potential partner or vendor, look them up on the Better Business Bureau and Consumer Reports to learn more about others’ experiences with these companies. Customer review sites like Capterra and G2 are another way to learn about the customer point of view.

For a legal perspective, run OFAC checks (through the US Treasury Department) on executives’ names to ensure they aren’t involved in suspicious activities. SEC Action Lookup checks names to see if anyone has taken legal action against a person in the US and helps ensure the company is legitimate and credible. 

Vendor Security Made Easy with TrustCloud’s TrustShare 

The TrustShare platform simplifies vendor security assessments by streamlining the process for both companies and vendors. TrustShare includes a secure trust portal where companies may access compliance reports, program details, certifications, policies, disaster recovery plans, and controls, which may alleviate the need for a questionnaire altogether.  

The TrustShare portal mitigates concerns around sharing proprietary information. Through TrustCloud, both parties can have confidence their data is safe through transfer, evaluation, and storage. Organizations can strictly define which users have access to what information. 

TrustShare cuts down on back-and-forth communication, saving valuable time, resources, and a fair chunk of sanity for both sides. 

Are you ready to revolutionize your vendor risk assessments? Get started with TrustCloud and TrustShare today.