How to Keep it Real When it Comes to Estimating Vendor Risks


By Quin Rodriguez
Vice President, Strategic Marketing

Until recently, vendor risk management took a back seat to enterprises managing increasing governance and compliance issues. However, forward-thinking organizations are starting to realize the dangers of failing to incorporate vendor risks as part of their integrated risk management strategies.

While today’s ever-changing risks are steering many enterprises in the direction of integration, some risk managers are still figuring out the best ways to improve and prioritize their vendor risk management processes.

Unlike governance and compliance, vendor risk management is not regulated, so there is less urgency to prioritize. However, potential vendor pitfalls can result in consequences that are just as troubling and costly as other risk types. That’s why it’s important to remain cognizant of vendor issues.

Be in the Know

There’s an old adage that states, “first know thyself.” While organizations must know their enterprise vulnerabilities, it is equally important to know the organizations with which they partner.

According to a recent Soha Systems survey, third parties cause or are implicated in 63 percent of all data breaches. Recently, Huntsville Hospital in Alabama reported a third-party data breach that may have compromised social security numbers. Now patients and employees are at risk of identity fraud. Though technically the hospital was not at fault, it is still responsible for cleaning up its vendor’s mess.

Whether the partner is a courier company or an IT provider, your enterprise is exposed to new risks with every new contract signed. These close supplier and provider relationships involve exchanges of sensitive information and grants of access that are normally reserved for internal use. Business must carry on, but each of these connections widens your exposure.

Ensuring vendor security is air-tight is critical to protecting your consumers, employees and your brand. Today, enterprises need to thoroughly vet even seemingly small vendors before contracts are signed. This sifts out the companies that are not aligned with your standards and builds a more secure network of vendors.

Guilt by Association

Consumer perception is your brand’s reality. A brand can be destroyed in minutes by being associated with a bad business partner. In other words, the vetting process doesn’t stop at examining your vendors’ IT systems and practices. You also must know their collective company values and how they act on those.

In 2016, Nestle and two other major food companies were under fire for knowingly sourcing cocoa from the Ivory Coast, a country known for using child labor. These companies were accused of providing farmers with financial and technical assistance in exchange for cheap product and labor – thereby supporting child labor and poor work conditions. This vendor issue resulted in multiple lawsuits, which triggered heavy media coverage that stirred consumer, media and even politician reactions. Fortune Magazine reported that the media coverage of child labor attracted the attention of U.S. politicians, who then pressured the industry to tackle the issue, resulting in a costly recovery journey for Nestle.

Managers cannot afford to work with vendors that contradict the principles and values presented to their consumers. Otherwise, they risk losing business and support.

The Operational Hazards of Vendor Pain Points

Vendor risk management often leads back to operations. One vendor mishap can potentially throw off operations for days or even weeks at a time. That’s why it’s important to ensure your vendor risk management strategy can maintain business continuity in the event of a disruption caused by a vendor.

Operations-related vendor incidents can be the ultimate monkey wrench. For example, one South Carolina school district recently experienced a hiccup with report cards. The vendor produced report cards with inaccurate data, resulting in a major delay in the district’s distribution schedule. Though this misstep may have given some students a temporary reprieve, it ultimately inconvenienced teachers and parents.

Another recent vendor blunder occurred in Washington, where county officials came under fire for sending voters ballot envelopes that required postage. Voters were supposed to receive postage-free envelopes, but according to the secretary of state, the contracted vendor mistakenly sent the erroneous envelopes instead. This caused a delay in voting and required the counties to re-send the envelopes.

Small incidents like these show how easy it is to overlook vendor risk, and how even the smallest oversight can cause a major setback. With effective vendor risk management strategies, managers have a better chance of preventing these types of mistakes or, at a minimum, of having proper visibility into these incidents before they evolve into bigger issues.

Taking a proactive approach to vendor risk management does not mean micromanaging your partners. It does, however, mean being more engaged in vendor processes and operations, knowing there are always direct and indirect effects on your business. Managers must create and uphold security standards to guard against breaches, align with vendors that share their brand values, and develop protocols for operational interruptions caused by vendors. These practices will ensure improved vendor relations.


  1. A very informative and enlightening article. I also think that with issues relating to vendor or even retailer risks, especially when it comes to shortfalls in IT or technological inadequacies as well as other logistical or regulatory weaknesses on their part, it will become necessary for organizations dealing with such vendors to use their relatively stronger compliance attributes or IT acumen to compensate for their weaknesses and inefficiencies for as long as they are the most preferred choice, in order to achieve the best possible results within the stipulated timeframe. For instance, in the case involving two financial institutions, the stronger and more compliance-effective one could help in eliminating or greatly minimizing the risk factors of the other in the best interest of the former’s shareholders, customers or even staff members. Nevertheless, it’s perfectly important for all forms of risks to be well managed and possibly eliminated to achieve the best results in all sectors.