Vendor Risk Assessment Policy
DIGIGUARD can help your SMB manage the risk from third-party and fourth-party vendors (your vendors’ vendors), suppliers and outsourced service relationships. A Vendor Risk Management (VRM) or Third-Party Risk Management (TPRM) program policy identifies which vendors put your business at risk and defines controls to minimize those risks. Companies increasingly rely on outsourced services for the efficiency they provide. If your vendors lack strong safeguards, controls and restrictions, your organization could face operational, regulatory, fiscal and reputational risk. Regulatory standards hold companies responsible for the actions of their business partners and vendors and require effective third-party due diligence. Our experts can help you manage this risk with these services:
Governance and Policy Development
- Navigate risk, regulatory and audit requirements
- Validate risk appetite and TPRM VRM program components
- Identify and implement critical improvements for compliance
- Implement guidelines for access and control of sensitive information as per vendor agreement
Maturity Assessments, Training and Awareness
- Validate the maturity of your TPRM and VRM program
- Provide stakeholder training and awareness
- Identify gaps and areas that need improvement
Pre-Contract Risk Assessment
- Determine risks before vendor selection and contract execution
- Evaluate vendor third- and fourth-party controls to mitigate risks
- Identify and negotiate issue remediation plans
- Provide an exit strategy
- Draft contract language that outlines the business relationship
- Provide an objective view of residual risks, risk severity and risk exposure
Issue Remediation and Identification
- Identify third- and fourth-party issues and changes
- Validate the severity of issues
- Facilitate risk mitigation remediation
- Monitor resolution status
- Confirm adequate remediation
Periodic Risk Assessments and Compliance Verification
- Verify current scope of work
- Verify contractual terms
- Verify compliance with regulatory guidelines
- Maintain an up-to-date view of the risk landscape
- Verify third- and fourth-party vendor controls
Third- and Fourth-Party Monitoring and Reporting
- Identify changes and new threats
- Ensure compliance and documentation of data security
- Monitor vendors’ performance to ensure the contract is properly executed
- Include the right to audit on all contracts
Third-Party Vendor Scope
The definition of a third-party vendor may vary by state, IRS or federal regulations. DIGIGUARD will review applicable regulations to help your business define and identify its vendor landscape. We will examine the data compliance rules that apply to your vendor and third-party relationships under the governing body that oversees them, such as U.S. federal, state or international trade law. Health and financial businesses may have additional data compliance rules. Here are some of the vendor relationships we examine:
- Service providers such as attorneys, real estate developers, designers, technology experts, analysts, consultants
- Manufacturers and suppliers
- Contractors
- Those with contracts of any length, or with a company email address
Scoring Vendor Risk
DIGIGUARD can define a risk scoring policy for your business. It’s essential to assign high-, medium- and low-risk tiers to your vendors in order to understand and accept risk. We help you communicate this methodology to potential partners and to stakeholders within your company. Here are some of the risk factors our consultants examine:
- Critical role of vendor services in delivering your product
- Access to personally identifiable information for employees or customers
- Access to private information such as financial data, strategic plans, intellectual property
- Cost and length of contract
- Personal or prior relationships with the vendor that may warrant increased diligence
Contact DIGIGUARD today to help your business identify and address third-party vendor IT security risk.