Resources

Vendor Risk Management: The Risk of Third-Party Appraisals

Written by: Andy Lin

Every company relies on outsourced vendors to fill gaps, drive efficiencies, and enhance their products, services, processes, or programs. Although vendors supplement business operations, organizing the abundant risks associated with them can be complicated and burdensome. Since vendor risk environments are constantly evolving, financial institutions are increasingly turning to third parties to evaluate these vendors and assign risk ratings to each.

Vendor ratings give an overview of the severity of security and control weaknesses associated with each vendor, allowing institutions to analyze and prioritize them. Enticed by this seemingly “all-in-one solution” to vendor risk management, institutions usually use these ratings as a basis on which to build their vendor management frameworks. But overreliance on scores or ratings alone can be detrimental to preparedness and mitigation strategies, because these ratings don’t provide a holistic view of how those weaknesses relate to your specific risk strategies, how they align with business objectives, and the circumstances present at the time of the ratings.

Stagnant Valuation of Risk Assessments

Third parties that perform these vendor assessments will typically follow generic practices and procedures when identifying the risks. The algorithm used to create these risk ratings compares the vendor risks against common business models, usually ignoring the unique factors and situations of specific institutions. All of the measurable risks of the vendors found are combined and compared against other set variables that sometimes don’t have explicit relevance to any given institution.

Though these ratings offer comparable results, they lack significance when considering vendor-bank relationships on a case-by-case basis. The risk scores could also be misleading—showing low risk with vendors who are technically compliant with pre-defined specifications or regulations. Compliance is not synonymous with security. The outcome of the vendor rating can’t always be taken at face value without considering how it aligns with your institution as a whole.

These ratings also don’t consider how each vendor can present different types and levels of risk to each of its customers. Each institution needs to inspect these ratings while being aware of their own distinct exposures, requirements, and risk tolerances. Although you can outsource the execution of a risk assessment, you must evaluate the identified risks based on your specific circumstances in order to successfully identify severity, properly prioritize risks, and develop a strong vendor risk management framework.

Missing the Bigger Picture

Banks are often eager to use these ratings as the sole basis of their risk management frameworks. But this “score” doesn’t adequately capture the nuances of the vendor’s control environment in its entirety. Third-party risk ratings can’t tailor the risk analyses towards each individual institution. Forgoing these evaluations produces generalized risk scores that don’t account for the precise status of the individual institution.

Acting solely on these vendor scores without tailoring them to your specific risk management environment will produce misinformed decisions. Without reviewing these ratings within a more holistic view of the company, a risk assessment might produce a lower or higher rating than a vendor deserves—throwing off your management strategies for that particular vendor.

Institutions need to develop and perform due diligence processes that are appropriate for each vendor, and more importantly, for their own risk management environments. Implementing a thorough, customized due diligence program is time and resource consuming for any organization, but it’s good practice and will decrease long-term risk exposure.

The Bottom Line

Vendor scores aren’t irrelevant. The value-to-cost of these reports make them worthy as an important data source to inform your overall vendor management program. They can serve as an external perspective of the quantifiable weaknesses in a vendor’s control environment, and can provide a depth of knowledge on the inherent risks of the company. However, institutions should understand the limitations of these ratings, and acknowledge these ratings within the scope of their entire risk environment to avoid gaps in their risk management frameworks.

Institutions that are looking to better manage vendor risk should evaluate:

  • The details underlying a vendor’s security score against their own third-party risk rating for the vendor relationship
  • The expectations put forth by their vendor management and information security policies
  • Their overall risk tolerances

Also consider the scope of risks that the vendor scores attempt to quantify. How do these scores evaluate cybersecurity? Do they consider things like reputation risk, continuity risk, and legal risk? How are any additional criteria required by your policies being satisfied? Understanding these nuances will allow institutions to utilize vendor security scores to properly manage vendor risk and create an overall improved security posture.