

What is vendor risk management?

By Matt Kelly

Corporate compliance officers have long understood that third parties can bring risk to your own company, but we need to pay attention to a subtle nuance here: the risks posed specifically by your vendors and suppliers.

Vendor risk is not the same as “traditional” third-party risk. In one sense it’s more narrow, because it only comes from your vendors and suppliers, not the other third parties your enterprise might have. At the same time it’s also broader, because vendors pose a wider range of specific risks that can threaten your business.

Simply put, vendor risk is a new challenge that requires a new approach from compliance and risk management teams. In this article we’ll explore what that new approach will need to accomplish.

What is vendor risk management?

As the name implies, vendor risk management is the process you use to manage all the risks that your vendors and suppliers pose to your business.

Wait, you say, isn’t that the same as third-party risk management? No, it’s not.

Vendor risk management (VRM) could be described as a subset of third-party risk management — but the tools, policies, and processes you need to address vendor risks aren’t quite the same as those for other third-party risks.

For example, overseas distributors and agents are always potential sources of corruption risk, so the compliance team needs to perform anti-corruption due diligence and monitoring of those third parties. Vendors and suppliers, however, pose different risks. Among them:

  • Financial risk, if the vendor suddenly increases its prices or doesn't deliver promised goods, and you need to source replacements elsewhere on the spot market.
  • Product liability risk, if the vendor provides dud parts that cause your goods to malfunction for customers.
  • Privacy risk, if the vendor handles confidential data on your behalf and suffers a breach.
  • Sustainability risks, such as the vendor polluting local water supplies or using forced labor to produce the goods you buy.

In theory a vendor could also pose corruption risks akin to distributors and agents, but in practice those instances are rare. It’s much more likely that your vendors will pose risks such as those listed above. That, in turn, requires a different set of risk management capabilities to address. For example, you’re more likely to involve other parts of the business (procurement, IT security, and finance) to perform vendor due diligence, and will need different policies and procedures to monitor your vendors over the long term.

Why is vendor risk management important?

That’s easy. Vendor risk management is important because in today’s highly integrated, highly interdependent business world, a vendor risk gone wrong can lead to significant disruption to your enterprise. The consequences can include monetary penalties from regulators, civil litigation, bad publicity and reputation harm, higher operating costs, and more.

Moreover, businesses today rely on more vendors, for more reasons, than ever before. At the same time, regulators around the world will keep expanding their reach, holding companies more accountable for more risks that might arise from your supply chain.

So it’s not enough that your company can manage the risks from one vendor, or one type of risk from all your vendors. You need a strong, flexible process to manage all the risks that might arise from your vendors — otherwise known as a vendor risk management system.

The pillars of vendor due diligence

Vendor risk management begins with effective due diligence. Not every vendor will need the same amount of due diligence as all your other vendors, but broadly speaking, you’ll want a due diligence program that can consider the following potential risks:

  • Financial stability
  • Security and data protection
  • Regulatory compliance
  • Product quality and operational capabilities
  • Contractual obligations
  • Business continuity and disaster recovery
  • ESG issues
  • Ethical conduct

As always, you should take a risk-based approach to vendor due diligence. For example, do you need to assess the financial stability of the vendor that stocks your on-site vending machines? Probably not, since lots of alternative vendors could fill that need if one suddenly goes bankrupt. But should you review the ethical standards of the company that staffs your corporate cafeteria? Perhaps so, since those employees might try to defraud your business, harass your employees, or themselves be victims of forced labor.

Vendors that provide technology or business services (data storage, payroll functions, climate control, logistics, and so forth) can pose even greater risk, especially around cybersecurity and business continuity. In those cases, you’d likely need to perform due diligence across all of the eight pillars listed above.

What is the vendor risk management lifecycle?

Most vendors will have an ongoing relationship with your business, which means due diligence isn’t enough to address those vendor risks. On the contrary, we can define a vendor risk management lifecycle, where due diligence isn’t even the first step!

  • Vendor selection. First, identify potential vendors based on your business needs. Locate potential vendors by conducting market research, publishing a request for proposal, or asking your existing vendor network whether they can recommend anyone that fits your needs.
  • Due diligence. Once you identify potential vendors, then comes the due diligence. As we mentioned above, you’ll need to take a risk-based approach based on the exact product or service you’re looking to secure.
  • Contract negotiations. This can usually be handled by your corporate legal team, perhaps in coordination with other business units that will be using the vendor. This is where you should define service-level agreements that spell out what the vendor is obligated to do.
  • Ongoing monitoring. Your vendor will need to live up to its obligations. That means assigning someone to be “owner” of that vendor relationship, and following up to confirm that any reports the vendor is supposed to make to you actually are made, properly and on time.
  • Review and termination. Your contract with the vendor will eventually come to an end. When it does, you should have a formal process to review the vendor’s performance and then decide whether to renew or terminate the relationship. If you cease doing business with the vendor, be sure it fulfills any obligations such as returning equipment or destroying data in its possession.

Clearly that is a complicated process. Managing it with manual processes is futile, because you’ll inevitably miss at least some vendors or the true nature of the risks they pose. Hence the need for vendor risk management software.

How does vendor risk management software help?

A dedicated VRM software tool helps you bring order to all that chaos. It lets you develop disciplined processes for risk assessment, due diligence, monitoring, risk reporting, and data analytics. Without VRM software, you’ll end up spending far more time simply chasing down information about your organization’s vendors, rather than analyzing that information and deciding what to do about it.

That said, choosing the right VRM software tool is careful business. Consider the following as you weigh your options.

  • Set a clear scope for what you need the tool to do. For example, you might already have a strong in-house procurement team, and need help with risk analytics and reporting more than due diligence. (Or vice-versa if you have no procurement function.)
  • Consider your organization’s future growth plans and the risks that might arise. You want a tool that can scale with your growing operations, and one that’s versatile enough to handle new operations and new risks.
  • Look closely at the monitoring and reporting capabilities. Monitoring and reporting are crucial because they (1) alert you to anomalous events that need immediate attention; and (2) help you to identify larger, long-term trends that could indicate deeper troubles.

The need for strong vendor risk management capabilities is clear — and more important, that need is not going away. With the right tool, corporate compliance and risk management functions can give vendor risk the serious attention it deserves.

That, in turn, will improve your own company’s compliance posture, your standing with customers (since you are the vendor to them), and your strategic position in the market — which is, let’s remember, your most important corporate asset of all.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.
