How to Implement Proper Vendor Risk Management

For the vast majority of organisations, key strategic imperatives involve the use of third party suppliers. To achieve processing efficiency and cost savings, among other objectives, there’s simply no other way. But, as much as sourcing and offshoring initiatives are beneficial, they’re not without their risks. And as supply chains become more extensive, complex and sophisticated, our vendor risk management must evolve with them.

What is vendor risk management?

Vendor risk management is concerned with protecting an organisation from any potential risks that a third party supplier poses. The risk could be to any facet of the business – general disruption, financial, reputational.

As outsourcing increases throughout the corporate world, VRM is becoming an increasingly important part of every risk management framework. We involve third parties to drive down costs and to free up time to focus on what we do best, but we must also ensure these vendors behave in a way that is in line with our own standards, because whatever risks they are exposed to, so are we.

What risks can vendors expose you to?

Outsourcing arrangements have increased in complexity, which means the risks they expose us to have as well. These include:

Reputational risk

Damage to an organisation’s reputation can be extensive and extremely difficult to undo. Third party suppliers can pose reputational risks when there are interruptions to services or supplies, or when there’s an issue with safety or quality. However, the greatest risk to an organisation’s reputation can occur when one of their vendors is found to be in breach of adequate employee arrangements (think modern slavery).

Cyber security and data protection

This is a big concern when it comes to VRM. All organisations are fully aware that sensitive data – such as customer information – should only be accessible to those with approval. If there’s a breach due to poor cyber security, the consequences can be dire. And if the breach has occurred within a vendor’s operations, it may as well have been within the organisation itself, such are the ramifications.
Operational risk

Pivotal aspects of an organisation’s operations are often supplied by third parties. For instance, an IT vendor might be responsible for the running of an organisation’s online store. If there is a failure in their service, a core component of that organisation’s operations will be out of action – immediately and without warning. This is a good example of why a vendor’s operational integrity needs to be as good as that of the organisations using its products or services.

Financial risk

All of the above points lead to one destination: financial loss. Supplier failure or poorly managed contracts can hurt an organisation’s bottom line, either directly or through reputational damage. Proper vendor risk management is absolutely vital if the advantages that vendors offer are to be realised.

How to implement vendor risk management

The contract is an incredibly important document that provides the best defence against vendor risk – if drawn up appropriately. Here’s what you need to consider:

  1. Cyber security. The contract needs to contain stipulations that the vendor implements and maintains adequate security measures to restrict access to sensitive data to those with approval. References to any industry or regulatory standards that apply must also be included. Not only does this put in place important measures to protect sensitive information, it also provides demonstrable proof that the organisation has taken steps to do so.
  2. Consult Legal. The contract should be drawn up in consultation with the legal team to ensure the third-party vendor adheres to any applicable laws and regulations. The legal team’s advice should also be sought on any insurance appropriate for the particular contract, so the organisation has adequate financial protection in case of supplier failure.
  3. SLAs. Service Level Agreements are a vital aspect of vendor risk management. The SLAs included in a contract should specify performance metrics that indicate whether a third party has met the expectations outlined in the contract. The contract should also stipulate what penalties apply if the vendor is unable to meet the agreed standards.

Develop contracts that protect your organisation

Procurement plays a vital role in protecting the organisation through vendor risk management, a lot of which comes down to drawing up an appropriate contract. Academy of Procurement provides in-depth contract management training that covers all the relevant aspects, from SLAs through to corporate governance. Develop the skills so your organisation can reap the benefits of working with third party vendors without exposing itself to unnecessary (and potentially crippling) risk.