Because change is constant, Vendor Risk Assessment is not a one-and-done activity.
One of the greatest perils of vendor risk management is that products and services change rapidly, sometimes without our knowledge. Aren’t you often surprised by how different a product or service is since the last time you saw it? Solutions may now incorporate new sensitive data or technology due to a seemingly safe revision. But that revision may get automatically installed and attached to your network—creating an unknown vulnerability. A Best Practice for Assessing Vendors is to periodically reassess.
Evaluating vendor products and services on a schedule is a difficult yet imperative practice to implement. Periodic reviews can uncover new vulnerabilities in your vendor risk profile in time to prevent disastrous consequences. However, you need the right vendor evaluation tool which will bring significant efficiency to an otherwise resource intensive process.
Trust, Yet Verify
Too often, we forget the old Russian proverb, “Trust, yet verify.” What powerful words they are. Re-evaluating vendor products and services regularly empowers you to stop new vulnerabilities from being introduced to your systems. Or, it enables you to mitigate their effects by discovering them early.
Doing regular vendor evaluations may sound daunting. In fact, to someone with experience on the front lines, it may seem like “a bridge too far”. I feel your pain. You’re thinking, “That’s all fine in theory, but it’s all we can do to evaluate new vendors. Now we need to do a vendor evaluation every 12 or 24 months?” I get it, but hear me out.
It can be a very resource-intensive process for your organization merely to accomplish initial evaluations of new vendors. Therefore, you believe you have too many vendors and not enough resources to review them regularly. It seems like re-evaluating vendors once every year or two is impossible. You’re not alone in that belief. According to a recent Ponemon study in which 554 healthcare IT and security professionals involved in vendor risk management were surveyed, “Two out of three respondents believe[d] that current manual risk management processes cannot keep pace with cyber threats and vulnerabilities…and only 27% assess all vendors annually.”
It’s Not Going Away
Unfortunately, failing to do a vendor evaluation or assessment creates a business-process gap. That gap is destined to plague your organization and your customers at some point with unwelcome surprises. It’s a challenge that’s not going away. You know this is the case, and more importantly, regulators and auditors know it’s the case.
A Smarter Approach
Since resources are already stretched thin, you need to find a way to work smarter, not harder. To solve this problem and bridge the gap, you will need a “lightweight” system. You need one complete with automation and enough smart vendor evaluation tools to leverage your efforts and create significant efficiencies. It’s also vital that any new system is sophisticated enough to integrate with other systems in your organization.
One important caveat: As explained in Mistake #1, finding a new vendor evaluation tool will not necessarily solve the problem. You need to take the time to fully understand your existing business processes. You need to learn how the new tool will integrate with your systems and impact your workflow.
Lightweight Vendor Risk Assessment Tool
A lightweight vendor evaluation tool must be affordable both in terms of cost and on the operational resources it requires. Systems using email to distribute spreadsheets seem inexpensive, since there may be little up-front cost. However, it’s extremely heavy on operational resource cost. Unfortunately, that is the de facto system in most organizations.
A truly lightweight vendor evaluation tool will be part of a system. The system will have the right interfaces for the varied users it will serve. However, it won’t consume more resources than it promises to save. Some systems are so full of features that you need to hire a team just to keep it configured correctly. Beware of these systems. If the initial price tag doesn’t sink you, the downstream clunkiness and expense will. Even the simplest new change that you need becomes a “heavy lift” and probably requires a new module. “We can do that! Let’s add that to the purchase order.”
Smart Automation for Vendor Risk Assessment
A good vendor evaluation tool will be part of a system that will automate the routine administrative tasks. This will leave your team with only the exceptions. A great system will do all that and also make it simple, efficient, and straightforward to manage exceptions. Look for a vendor evaluation questionnaire tool that can adjust each question asked based on answers to previous questions. Also, a tool that will automatically classify your vendors’ products and services according to types and associated risks. You will need a configurable workflow and scheduling, including prompts for review and approval of contracts. The system should handle business associate agreements, contracts, policies, and other important documents. Each user should be prompted for the next step required from her in the process. And, each user needs a dashboard to keep track of progress toward better KPI metrics.
Integration of Vendor Risk Assessment Tools
A comprehensive and sophisticated vendor evaluation system will integrate with certain existing systems, such as accounts payable, purchasing, and others. Integration with your active directory or other authentication system is a nice bonus too. A system that integrates well into your workflow is important. However, it’s important to note that almost any system will require some changes to your process workflow. Hopefully, the changes will result in significant gains in efficiency!
Fortunately, ConfidentVMS, properly implemented in your organization’s workflow, will automate many administrative tasks and reduce the resources required to:
- Establish and maintain a comprehensive and accurate vendor list,
- Perform initial vendor evaluations of products and services, and
- Initiate regular re-evaluation of vendor products and services.
First of all, you will need to establish and maintain a comprehensive and accurate vendor list. (We covered that in Mistake #1). Otherwise, you won’t understand the true scope of your challenge. Also, you need to perform initial vendor evaluations early in the vendor application process. (We explained that in Mistake #2). Furthermore, this article related that you need to evaluate vendor products and services regularly, because they change rapidly. In each of these three cases, you need a system that’s simple, straightforward, and efficient. You need to employ a vendor evaluation tool that automates the routine administrative tasks. That way, you can focus your efforts on the exceptions to your process.
What to do next
- Did you like the article? Please like, comment, or share with your network!
- Don’t get buried by administrative tasks. Learn how to reduce by 75% the resources required to lower your vendor security risk and increase your compliance. Request a demo or Contact us.
- If you haven’t already, read Mistake #1 and Mistake #2.
- Read more great, related articles on our blog
- Stuck on a problem with a project? Need help resolving an issue? Schedule a 20 minute “Let’s Hear It” eval. We’ll discuss with you ideas and approaches for a creative solution to problems you’re trying to solve.
- Please follow the ConfidentVMS company page for information and conversation about Vendor Risk Management.
Written by: Curtis Jones (LinkedIn)
Curtis has over 25 years of experience leading healthcare information technology companies. He helps leaders at healthcare organizations and their vendors manage their shared risk effectively, efficiently, and cooperatively.
About us: ConfidentVMS helps healthcare organizations reduce the resources required to lower vendor security risk and increase compliance. It makes it simple to achieve and maintain vendor HIPAA OCR audit readiness. Contact us for more information or to request a demo.