The Ultimate Manual To Vendor Assessment

Maximizing the value of vendor relationships can be highly beneficial to your organization. Conversely, working with the wrong vendor can expose your company to a wide range of risks. Vendor assessment can help mitigate those risks.

What is Vendor Assessment Anyway?

Vendor assessment, also known as vendor risk assessment, is the process of evaluating and approving prospective vendors or suppliers for an organization. The primary goal of vendor assessment is to form relationships with low-risk, high-quality vendors.

By assessing third-party vendors, you’ll have a greater understanding of how specific events can impact your business in a negative way.

Certain vendors put you at a higher risk for data breaches, regulatory compliance issues, and potential legal concerns. Vendors can even impact your operational efficiency, customer relationships, and public perception of your company.

In short, vendor assessment is a due diligence process that helps companies develop strong, long-term relationships with quality vendors.

How Vendor Assessment Works

No two vendors are the same. Even if they perform similar B2B services or supply identical products, the way they operate will always be different.

Vendor assessment goes beyond the surface level of the vendor’s offering. It dives deeper into how they operate, data security best practices, skills, financials, ongoing risks, and more.

There are several different vendor assessment frameworks, templates, and methodologies that you can follow. All of these apply the same basic concept—you’ll be analyzing vendors based on different criteria to determine whether the implied risk of the relationship is worth it.

One common approach is the 10C Model of Supplier Evaluation, developed by Dr. Ray Carter back in 1995.

The criteria are broad enough and applicable to nearly any vendor or supplier, regardless of what they offer. Using this framework, your company can assess vendors based on the following factors:

  • Competency
  • Capacity
  • Commitment to Quality
  • Consistency of Performance
  • Cost
  • Cash and Finance
  • Communication
  • Control of Internal Processes
  • Corporate Social Responsibility
  • Culture

Since these C’s are so broad, you can customize the way you evaluate each one based on the needs of your specific business.

For example, control of internal processes could mean lots of different things. Internal processes could range anywhere from managing inventory to operational efficiencies and data security. The way you assess vendors will vary based on your own goals and priorities.

While vendor assessment is most commonly performed before a business engages with a new vendor or supplier, it shouldn’t stop there—vendor assessment is an ongoing process.

Once a vendor passes the initial assessment and forms the working relationship, you should continue monitoring the vendor over time. The frequency of these evaluations will depend on the risk level and importance associated with the vendor in question.

High-risk vendors that interact with your customers and have access to customer data should go through an assessment more frequently than a supplier that doesn’t provide core services.

Certain events could trigger an unscheduled assessment with one of your existing vendors.

Let’s say the vendor is being sued, files for bankruptcy, or gets some negative press. All of these could be red flags that your business is exposed to a higher level of risk by working with this third party.

Example #1: SOC Audits

SOC is an acronym for Service Organization Control. An independent CPA performs SOC audits based on criteria defined by the American Institute of Certified Public Accountants (AICPA).

There are three different types of SOC reports:

  • SOC 1 — Overview of a company’s financial reporting and accounting controls.
  • SOC 2 — Rigorous report on the controls of a service provider, most commonly associated with IT vendors. The report is largely tied to the Trust Service Criteria established by AICPA—privacy, confidentiality, processing integrity, availability, and security.
  • SOC 3 — Publicly available report similar to SOC 2, but made for a non-technical audience and not as detailed.

It’s common for businesses to request a SOC 2 audit prior to working with an IT vendor that will be handling sensitive information or company data. This audit can help identify potential risks and data security gaps in the vendor’s internal processes.

Example #2: Data Security Compliance

Another vendor assessment scenario would evaluate vendors for industry or government compliance. GDPR, HIPAA, and CCPA are all common examples in this category.

For example, let’s say your business is bound by GDPR standards imposed by the European Union for customer data. There are clearly defined rules explaining how you can and can’t store customer data and personal identifiers.

If you’re working with a vendor to outsource your servers or data center, you need to ensure that the vendor in question is taking the necessary steps to protect your customer information. Otherwise, your company could be on the hook for hefty fines and penalties for GDPR non-compliance.

How to Get Started With Vendor Assessment

The vendor assessment process can feel a bit intimidating, especially if you’ve never been through it before. By following the tactical steps described below, it will make your life much easier as you get started with your first vendor assessment.

Step 1: Understand the Different Types of Risk

Before you start evaluating specific vendors, you need to take a look at your own business. What types of risk would put your company in a compromising situation?

These are the risks that you’ll end up prioritizing the most as you eventually start assessing different vendors and suppliers. If a vendor’s role overlaps with high-risk categories for your business, then those are the areas you would focus on the most during an evaluation.

While there are dozens of potential business risks, the following list is a good starting point to consider as it pertains to working with third-party vendors:

  • Data Security Risks — Malware, ransomware, phishing, and other types of cyberattacks on an IT network can cause significant damages to a company. Vendors that either have access to your network or provide network services must be carefully evaluated.
  • Compliance Risks — Legal penalties and fines associated with government laws or industry regulations.
  • Transactional Risks — This refers to the transaction itself between your business and the vendor. Factors like foreign exchange rate fluctuations or payment methods would fall into this category.
  • Fraud Risks — Types of vendor fraud include bribery, billing schemes, false payments, employee collusion, and more.
  • Operations Risks — This refers to the risks associated with your day-to-day business operations. It could include everything from supply chain management to production.
  • Geographic Risks — The physical location of your business compared to your vendors can pose potential problems. For example, if you have a supplier located in a region that’s impacted by severe weather in the winter, how would shipping delay impact your company?
  • Upstream and Downstream Risks — The term upstream refers to the raw materials or inputs required for production. Will your suppliers have enough materials if you have a sudden spike in business? Downstream refers to what you distribute—can vendors distributing your products handle your output in all economic conditions?
  • IT Failure or Disruption — The risks associated with the physical breakdown of IT hardware or software crashes. Assess how a complete failure or disruption would impact your organization.

Once you understand how these different risk categories can impact your business, it will be much easier to evaluate vendors and suppliers.

Step 2: Establish a Risk Tolerance Criteria

It’s important to understand that no matter how in-depth your vendor assessment process is, there will always be some risk.

Obviously, you want to limit these risks as much as possible. But certain risk categories are more important than others—it all depends on your risk tolerance.

For example, risks associated with sensitive customer data and compliance would fall on the “intolerable” end of the risk tolerance spectrum. In contrast, something like a delayed shipment of office supplies would probably be a bit more acceptable.

One way to establish your risk tolerance is by using an assessment matrix.

The matrix is based on two things—the likelihood of occurrence and the severity of the incident. You can create a 1-5 numeric scale for each of these and use that to determine your risk tolerance.

For example, let’s say that a certain event has a low likelihood of occurrence and an acceptable level of severity. It’s safe to say that this would be a low-risk event if it happened, and it’s something you can tolerate.

Conversely, an incident that is highly likely to happen and has an intolerable risk threshold would not be acceptable.

You can ultimately use this risk tolerance matrix to evaluate different criteria for vendors.

Step 3: Create a Vendor Catalog

Now that you’ve had a chance to evaluate things internally, it’s time to start looking at specific vendors. Start by creating a catalog of all current vendors, as well as prospective vendors for different needs.

The catalog should describe the role each vendor plays in relation to your company. Describe the interaction, and identify which vendors have access to essential information.

Once the catalog is complete, rank your vendors by level of importance. The ranking scale should be based on how critical they are to your operations. A vendor’s risk level should also be taken into consideration here.

For example, what would the impact be of an incident with the vendor in question? How long would it take you to recover? What would be the financial impact of the incident, and how would it affect your customers?

It helps to assign different level rankings to each vendor. Here’s an example:

  • Level 1 Vendors — Provide essential supplies or services. They interact with customers and have access to sensitive customer and company data.
  • Level 2 Vendors — Handle customer data and sensitive company information but don’t have any customer-facing interactions.
  • Level 3 Vendors — Don’t handle any sensitive data, but they interact with customers.
  • Level 4 Vendors — Support your company’s core offerings but don’t have access to data or customers.
  • Level 5 Vendors — Non-essential vendors that do not support core products and services.

You can use this scale to prioritize vendors that require a more thorough assessment and a higher level of monitoring.

For example, a supplier that delivers snacks to your employee break room would likely be ranked as non-essential. You can make this decision quickly without going through too much of a background check.

Step 4: Narrow Assessments to Key Vendors

Now that you’ve clearly established key vendors, it’s time to actually perform your assessments. You’ll want to create a process here that’s fairly standardized and repeatable.

The assessment procedure should be fairly similar for both current and prospective vendors.

Depending on the scope of your operation, it’s helpful to categorize vendors by the product or service that they offer. Segmenting vendors by category makes it easier to adjust the assessment criteria accordingly.

For example, manufacturers and suppliers could be one category. The assessment questions and criteria for this category would likely be different from a software services provider.

This also reduces the amount of “non-applicable” answers on a vendor assessment questionnaire that you’ll have. Questions related to inventory quantities, shipping times, delivery terms, and procurement details wouldn’t really apply to a SaaS provider.

Beyond questionnaires, assessments might also include on-site evaluations, third-party audits, documentation requests, and more due diligence.

Step 5: Create Assessment Reports and Compare Vendors

Each assessment should conclude with a formal report. This information can be passed to decision-makers within your organization to determine whether or not a vendor is suitable.

Depending on the vendor, certain components of the report may not make or break the ongoing relationship.

For example, let’s say you’re performing an assessment on a vendor that you’ve been working with for five years. The relationship has been great, but you’ve noticed a small red flag that could potentially put your company at risk for issues down the road.

Instead of just terminating that relationship, you could reach out and give that vendor an opportunity to rectify the situation. This will directly tie into the risk tolerance that you’ve previously established.

When you’re performing vendor assessments for new vendors, you can compare the reports side-by-side to see which option will be the best long-term partner for your organization.