© 2020 RSM US LLP. All rights reserved.
Vendor Risk Management
A vendor risk management (VRM) process examines your vendor base to reduce the risks they may bring into your organization.
If you outsource IT tasks to vendors, you may be exposing your data and assets to risk, to a degree that depends on the strength of each vendor's security program. You want vendors to operate in a secure and compliant manner, both for your own assurance and because certain compliance frameworks require you to report on whether your vendors handle data in a compliant manner. If you lack a formal or effective vendor risk management (VRM) program, RSM can assist you in vetting vendors and in assessing and handling the varying degrees of vendor risk using our turnkey vendor management tool. Our assistance helps you select new vendors and manage current vendors based on their risk and impact to your business.
Our VRM clients get access to a tool that streamlines the vetting and monitoring process. Within this tool, your vendors complete security questionnaires assessing their compliance against industry standards and their risk to your organization. For example, vendors describe how much of your data they handle and whether they do so securely. RSM professionals with technical, security and management capabilities then help you monitor and analyze these responses, which can then be funneled back into the VRM program and your business operations.
Additionally, a good VRM program can assist in your compliance efforts. The Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act require you to confirm whether your vendors are handling your and your clients' data in a compliant fashion. If your vendors mishandle your data, you may still be liable for any damages and ensuing penalties. While the effort of meeting some PCI DSS requirements may be offloaded to vendors, the responsibility for validating that compliance still rests with your organization. A good VRM program gives you more confidence in the effectiveness of that validation.