Trial lock

This Research is for Members Only

Not a member? Unlock a free sample of our research now!

Already a member?

Sign in now

Vendor Management icon

Proactively Identify and Mitigate Vendor Risk

Promote a collaborative approach to vendor risk management and guard against regulatory, security, operational, and financial risk.

Unlock a Free Sample

View Storyboard

Solution Set Storyboard Thumbnail


  • Daniel J. Enneking, Founder, Strategic Procurement Partners
  • Donald H. Hopkins, Adjunct Assistant Professor, Wright State University in the College of Business
  • Deepak Bansal, Director Vendor Performance Relationship, Management, Willis Towers Watson
  • Steve Jeffery, First Vice President Strategic Sourcing, SunTrust

Your Challenge

  • IT priorities are focused on daily tasks, pushing risk management to secondary importance and diverging from a proactive environment.
  • IT leaders are relying on an increasing number of third-party technology vendors and outsourcing key functions to meet the rapid pace of change within IT.
  • Risk levels can fluctuate over the course of the partnership, requiring manual process checks and/or automated solutions.

Our Advice

Critical Insight

  • Every IT vendor carries risks that have business implications. These legal, financial, security, and operational risks could inhibit business continuity and IT can’t wait until an issue arises to act.
  • Making intelligent decisions about risks without knowing what their financial impact will be is difficult. Risk impact must be quantified.
  • You don’t know what you don’t know, and what you don’t know, can hurt you. To find hidden risks, you must use a structured risk identification method.

Impact and Result

  • A thorough risk assessment in the selection phase is your first line of defense. If you follow the principles of vendor risk management, you can mitigate collateral losses following an adverse event.
  • Make a conscious decision whether to accept the risk based on time, priority, and impact. Spend the required time to correctly identify and enact defined vendor management processes that determine spend categories and appropriately evaluate potential and preferred suppliers. Ensure you accurately assess the partnership potential.
  • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s most significant risks before they happen.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out how to create a vendor risk management program that minimizes your organization’s vulnerability and mitigates adverse scenarios.

2. Assess vendor risk and define your response strategy

Categorize, prioritize, and assess your vendor risks. Follow up with creating effective response strategies.

3. Monitor, communicate, and improve IT vendor risk process

Assign accountability and responsibilities to formalize ongoing risk monitoring. Communicate your findings to management and share the plan moving forward.

Guided Implementations

This guided implementation is a four call advisory process.

Guided Implementation #1 - Review vendor risk fundamentals and establish governance

Call #1 - Review vendor risk fundamentals
Call #2 - Establish a risk governance framework

Guided Implementation #2 - Assess vendor risk and define your response strategy

Call #1 - Assess vendor risk and define your response strategy

Guided Implementation #3 - Monitor, communicate, and improve vendor risk process

Call #1 - Monitor, communicate, and improve vendor risk process

Onsite Workshop

Discuss This Workshop

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Prepare for the Workshop

The Purpose

  • To prepare the team for the workshop.

Key Benefits Achieved

  • Avoids delays and interruptions once the workshop is in progress.




Send workshop agenda to all participants.

  • All necessary participants assembled

Prepare list of vendors and review any contracts provided by them.

  • List of vendors and vendor contracts

Review current risk management process.

  • Understanding of current risk management process

Module 2: Review Vendor Risk Fundamentals and Establish Governance

The Purpose

  • Review IT vendor risk fundamentals.
  • Assess current maturity and set risk management program goals.
  • Engage stakeholders and establish a risk governance framework.

Key Benefits Achieved

  • Understanding of organizational risk culture and the corresponding risk threshold.
  • Obstacles to effective IT risk management identified.
  • Attainable goals to increase maturity established.
  • Understanding of the gap to achieve vendor risk readiness.




Brainstorm vendor-related risks.


Assess current program maturity.

  • Vendor risk management maturity assessment

Identify obstacles and pain points.


Develop risk management goals.

  • Goals for vendor risk management

Develop key risk indicators (KRIs) and escalation protocols.


Gain stakeholders’ perspective.

  • Stakeholders’ opinions

Module 3: Assess Vendor Risk and Define Your Response Strategy

The Purpose

  • Categorize vendors.
  • Prioritize assessed risks.

Key Benefits Achieved

  • Risk events prioritized according to risk severity – as defined by the business.




Categorize vendors.


Map vendor infrastructure.


Prioritize vendors.

  • Vendors classified and prioritized

Identify risk contributing factors.


Assess risk exposure.

  • Vendor risk exposure

Calculate expected cost.

  • Expected cost calculation

Identify risk events.


Input risks into the Risk Register Tool.

Module 4: Assess Vendor Risk and Define Your Response Strategy (continued)

The Purpose

  • Determine risk threshold and contract clause relating to risk prevention.
  • Identify and assess risk response actions.

Key Benefits Achieved

  • Thorough analysis has been conducted on the value and effectiveness of risk responses for high-severity risk events.
  • Risk response strategies have been identified for all key risks.
  • Authoritative risk response recommendations can be made to senior leadership.




Determine the threshold for (un)acceptable risk.

  • Thresholds for (un)acceptable risk

Match elements of the contract to related vendor risks.


Identify and assess risk responses.

  • Risk responses

Module 5: Monitor, Communicate, and Improve IT Vendor Risk Process

The Purpose

  • Communicate top risks to management.
  • Assign accountabilities and responsibilities for risk management process.
  • Establish monitoring schedule.

Key Benefits Achieved

  • Risk monitoring responsibilities are established.
  • Transparent accountabilities and established ongoing improvement of the vendor risk management program.




Create a stakeholder map.

  • Stakeholder map

Complete RACI chart.

  • Assigned accountability for risk management

Establish the reporting schedule.

  • Established monitoring schedule
  • Risk report

Finalize the vendor risk management program.

  • Vendor Risk Management Program Manual