Study Finds Two Thirds Of Companies Conduct Risk Assessments On Less Than Half Of Vendors

Companies are cutting corners when it comes to third-party due diligence

It is no secret that inherent risk assessments are crucial to third-party risk management success, but are they being conducted?

During a recent IT GRC webinar, “Automating Your Third-Party Risk Management Program”, attendees were asked how many of their vendors have been given an inherent risk assessment during the onboarding process.

While any third-party risk management professional would be quick to say that they perform inherent risk assessments to determine the level of due diligence for a vendor, the survey revealed that two-thirds of companies are actually scoring less than half of their vendors.

That means most companies are potentially exposing their organisation to unnecessary and potentially damaging risks at the very point where it is most appropriate to keep the risk out. Risk managers know that contracting a vendor is the beginning of a new relationship – there are several unknowns, and managers can expose their enterprise to risks with enduring consequences – and yet the numbers tell a different story.

While some may argue that assessing some vendors is better than a company forgoing inherent risk assessments altogether, once contracted, these vendors could have access to sensitive information. If they are compromised, then your data could be as well. Are you willing to take that risk?

Why is the large majority bypassing a major step in the vendor onboarding process? This is likely due to how tedious, manual and time-intensive the process can be. Traditional spreadsheet-based vetting processes take up a lot of time and require a lot of bandwidth that most companies frankly do not have. They are not choosing to forgo due diligence; they simply do not have the resources to get it done.

But the good news is, there is an easier way.


Replace Inconsistent, Manual Due Diligence with Vendor Risk Management Automation

One of the initial key steps in onboarding a vendor is determining the level of inherent risk, as this determines the depth of due diligence the company must conduct on a vendor. Although all third-party vendors must be onboarded, they do not merit equal attention. Vendors that provide essential services, or hold sensitive data, carry a high degree of inherent risk, and must be scrutinised as such.


So where do you start?

Organisations must determine which third parties carry meaningful risk that requires more than a cursory review. This may consist of a simple, standardised internal questionnaire that helps to determine whether or not the vendor requires deeper due diligence. An intelligent intake process acknowledges differences in risk that merit different degrees of review, prioritises the vendors who require further investigation and reduces costly and time-consuming analyst input.

Although this sounds like a relatively simple process, many organisations make it unnecessarily complex by relying on manual processes prone to error and inconsistency. From spreadsheets that cannot be easily consolidated to emails that fail to create a documentable trail of activity, time-intensive processes that require heavy manual analysis play a large part in discrepancies and mistakes.

Assessment automation can help to not only streamline processes, but also provide necessary peace of mind to risk professionals, ensuring that all vendors have been properly assessed to the required level.
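As an added illustration of the intake process described above (example code, not ProcessUnity's or DVV Solutions' software), the following turns standardised yes/no questionnaire answers into an inherent-risk tier, builds the prioritised review queue, and reports the assessment coverage figure the study measures. The question names, weights, tier thresholds and sample vendors are constructed assumptions.

```python
from dataclasses import dataclass

# Weighted intake questions; question names and weights are illustrative assumptions.
QUESTIONS = {
    "stores_sensitive_data": 4,        # vendor holds customer, PII or financial data
    "essential_service": 4,            # an outage would halt a core business process
    "network_access": 2,               # vendor connects into our environment
    "fourth_party_subcontractors": 1,  # vendor passes work on to its own suppliers
}

@dataclass
class Vendor:
    name: str
    answers: dict          # question -> bool, as answered on the intake questionnaire
    assessed: bool = False  # has an inherent risk assessment actually been recorded?

def inherent_risk_score(answers):
    """Sum the weights of every question answered 'yes'; an unanswered question counts as 'no'."""
    return sum(w for q, w in QUESTIONS.items() if answers.get(q, False))

def tier(score):
    """Map a score to the required depth of due diligence (thresholds are assumptions)."""
    if score >= 6:
        return "high"      # full assessment before contract signature
    if score >= 3:
        return "medium"    # standard questionnaire plus evidence review
    return "low"           # cursory review only

def review_queue(vendors):
    """Vendors needing more than a cursory review, highest inherent risk first."""
    scored = [(inherent_risk_score(v.answers), v) for v in vendors]
    return [v.name for s, v in sorted(scored, key=lambda t: -t[0]) if tier(s) != "low"]

def coverage(vendors):
    """Fraction of onboarded vendors that have actually been assessed (the study's metric)."""
    return sum(v.assessed for v in vendors) / len(vendors)

# Constructed sample intake data for four hypothetical vendors.
VENDORS = [
    Vendor("payroll-saas", {"stores_sensitive_data": True, "essential_service": True}, assessed=True),
    Vendor("office-catering", {}),
    Vendor("msp-helpdesk", {"network_access": True, "fourth_party_subcontractors": True}),
    Vendor("cloud-backup", {"stores_sensitive_data": True, "fourth_party_subcontractors": True}),
]

if __name__ == "__main__":
    print(review_queue(VENDORS), f"coverage={coverage(VENDORS):.0%}")
```

Run as-is it queues payroll-saas, cloud-backup and msp-helpdesk for deeper review and reports 25% coverage, the kind of gap the survey above found at most companies.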


How can you improve your inherent risk assessment process?

DVV Solutions can help you to automate and streamline your programme and ensure your company isn’t the next organisation making headlines for a third-party data breach. Our third-party risk management services and software not only save valuable time and money, but also safeguard companies from potential weaknesses in their vendors that can lead to data extraction, financial and reputational damage, and more.

Our suite of consultative and managed services delivers significant improvements in:

- developing and maturing current risk methodologies and frameworks,

- scaling resources to supplement and enhance existing risk assessment programmes, and

- delivering time and cost efficiencies through established best practice and workflow automation,

to enable risk assurance teams to spend more time on what’s important: eliminating control gaps, raising security standards and reducing risk in the cyber supply chain.


Contact DVV Solutions

To find out more about DVV Solutions, or for information about our third-party risk managed services and solutions, please:

Call us on +44 (0) 161 476 8700, or

Complete our Contact Form



This article was originally published by ProcessUnity and is shared with their kind permission.