Vendor Risk Management (VRM)

What is Vendor Risk Management?

Vendor Risk Management is defined as the process of ensuring that the use of service and IT suppliers does not create an unacceptable potential for business disruption or negative impact on business performance. Organizations must assess, monitor, and manage their risk exposure from third-party suppliers that provide IT products or services, or that have access to enterprise information.


Nearly all organizations must work with vendors or third-party suppliers in order to achieve their goals. Vendors supply equipment and parts for products, provide software and applications for operations, and do much more for companies. Managing the risks posed to your business by a vendor or third-party is a critical part of running a successful business.

Common Vendor Relationship Scenarios

  • A seller provides equipment to an organization that is a vital part of their supply chain. For example, a technology company like Apple buys microchips and other internal computer components from third-party companies in order to complete the production of their own computers.
  • An individual sells their products or services to an organization for one-time usage. For example, vendors may provide a service like landscaping or grounds cleanup to an organization’s headquarters.
  • Anyone who provides a good or service to the organization itself. This can either be a companies or individual who provides services, supplies, consulting, and any other goods, either once, a few times, or for a prolonged period. An example of this would be an organization partnering with a third-party company to provide a piece of useful software to all of their employees.

Why is Vendor Risk Management Important?

Vendor Management is a company’s oversight of the relationships it has with vendors, from the first interaction to the evaluative process after a relationship has commenced. Vendor Risk Management is an important component of Vendor Management that dissects the relationships your organization has, and looks deeper into the risks these third-parties can impose. These risks can be financial, reputational, compliance-based, or even legal. Therefore it is always in a company’s best interest to protect themselves from vendor risks through the process Vendor Risk Management – before entering into, during, or even after the vendor relationship is completed.


Vendor Risk Management is an organization-wide process that defines and outlines the type of relationship the organization and vendor have agreed to. This can relate to acceptable behaviors, maximum access level, or a wide range of other contractual stipulations. This is vital for the company because it allows you to shape the relationship, and protect yourself from as much risk as possible. This process is also important because it allows you to directly define the risk you want with your third-party vendors. For example, a company tied closely to yours may offer more risk than a small company you use once for landscaping, but that company may provide valuable resources and be worth the risk that comes with a higher degree of partnership.


The Vendor Relationship Life Cycle

With any relationship your organization forms with a third-party vendor there is a life cycle. The seven steps to the Vendor Relationship life cycle are outlined below:

1. Determine and Define Needs

The first step to a vendor relationship is defining what you will need from a third-party vendor. This will determine what you each of you get out of the partnership, and will outline the relationship you will have going forward if a deal is struck.

2. Create Ethics and Rules of Engagement

After needs have been defined and determined, the ethics and rules of the relationship you desire need to be defined. How much access will the vendor have to your resources? How will the vendor conduct itself independent from your company? There are many questions that need to be explicitly answered here before the relationship may continue.

3. Search and Send Out Bids for Vendors

Once you have defined your needs and the ethical standards of the relationship, it’s time to search for a partner. In this step you look for suitable vendors and send bids out to these companies so they may review the attractiveness of the offer from their point of view.

4. Select Vendor(s)

Once bids have been sent out to vendors and preliminary interest is available from both parties, it’s time to select the vendor you look to partner with. This decision process is extremely important, as making sure the company is the best fit will define the success of the relationship.

5. Define Contract Terms and Time Frame

Once you’ve selected the vendor you wish to partner with, it’s time to define the terms of the contract. This step is all about translating the needs and ethics standards from steps 1 and 2 and making sure they are covered in the contract. This is also where you’ll define how long the relationship will persist, and the financial aspect of the partnership.

6. Monitor Relationship and Performance

After a deal has been struck, it’s time for both members of the partnership to fulfill their ends of the deal. As the relationship continues, monitoring the performance of both your organization and the vendor is very important. This step will show you if the relationship was beneficial, and whether you want to continue working together past the expiration date.

7. End of Relationship

At the end of the relationship it is important to decide whether you wish to continue the partnership with a contract renewal, modify or expand the contract with a new deal, or walk away from the partnership altogether. If you wish to continue with the contract you will jump back into monitoring with step 6, a brand new deal will land you back at step 5 with the same vendor in mind, and walking away will mean a fresh start with a new vendor.

Examples of Risks with Vendor Relationships

  • Breach of legal compliance regulations, especially with financial, government and military sectors. This is the risk of the vendor not following ethical or compliance standards that had been previously set.
  • Breach of HIPAA (Health Insurance Portability and Accountability Act). A breach of HIPAA would be the sharing of protected health information (PHI) that is expected to be confidential and secure.
  • General legal issues, which can result in lawsuits, termination of relationships, loss of work, or even more severe penalties.
  • Loss of intellectual property (IP). A risk here is a vendor stealing of hijacking your confidential information and IP and using it for their own advantage or presenting it as their own.
  • Data security, which is crucial because organizations must determine the data access level that a vendor has access to. This is one of the most common forms of risk that end up being abused by vendors.

Check Out Our Latest Posts