Skip to content

5 Tips for Maturing Your Vendor Risk Management Program

Sky rise building with geo map overlay

It wasn't long ago that most businesses were using manual, outdated processes to assess and manage vendor risk, but in recent years that has begun to change. According to research conducted by Whistic, nearly 60% of businesses are using a tool or platform built specifically for vendor risk management—a 43% increase from 2019.But that still leaves more than 40% of businesses that are using primarily email and spreadsheets to evaluate vendors or respond to assessments. There's a better, more efficient way for you to handle this that will help you close deals faster and decrease time to value for your organization. In this post, we'll highlight some easy things you can do to mature your program and take it to the next level.

1. Implement a vendor risk management tool if you haven't done so alreadyThe first and most important thing you can do is start using a vendor risk management tool. A good solution will help automate key processes, provide insights into the status of assessments, and allow you to focus on strategic initiatives rather than administrative tasks associated with the vendor risk management process. It can also help shorten the amount of time each vendor assessment takes to complete, while limiting the number of clarifications needed on your initial response. According to the 2021 State of Vendor Risk Management, it currently takes 6.3 days for vendors to respond to a questionnaire. If there's a clarification request, that adds another three days to the process on average.Taking steps to streamline and standardize the process will result in a better experience for vendors, the InfoSec team, and other key stakeholders.

2. Take a proactive approach whether you're a buyer or a sellerThe State of Vendor Risk Management report also found that more and more buyers and sellers are taking a proactive approach when it comes to vendor risk management. For buyers, they're being more proactive to protect them from potential risks or possible breaches. Sellers, on the other hand, are proactively sharing their security posture early in the sales process to build trust and stand out from the competition.One reason businesses have been reluctant to be more proactive about sharing their security profile proactively in the past is they were worried it wouldn't get accepted or there would need to be a lot more back and forth to make sure all of a customer's questions are answered. That's why we recommend building out a robust security profile that includes a number of common standard questionnaires along with all of your security documentation, certifications, and audits.One of the easiest ways for buyers to be proactive with vendor security is by making it a more integral part of the selection process, not just something that has to be completed before a purchase is made. If more businesses put security first in the procurement process, the likelihood of future breaches would decrease.


Read the 2021 State of Vendor Security report

In our 2021 report on vendor security, we highlight the current state of vendor risk management, identify trends we’re seeing in the industry, and provide recommendations on how to improve the process for buyers, sellers, and other key stakeholders.

Learn More

3. Limit the amount of time sales is involved in responding to assessmentsOne of the biggest pains your sales team experiences with vendor assessments is just how long they take. But beyond that, it takes them away from doing what they're best at—selling your product or solution. The State of Vendor Risk Management shows that sales are involved in responding to questionnaires in some capacity on 70% of deals. This takes up about 6.5 hours a month on average with 20% spending more than 10 hours per month. Every hour that a salesperson spends responding to a security questionnaire is an hour that they're not out actively selling and driving revenue for your business. A lot of this can be solved with step one in this blog post. If you implement a tool that integrates with other software you use, like Salesforce, and you can automate much of the administrative tasks sales contributed previously, you can keep them selling.

4. Adopt standard questionnaires when possibleAnother key insight from the State of Vendor Risk Management is there's no one Standard Questionnaire to rule them all, but that doesn't mean you shouldn't find a Standard that works best for your businesses.Whistic user data has shown that Standard questionnaires are accepted twice as quickly and have an acceptance rate as high as 90% compared to custom questionnaires.

5. Make your security posture publicly availableFinally, once you have that robust security profile that we mentioned in step two, you shouldn't just proactively share it directly with customers and prospects. You should also publish it publicly on your website and in directories like the STAR Registry and Whistic Trust Catalog. Publishing your security posture publicly enables prospects to answer all the concerns they may have about you before they even engage you and lets you make security your competitive advantage.

If you want to learn more insights about current trends in vendor risk management, you can download the full 2021 State of Vendor Security report here.

Third-Party Risk Management