The SC Labs team this month took a deep dive into vendor risk management (VRM) solutions. According to Gartner, VRM is the process of ensuring that service providers and IT suppliers don’t create an unacceptable potential for business disruption or negative impact on business performance.

Michael Diehl

While our team regularly looks at GRC solutions, this is the first time in a while that we’ve gone deeper into VRM  tools. With that said, VRM modules are often packaged inside a GRC tools – the ones we examined specialize in this area and offer a more in-depth solution set.

These tool sets leverage a fair share of information to score vendors risk, some data even reflects information on the dark web that may point to future risks posed by the vendor.

While a successful VRM program is critical, and often required, many organizations fail to understand its importance.

Historically, procurement has been a function of buying goods and services – now it has a much larger impact on overall business strategy. Companies must be concerned with getting the best value for their money from these organizations, as well as with the risks they may pose.

By conducting regular VRM assessments, organizations can examine a few key areas – the risks that can be mitigated, potential insight on optimizing performance thus reducing overall costs, creating and building loyal strategic business relationships, increasing administrative processes and onboarding speeds as well as taking the appropriate steps to protect customers and ultimately the brand.

For this round of testing, we sat down with vendors ask them about the market space and got insight on features that they feel are most important. We spent time in the lab with each product then worked with the vendors to understand their products better before performing a second round of testing.

We were really impressed with the richness of these tools.

All products are based on SaaS so the initial setup just required only that we obtain a username and password to each vendor’s portal.

Along with checking out ease of use, online documentation and how support stacked up, we sought out unique features, if any, that each vendor offered.

SecurityScorecard, for example, uses machine learning to handle a variety of tasks such as pre-filling out new questionnaires by reusing responses from previous applicable questionnaires.

When we tackled the questionnaire portion of each product, we found everyone offered a variety of pre-built questionnaires based on a compliance standard such as NIST, but not every vendor offered the option to customize questionnaires.

RiskRecon lets an organization create risk policies based on its specific risk tolerances while Whistic Vendor Security Management Platform features a questionnaire builder that allows the company to build a questionnaire completely from scratch.

Because these solutions are cloud platforms, the interfaces were at the forefront of our testing.

We wanted to pay extra attention to the organization and ease of use of these products – all the products exceeded expectations. It was easy to see that these vendors spared no expense on the talent to create intuitive user experiences.

These tools are extremely easy to navigate, and the features are organized in logical fashion.

We initially noticed a slight learning curve initially, but after further analysis we believe that this was only due to the large number of features offered by the software solutions.

For a look at all the March 2019 reviews please read on:

BitSight for Third Party Risk Management
CyberGRX Exchange
iTrust Cyber Risk Ratings
Panorays
RiskRecon Portal (SaaS)
SecurityScorecard
Whistic Vendor Security Management Platform