IT risk is finance risk. Seasoned CFOs know this. And it’s why they treat IT vendor risk management (VRM) with the attention it deserves.

Companies have been outsourcing projects—even entire IT functions—for a long time. In our digital age, vendor management has become more involved because vendors’ roles and responsibilities have evolved in sophistication and complexity.

And so have the risks that some IT vendors may present. Whether you’re reading this as an early-career procurement professional or a deeply experienced financial controller, this guide will help you to learn (and reinforce):

What is vendor risk management (VRM)?

Vendor risk management is the process of ensuring external IT service providers and vendors do not cause negative impacts on your business performance, according to Gartner. Some finance professionals and risk managers prefer to call this process IT VRM.

Why businesses must manage vendor risks

The short answer is that it’s one of several vendor management best practices. The longer answer? It’s just too costly to leave vendor risks to chance. In fact, a Deloitte report revealed organizations are more likely to face a ‘high impact third-party incident’ if they haven’t invested in managing vendor risks. Here are some of the risks that VRM can tackle.

The rise of Shadow IT

Companies are using more SaaS products than ever before. A recent study by Zylo found that most companies add an average of eight applications per month. Exacerbating matters is the ease of acquiring a new application. In most cases, you can sign up for a new SaaS application with just a couple of clicks and a credit card number.

This has led to what is known as Shadow IT: employees acquiring software and services outside the ownership or control of the centralized IT organization. As companies grow, so does the number of SaaS applications required to sustain the business. Finance teams struggle to manage the sheer volume of SaaS vendors, and even worse, IT departments face an uphill battle securing a constantly growing cloud-first environment.

Shift to sustainable IT partnerships

Environmental, Social, and Governance (ESG) risks are growing every day. Vendors who are irresponsible with sustainability, product sourcing, the environment, and industrial relations laws can expose you to myriad dangers. CFOs increasingly have their eyes on ESG, and ‘Green IT’ is adding to these considerations. For example, businesses that still rely on their own data centers are now being encouraged to migrate to the cloud, both to tamp down energy costs and to limit the risk of climate damage to data centers.

Prevent service disruption

Relying too much on a single vendor or set of vendors in one country or geographic region can be a big source of risk, too. VRM is not a replacement for a detailed vendor management strategy, although it can inform that process. For example, many tech-focused businesses engage developers in regions as diverse as Eastern Europe and Southeast Asia. Good VRM can help you identify potential repercussions from natural catastrophes, pandemic outbreaks, and geopolitical upheaval that can impact your company's reputation if it leads to service disruption.

Avoid regulatory breaches

Unfortunately, there is always a possibility a third-party vendor will break a law or regulation. Compliance rules have become more complex, and many organizations have spent more money to ensure they don't break the law. The Bank Secrecy Act (BSA) and the Office of Foreign Assets Control (OFAC) are just two areas that may apply to your vendor relationships.

Stop data losses and leaks

Information security (infosec) and cybersecurity matter, too. Even before many firms switched to remote and hybrid work, businesses have depended more and more on VPNs, cloud software, and sensitive data sharing. Data breaches, ransomware, and malware are all problems that are here to stay.

5 steps to create a vendor risk management program

For finance teams and SMB owners, most of the vendors you turn to are tasked with managing sensitive customer data, maintaining infrastructure or applications, and ensuring service uptime. As a result, you need a framework to assess their security and regulatory compliance capabilities and determine what (and where) your risk exposure is.

And you need that framework even if the vendors aren’t technically engaged by the finance unit itself. This is why it's worth setting up a dedicated vendor risk management program. Follow these steps to establish your own VRM program.

Step 1: Form a risk management team

Start by creating a risk assessment team.

  • Consider building this team around experts from finance, legal, IT, security, PR, and compliance.
  • A good cross-functional team will ensure the risk management process is informed by potential risks from across the organization.
  • Smaller businesses and startups can work with their own financial controller (or a fractional CFO) to map out risks.

This can keep risk management costs in check, especially if the fractional CFO’s risk areas are mapped to financial automation software.

Step 2: Review vendor contracts

Risk managers recently identified the ‘lack of pre-contract due diligence’ as their biggest challenge when managing third-party vendor risks, according to a 2021 report from Prevalent.

This is why contract lifecycle management — the process of proactively and consistently managing your contracts — is so important. Just as it can help you manage vendor negotiations and rein in vendor spending, so too can it help you stay ahead of common risks and move away from high-risk vendors.

Contract lifecycle management can help you set out your approach to the negotiation process, and your review and approval procedure. It will also set out how contracts are preserved and monitored.

Step 3: Check vendor references

Ideally, during the onboarding process you should be checking references before you sign a contract for services. But that doesn’t mean you shouldn’t also periodically review your existing vendor relationships with tools like a vendor scorecard, because key personnel can change, as can business models, along with your vendors’ owner-supplier relationships.

A company background check on vendors should include information such as criminal convictions of employees, bankruptcy cases, regulatory violations, corporate record verification, government sanctions, civil litigation, and social media reputation.

Step 4: Check insurance certificates

A key part of risk management is ensuring that your organization doesn’t bear all the responsibility for problems at a vendor, be they cyber attacks, workplace accidents, or injury to site visitors or the public. Ask vendors for certificates of insurance and be sure to do so on a regular basis. It’s not uncommon for smaller vendors to purchase insurance to clinch a large project, only to let it lapse after the initial term, leaving both your business and theirs open to the high risks the insurance was first purchased to prevent.

Step 5: Use charge cards to manage vendor spending

Payments to vendors are a key way to manage risk too. Longstanding accounts payable habits can take a while to shift, and for many businesses, there’s a temptation to actually move away from card payments as you scale. For some reason, invoices are seen as ‘safer’, even if they do slow down payment processing and collection time frames.

In fact, card payments can help you manage the risk of vendor overspending, by giving you the ability to limit spending on certain vendors or entire categories of vendors. Importantly, you can then also identify where vendors are being paid for services that are no longer fit for purpose.

What is a vendor risk assessment?

A vendor risk assessment is a thorough review of the products, supplies, and services a vendor provides to your business. By assessing vendors for risk, finance teams can prevent problems before they arise by determining whether the vendor could later expose the business to legal or security problems, or damage the organization's reputation.

How to conduct an IT vendor risk assessment

Here’s a simple run-through of how to carry out a vendor risk assessment:

Create a risk assessment scorecard

A risk assessment scorecard can help you rank any likely risks by their level of potential impact. The criteria and metrics the team uses should be based on the type of business you do, your priority areas, and customer expectations. Ensure that you use this scorecard for each evaluation you do so that this workflow remains consistent and transparent.

Compile a list of vendors

Here you should examine criteria such as what the vendor does for your organization, how important they are to it, where they are situated, what data they handle, and any potential hazards they pose. Make sure to cross-reference vendor lists from your AP department and procurement team to make sure you have a complete list. Regularly update this data.

Ask teams and departments about vendors

Once you have this list, you can then categorize your vendor networks correctly by speaking to the business units that engage them. Using a questionnaire, they can help confirm the vendor's location, whether or not their products or services are mission-critical, how much sensitive data they manage, and whether or not they'll have access to your computer network. For example, your business may have categories for insurance companies, accounting services, marketing consultants, and law firms.

Identify any vendor security risks

Now, you can assess each vendor at the company, product, and service level. A two-tiered approach to this risk assessment process will help you catch any gaps, vulnerabilities, and potential operational risks, further improving your company’s ability to choose the right vendor. To do this:

  • Cross-check vendors against key product areas to identify problems like over-dependency, foreign exchange risk, inflation, and in-country risks such as conflict or pandemic outbreaks.
  • Cross-check the services vendors provide to ensure they are not prone to the risk of fraud, regulatory change, or their own third or fourth-party suppliers.

Conduct an on-site audit

In rare circumstances, you'll need to conduct an on-site audit to get a more detailed assessment. Although on-site audits may be required for certain types of vendors when external regulators demand a yearly in-person review, consider broadening that pool to include other mission-critical partners who aren’t covered by the regulatory umbrella.

Develop a vendor risk management framework using finance automation

Despite the intricacies of vendor risk mitigation, 42 percent of professionals are still using spreadsheets for activities like vendor risk assessments, according to the Prevalent report. A third of people surveyed for the report said they were dissatisfied with or uninterested in this approach.

Finance automation is one way to address this dissatisfaction and make VRM more structured. Ramp, for example, can help you set up vendor-specific virtual cards to control spending and prevent shadow IT with simpler vendor approvals. With these cards and approvals in place, you can protect your business should you decide the vendor relationship has gone awry.

Content Lead, Ramp
Fiona writes about B2B growth strategies and digital marketing. Prior to Ramp, she led content teams at Google and Intercom. Fiona graduated from UC Berkeley with a degree in English. Outside of work, she spends time dreaming about hiking the Pacific Crest Trail one day.
What is the difference between vendor risk management and vendor management?

Vendor management is the process of overseeing and controlling the products, supplies, and services that you purchase to operate your business, while vendor risk management deals specifically with managing the risk associated with vendors. This includes vetting potential vendors and continuously monitoring existing ones to avoid cybersecurity risks and other potential setbacks.

Why do you need vendor risk management?

Vendor risk management is necessary for businesses because the costs of not managing vendor risk can be too significant. Choosing not to manage vendor risk can lead to sensitive information breaches and service disruption. Ongoing monitoring is also a feature that can reduce a business’s financial risk as they grow and add new vendors.

How do vendor scorecards help with third-party risk management?

A vendor scorecard is a rating tool that helps companies evaluate vendor performance as well as streamline and systematize the vendor risk assessment process. Vendor scorecards help businesses understand how vendors stack up against each other and where vulnerabilities lie. You can use a vendor scorecard to help you determine which vendors you should work with and which contracts might need to be renegotiated.