Skip to content

VRM Program Development

Vendor Risk Management (VRM)

Organizations implement VRM programs as a formal way to evaluate, track and measure third-party risk, assess its impact on all aspects of your business, and develop compensating controls or other forms of mitigation to lessen the impact on the business if something should happen.  A formal VRM program provides consistency for managing vendors and establishes a methodology  to share risk information about them within your organization.    

Vendor Management Charter and Policy Review

Vendor management needs to be treated as a continuous program in order to be successful.  Articulating and documenting an executive leadership approved vendor management charter will establish enterprise expectations, define success criteria, and will serve as the guidepost for successfully developing a Vendor Management Risk program.  

A full review of the current Vendor Management Policies will be performed, and recommendations presented for their improvement.  In addition, we will assist in the creation and subsequent approval for standard provisions that every contract should contain related to cyber risk.  

Vendor Framework - Topology and Categorization

The vendor framework effort will create the definitions for the vendor categorization and associated topology framework for managing all vendors.  In addition, this exercise will establish the risk criteria by which a vendor is placed into one of the four categories; Critical, High, Medium and Low.  

This includes the creation of a roadmap framework to manage the contract termination/renewal dates and an action plan to update the contracts with the standard provisions on or near a contract event date.  

Risk Register

Cyturus will assist in establishing a Risk Register. A Risk Register is a tool for documenting risks to the business, categorizing by response strategy (Avoidance, Transferring, Mitigation, Acceptance) and the actions to manage and maintain the current status for each of the identified risks. The Risk Register is essential to the successful management of organizational risks.

Our VRM service is based on our proprietary Adaptive Risk Model (ARM) methodology. The Cyturus ARM identifies deficiencies, measures potential business impact, and recommends prioritized remediation actions across the entire enterprise. This service can be ingested into the Cyturus ARM framework for deeper examination and lateral impact as part of a future holistic engagement.

Does your organization have a formal VRM program? Do you need expert guidance in that development? Contact us to discuss your VRM strategy and program maturity.