No organization can be defensible if it does not make a centralized vendor list the foundation of its vendor risk management program. It is the most basic level of risk awareness, and compiling this list is worth putting other vendor risk activities on pause. If no up-to-date list is currently being maintained, going to Accounts Payable/Finance is the first step.
Below is an example of an email. Feel free to copy and paste.
We have started a process of assessing the risk of our vendors using a tool called S2Vendor by SecurityStudio®. This will ensure the safety of the information we handle both internally and for our customers.
Vendor risk management is a major initiative for our organization, and we require your help in taking the first step towards defensibility – collecting all of our vendors in one place. Currently, there is no central list of the various vendors/third parties that we use, and we cannot protect against what we don’t know.
A vendor/third-party is any organization (sole proprietor, LLC, non-profit, corporation, etc.) who provides any goods or services to our organization. Assuming that all vendors/third-parties are being paid by the organization, please pull a list of:
All vendors/third-parties being paid by invoice for goods/services
All vendors/third-parties being paid via corporate credit cards
All vendors/third-parties being paid through expense reimbursements
If these vendors are associated with a particular business unit or employee, please indicate such next to the vendor’s name. This may be the person who approves the invoice.
We appreciate your cooperation in this organization-wide initiative. Please return this initial list by <month, date>.
Feel free to reach out if you have any questions about our new vendor risk management process.
Thanks,