Vendor & M&A Risk Assessments

Vendor Risk Assessments

VerSprite’s expertise in vendor risk encompasses many layers: operational, technology, security, compliance, and legal risk. We go beyond audit questions and checklists. Our methodology centers around a contextual risk analysis of vendor services to our clients, coupled with security risk management frameworks that are relevant to your control objectives.

Evidence Based Risk Analysis

VerSprite helps clients of any industry manage vendor risks by first addressing the scope of vendors to assess and determining the right impact level, cadence, and measures of analysis to be completed for each vendor. Beyond vendor security posture, we consider inherent threats associated with the service model, data model, technology scope, and impact to business goals.

Below is a visual of how we help clients build a prioritization queue for vendor risk assessments. Each vendor is rated on likelihood (probability: how likely is the event to occur?) and on consequences (what is the potential financial damage or business impact if the risk actually occurs?), and the two ratings are crossed on the matrix.

Likelihood      | Probability - How likely is the event to occur?  | Consequences - potential financial damage or business impact (if the risk actually occurs)
----------------|--------------------------------------------------|------------------------------------------------------------------------------------------
                |                                                  | Insignificant | Minor | Moderate | Major | Catastrophic
Almost Certain  | Expected in normal circumstances (100%)          | Insignificant | Minor | Moderate | Major | Catastrophic
Likely          | Will probably occur in most circumstances (10%)  | Insignificant | Minor | Moderate | Major | Catastrophic
Possible        | Might occur at some time (1%)                    | Insignificant | Minor | Moderate | Major | Catastrophic
Unlikely        | Could occur at some future time (0.1%)           | Insignificant | Minor | Moderate | Major | Catastrophic
Rare            | Only in exceptional circumstances (0.01%)        | Insignificant | Minor | Moderate | Major | Catastrophic

Each likelihood row is crossed with the five consequence levels; a vendor's position on the grid (higher likelihood, more severe consequence) determines how early it enters the assessment queue.
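As an added illustration of the matrix above (example code, not VerSprite's own tooling or method), the following Python module turns the five likelihood levels with their stated probabilities and the five consequence columns into a prioritization queue. The ordinal scoring (likelihood rank times consequence rank), the probability-weighted impact figure, the tie-breaking rule and the sample vendor list are assumptions constructed for this example; the page itself does not state how cells are scored.

```python
"""Vendor prioritization queue built from the 5x5 likelihood x consequence matrix.

Added example, not VerSprite's code. Likelihood levels and their probabilities
are taken from the matrix above; consequence levels are its five columns. The
numeric scoring and the sample vendors are assumptions made for illustration.
"""
from dataclasses import dataclass

# Likelihood levels from the matrix, highest first, with the stated probabilities.
LIKELIHOOD = {
    "Almost Certain": 1.0,     # expected in normal circumstances (100%)
    "Likely": 0.10,            # will probably occur in most circumstances (10%)
    "Possible": 0.01,          # might occur at some time (1%)
    "Unlikely": 0.001,         # could occur at some future time (0.1%)
    "Rare": 0.0001,            # only in exceptional circumstances (0.01%)
}

# Consequence levels from the matrix, least severe first.
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Ordinal ranks (assumption): Almost Certain=5 ... Rare=1; Insignificant=1 ... Catastrophic=5.
LIKELIHOOD_RANK = {name: 5 - i for i, name in enumerate(LIKELIHOOD)}
CONSEQUENCE_RANK = {name: i + 1 for i, name in enumerate(CONSEQUENCE)}


@dataclass(frozen=True)
class Vendor:
    name: str
    likelihood: str
    consequence: str

    def __post_init__(self):
        # Reject ratings that are not one of the matrix's levels.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood level: {self.likelihood!r}")
        if self.consequence not in CONSEQUENCE_RANK:
            raise ValueError(f"unknown consequence level: {self.consequence!r}")


def matrix_score(likelihood, consequence):
    """Ordinal cell score 1..25 (assumption): likelihood rank x consequence rank."""
    return LIKELIHOOD_RANK[likelihood] * CONSEQUENCE_RANK[consequence]


def weighted_impact(likelihood, consequence):
    """Probability-weighted impact (assumption): stated probability x consequence rank.

    Useful when two vendors share a cell score but sit on very different
    probability scales (10% vs 1%).
    """
    return LIKELIHOOD[likelihood] * CONSEQUENCE_RANK[consequence]


def prioritize(vendors):
    """Order vendors for assessment: highest matrix score first.

    Ties are broken by consequence severity, so a Possible/Major vendor
    is queued ahead of a Likely/Moderate one at the same score (assumed rule),
    then by name for a stable, reproducible queue.
    """
    return sorted(
        vendors,
        key=lambda v: (
            -matrix_score(v.likelihood, v.consequence),
            -CONSEQUENCE_RANK[v.consequence],
            v.name,
        ),
    )


def queue_names(vendors):
    """Names in assessment order, convenient for reporting."""
    return [v.name for v in prioritize(vendors)]


# Constructed sample vendors (hypothetical names and ratings).
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "Possible", "Catastrophic"),      # 3 x 5 = 15
    Vendor("office-cleaning", "Almost Certain", "Insignificant"),  # 5 x 1 = 5
    Vendor("cdn-provider", "Likely", "Major"),               # 4 x 4 = 16
    Vendor("swag-printer", "Rare", "Minor"),                 # 1 x 2 = 2
    Vendor("hr-recruiter", "Possible", "Moderate"),          # 3 x 3 = 9
    Vendor("data-broker", "Possible", "Major"),              # 3 x 4 = 12
    Vendor("badge-printer", "Likely", "Moderate"),           # 4 x 3 = 12
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE_VENDORS):
        print(f"{v.name:16} {v.likelihood:15} {v.consequence:14} "
              f"score={matrix_score(v.likelihood, v.consequence):2d} "
              f"weighted={weighted_impact(v.likelihood, v.consequence):.4f}")
```

The ordinal score reproduces the matrix's ranking; the weighted figure exposes how much the stated probabilities differ between adjacent rows (a factor of ten each step), which a plain 1..5 rank hides and which matters when deciding assessment cadence rather than just order.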

The complete range of vendor risk assessments for mergers & acquisitions includes the following:

Vendor Tiering:

Managed service offerings around tiering client vendors and applying a custom security assessment to each tier, based upon vendor risk profiles defined by VerSprite and client groups.

Vendor Risk Assessment:

Individual vendor risk assessment engagements for client vendor(s) that may jeopardize physical and logical security for the client organization. We deliver an objective report to the client organization with risk analysis for findings and prescriptive remediation guidance.

Vendor Risk Reporting:

Create a tiered vendor risk landscape of all vendors based upon 30-point risk criteria. Provide guidance on the levels of assessment efforts and cadence that an internal vendor risk program should apply.

Vendor Contract Legal Assist:

Assist legal groups on reviewing vendor contracts in order to determine if the proper level of risk mitigation is being considered in the legal language of key vendor contracts.

M&A Security Assessments

VerSprite’s M&A security assessments provide a pre-acquisition risk analysis as well as a cost analysis on where gaps exist and how those gaps could introduce liabilities or business risks that are best discussed early in the engagement.

Unlike other professional service firms, VerSprite understands business and the financial impact that incongruent security programs can have on M&As. For this reason, our services include the following:

The assessment deliverable will leverage a security baseline of controls (NIST CSF, NIST 800-53, ISO 27002, COBIT, etc.) in order to establish a security scorecard.

The M&A security engagement will conduct a financial impact analysis of the gaps identified. Cost estimates will be made for the lack of security controls observed as part of the assessment.

Process and technological control gaps will be aligned to prescriptive remediation cost values so that the client organization can factor the cost of security integration with the entity to be acquired into the deal.

Let us build a tailored engagement for you.

We are an international squad of professionals working as one.
