June 12, 2020
Should I Assess The Product Or The Company? Using Salesforce As An Example
This is a question that I’ve heard 50+ times over the past few years from a variety of companies that range in size and industry. It’s complex and there’s no easy answer, but let me try my best to give some direction on this topic.
Let’s say that your company uses Salesforce and you use three of their products – Sales Cloud, Service Cloud and Mulesoft. Should you be doing an assessment on the company – Salesforce – or on each of the products that you use or the company AND the products?
I want to reference a Department of Homeland Security (DHS) document entitled Risk Management Fundamentals. In it, there are a few core principles that will guide my answer to this vendor risk topic. These principles include:
• Unity of Effort
• Adaptability
These are all extremely worthwhile, but for this topic, adaptability is what stands out to me. In the “Adaptability” section, the author writes, “A changing world, filled with adaptive adversaries, increased interdependencies, and new technologies, necessitates security measures that are equally adaptable.”
When vendor risk is based on a set of dynamic inputs (how you will use a vendor, and what the nature of that vendor’s business is), a company needs to be flexible and adaptable in how it approaches its assessment.
For vendor risk management, you should never create a policy whose process cannot adapt to the various vendors you might do business with.
Given the example above with Salesforce, if your entire business is run with the help of Mulesoft and Service Cloud but you determine Sales Cloud is less important, then I would absolutely make the determination to assess both Service Cloud and Mulesoft, and possibly even Salesforce as a business.
However, if Sales Cloud is the only essential part of your business, it might make sense to only assess Sales Cloud and not Service Cloud, Mulesoft or Salesforce.
There is no hard and fast rule about whether you should assess a company or a set of products, but going back to the DHS document, the author writes: “DHS and its homeland security partners must be flexible in their approach to managing risk.” You should consider the necessity of flexibility for your vendor risk program given the various vendor use case scenarios you will encounter.