In my experience building vendor risk management programs at several companies, there are five categories of “gotchas” that risk management teams must look out for. These gotchas include everything from not having simple vendor contact information, to not presenting the right risk metrics to the board. Each can lead to onboarding delays, missed risks, and compliance failures if not addressed immediately.
To help you avoid some of the same pitfalls that I have experienced, I’ve put together a checklist of questions to ask and areas to investigate.
1. Not Knowing Your Vendor Universe
If you don’t know who your vendors are, how can you assess them?
- How complete is your vendor universe list? Do you know your vendors and the total number of vendors?
- Are there multiple departments onboarding vendors? (e.g., a $5,000 purchase authorization lets anyone buy a service.)
- Do you have point-of-contact details for all vendors?
- Who is the business point-of-contact?
- Who owns the risk in the vendor relationship?
- Do you understand the engagement with the vendor (e.g., what service they provide)?
- Can you “follow the data” of the service to the Nth party?
- Does your existing process lead to the perception that vendor risk management is a roadblock instead of an enabler?
- Are selection, onboarding and renewal decisions made with profiling, inherent risk, and residual risk data?
2. Program Deficiencies
Without must-have controls in place, what are you assessing against?
- What criteria are used to make tiering decisions? Spend, engagement, risk tolerance?
- What criteria are used to make due diligence decisions? By data that the vendor handles (e.g., sensitive, confidential, proprietary) or by category of service provided?
- How are you identifying and reviewing controls that matter to your business?
- Do you have a steering committee in place to help make decisions?
- Who are the control owners?
- What is the internal staff skill level? Is there a playbook in place to help them handle processes and incidents?
3. Complex Requirements for Due Diligence
How difficult and costly are your assessments?
- What intake/request management process do you have in place? Email? How are important vendor attributes captured?
- How transparent is the vendor request process?
- How many different questionnaires are being used to assess vendors? Are there opportunities to consolidate?
- How are you managing information overload? Is there a process in place to associate a questionnaire response with outside validation (e.g., threat scores or alerts)?
- Is due diligence used in procurement or sourcing for vendor selection?
4. Unclear Risk Scoring and Disposition
How are you harmonizing questionnaire results and vendor threat intelligence?
- Are impact and likelihood considered when calculating risk scores?
- Are thresholds in place to identify which risks require attention? (The alternative is that every risk is reviewed and requires a response from the vendor, causing delay and waste.)
- Are risk remediation recommendations and timelines clear to all parties – assessor, vendors, etc.?
- How are risks tracked to closure?
- Are there identified business owners for risks?
- Is there an exception/disposition process or workflow in place?
- Is there a way to measure the effectiveness of risk reduction over time? (e.g., are risk indicators or milestones available?)
5. No KPI and KRI Metrics or Reporting
If it’s not reportable, how do you change the culture?
- Is the organization working in silos? If so, how is risk reporting bridging the divide?
- What key performance indicators (KPIs) are in place to measure the effectiveness of the third-party risk management (TPRM) program or of the vendors?
- Are service level targets communicated, understood, and met?
- Are key risk indicators (KRIs) in place to measure risk reduction in real time and to trend it over time?
- How are risks tracked and reported?
- Is reporting manually created? If so, what could be missing?
- What metrics and risk status are being presented to the board? Are they being used to support data-driven decisions?
These gotchas and questions certainly aren’t exhaustive, but they represent the most common stumbling blocks many vendor risk management programs face as they evolve their processes.
Download our white paper, 5 Steps to Proactive Third-Party Risk Management, for more best practices – or request a demo to discuss your program requirements with our experts.