Supplier Risk Management Best Practices: 7 Critical Steps to Building a Proactive SRM Program

Most procurement and supplier managers face an uphill battle of manual processes and disjointed tools on their path to mitigating supplier risks. Use these best practices to overcome your SRM challenges.
Scott Lang
VP, Product Marketing
November 11, 2022
Consider these scenarios: A cyber-attack takes a key supplier offline, hampering your company’s ability to produce goods. Layoffs at an IT vendor lead to diminished oversight of security controls and data safeguards. A natural disaster or geopolitical event disrupts your supply chain, delaying the release of a new product. A critical third party is cited and fined for an ethical lapse, resulting in “guilt-by-association” reputational problems for your company.

Each of the above supplier risk events can lead to cost overruns, jeopardize revenue, and damage customer trust. If these risks are being tracked at all, it’s being done in silos, which forces organizations into reactive mode when a disruption occurs. How can your procurement and supplier management teams get ahead of supplier risk before it impacts your organization? Here are seven ways to gain proactive risk visibility and control across every stage of the supplier relationship.

1. Build risk evaluations into supplier sourcing and selection

Given today’s complex business environment, basing supplier sourcing and selection solely on technical fit is a risky proposition. It’s now essential for procurement and sourcing teams to also confirm whether a potential supplier’s risk profile is acceptable. This means evaluating multiple dimensions of risk, including:

  • Demographics: Is the supplier in a region prone to natural disasters or geopolitical instability?
  • Fourth-party ecosystem: Which fourth and Nth parties does the supplier rely on?
  • Cybersecurity: Has the supplier been breached and, if so, what type of data was impacted? What was their response?
  • Business and financial: Has there been recent merger or acquisition activity at the supplier? Does their financial or credit history raise any concerns?
  • Compliance: Has the supplier been flagged for data privacy, environmental, social and governance, bribery, or OFAC violations? Have they faced sanctions?
  • Reputational: Has the supplier been criticized in the media or other public communications outlets?

By seeking risk insights early on, you can compare potential suppliers beyond technical fit and establish a baseline risk level for each supplier that you select.

2. Include risk-based provisions in supplier contracts

Be sure to carry over any due diligence findings from the sourcing and selection stage into the contract lifecycle. Include key risk provisions in your supplier contracts and leverage an automated contract lifecycle management solution to:

  • Streamline each step of the contract lifecycle with workflow automation capabilities
  • Keep track of key attributes such as dates, values, reminders and statuses
  • Streamline approvals with reminders, overdue notices, and other task management capabilities
  • Ensure visibility with discussion tracking, document management and version control

Contractual provisions should address incident notification timing and require advance warning of events that could impact supplier relationships, so you can prepare sufficient contingency plans.

3. Stay on top of KPIs and KRIs

Effectively communicating supplier risk and its potential business impact can be challenging. Measuring and tracking Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) is essential to the SRM process, but unwieldy spreadsheets and overly detailed dashboards can make it difficult for decision makers to “see the forest for the trees.”

To provide some clarity around KPIs and KRIs, Prevalent created an eBook and scorecard that:

  • Clarifies the difference between KPIs and KRIs
  • Identifies four categories of supplier metrics to measure
  • Prioritizes 25 recommended supplier KPIs and KRIs to report to the board and leadership

eBook: 25 KPIs and KRIs for Third-Party Risk Management

The 25 Most Important KPIs and KRIs for Third-Party Risk Management will put you on the path to more effective communication regarding your TPRM program.


4. Take a consistent approach to supplier tiering and categorization

Not every supplier requires the same level of scrutiny, so tiering and categorizing suppliers based on risk will help you to prioritize and scope your ongoing risk assessment and monitoring initiatives.

For a more structured approach, consider grouping your suppliers based on three categories of risk:

  • Profiled Risk: To start, group your suppliers based on profiled risk, which is the risk associated with each group’s industry, criticality to business performance, location, and other high-level factors. This can typically be achieved by conducting a quick survey of internal supplier managers.
  • Inherent Risk: This is each supplier’s specific level of risk before accounting for any controls required by your organization. Use supplier questionnaires to gather information on their level of access to your operations and data, internal security processes, reliance on fourth and Nth parties, legal and regulatory obligations, and other company-specific factors. Resulting risks should be scored based on likelihood and business impact.
  • Residual Risk: Having a baseline inherent risk score enables you to then calculate residual risk, or the risk level remaining after controls are applied. You’ll be able to determine residual risk after working closely with each supplier to remediate or mitigate issues identified during the assessment process.

Tiering and categorization must be performed consistently to gain an accurate picture of your third-party risk exposure, inform further due diligence, and ensure that suppliers are assessed against the risks and standards that matter most to your business.
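The inherent-to-residual scoring and tiering described in this step, as an added example that is not part of the original post or of Prevalent's product: the five-point likelihood and impact scales, the control-effectiveness factor, the tier cut-offs and the sample findings are all assumptions chosen to show the mechanics.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # five-point ordinal scale, 1 = lowest ... 5 = highest (assumed)


@dataclass
class Finding:
    name: str
    likelihood: int                      # 1-5
    impact: int                          # 1-5 business impact
    control_effectiveness: float = 0.0   # 0.0 = no control in place, 1.0 = fully mitigated

    def inherent(self) -> int:
        """Inherent risk: likelihood x impact, before any controls are considered."""
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be within 1-5")
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Residual risk: the inherent score reduced by how effective the agreed control is."""
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be within 0.0-1.0")
        return self.inherent() * (1.0 - self.control_effectiveness)


def tier(score: float) -> str:
    """Map a score on the 1-25 range to a tier; cut-offs are an assumption for this example."""
    if score >= 15:
        return "Tier 1 (critical)"
    if score >= 8:
        return "Tier 2 (high)"
    if score >= 4:
        return "Tier 3 (medium)"
    return "Tier 4 (low)"


def assess(supplier: str, findings: list[Finding]) -> dict:
    """Tier a supplier on its worst finding, so one severe unmitigated issue is not averaged away."""
    if not findings:
        raise ValueError(f"{supplier}: cannot tier a supplier with no findings")
    inherent = max(f.inherent() for f in findings)
    residual = max(f.residual() for f in findings)
    return {"supplier": supplier, "inherent": inherent, "inherent_tier": tier(inherent),
            "residual": residual, "residual_tier": tier(residual)}


# Constructed sample: a hypothetical supplier with three questionnaire findings.
SAMPLE_FINDINGS = [
    Finding("Processes customer PII", likelihood=3, impact=5, control_effectiveness=0.6),
    Finding("Single fourth-party hosting provider", likelihood=2, impact=4),
    Finding("No independent security audit report", likelihood=4, impact=3, control_effectiveness=0.5),
]
```

Running `assess("ExampleSupplier (constructed)", SAMPLE_FINDINGS)` places the supplier in Tier 1 on inherent risk but Tier 2 on residual risk, because the unmitigated fourth-party concentration finding still scores 8 after the other two are partly controlled.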

5. Devote the right resources to supplier risk assessments

Accurately and comprehensively assessing your supplier risk will likely require participation from experts from several disciplines across your company, including supplier management, procurement, IT security, compliance and privacy – not to mention your supplier contacts. A centralized SRM platform can help by delivering automated, relevant supplier risk assessments that drastically reduce manual labor while rallying both internal and external stakeholders around a single, cohesive process.

When it comes to selecting risk assessment questionnaires, you’ll need to consider two primary factors:

  • Content. Standardized or custom? Standardized questionnaires make it easier to compare suppliers. Custom content enables more precise evaluation.
  • Method. Should you do it yourself or outsource to a specialist managed services provider? Many organizations choose to devote their resources to managing risks, leaving the collection of supplier data to outsourced specialists.

Regardless of the content or collection method you use, be sure to have a remediation strategy to act on assessment results. There’s no sense in conducting risk assessments if you’re not willing (or able) to go the final mile.

6. Continuously monitor for supplier risks

At any time, businesses can fail, new products can launch, or mergers and acquisitions can occur. Questionnaire-based assessments are essential for gathering data from suppliers at specific points in time, but new risks will inevitably surface between periodic assessments.

You can bridge the gaps between assessments, keep risk scores updated and accurate, and know when further investigation is necessary by leveraging a continuous risk monitoring solution to scan public and private sources of supplier intelligence for:

  • Cyber exposures, such as data breaches, leaked credentials, and company data on the Dark Web
  • Business news, such as M&A activity and operational updates
  • Financial updates, such as public filings, annual reports, and profit and loss statements
  • Reputational issues, such as adverse media and executives on politically exposed person (PEP) lists
  • Compliance violations, sanctions, state-owned enterprises, and other conflicts of interest

If there is any best practice in this post that will help procurement and supplier teams become more proactive, it’s this one. Not only should you leverage continuous monitoring data to validate and update assessment findings, but also seek an SRM solution that integrates monitoring and assessment capabilities for maximum efficiency and visibility.

7. Don’t forget offboarding risk

A supplier’s risk to your business doesn’t just evaporate when the contract ends or is terminated. A supplier holding sensitive data must return and/or securely destroy that data; support obligations may outlive a purchase agreement; and organizations must ensure that any supplier access to internal systems is terminated.

Key considerations in your supplier offboarding strategy should include:

  • Centralized contract assessments to ensure that final commitments are met
  • Offboarding workflow to gain approval from all internal stakeholders before final sign-off
  • Reporting to validate compliance

While this may seem obvious, Prevalent research found that 43 percent of companies are not actively assessing supplier risks during offboarding.

Build a More Proactive Supplier Risk Management Program

Our best practices guide delivers a prescriptive outline for staying on top of supplier risk from onboarding to offboarding.


Download the Best Practices Guide

To measure your current supplier risk management process against best practices, download Seven Stages to a More Proactive Supplier Risk Management Program. The guide examines:

  • The characteristics of a mature and proactive supplier risk management (SRM) program
  • How different risks should be managed at each stage of the supplier relationship
  • Key capabilities to look for in a solution that addresses multiple supplier risk types
  • Real use cases for companies that have successfully tackled their SRM challenges
  • Tips and tricks for securing buy-in across the enterprise

Contact us today to schedule a demo where we can demonstrate how to take your SRM program from reactive to proactive.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
