Fans of the story, Alice in Wonderland, will remember how the Cheshire Cat answered Alice when she asked him which way to go. He answered, “If you don't know where you are going, any road will get you there.” What the Cheshire Cat meant was if you lack an objective, then you have no destination in mind; if there is no purpose there is no goal.
The same can be said for third-party risk management (TPRM). When working with vendors, suppliers and other third parties, it is critical to define and agree on each relationship’s objectives and overarching goal (i.e., the “destination”) from the start. Following TPRM best practices during the due diligence and onboarding phases can help you predict whether a new third party is capable of delivering against their objectives – and hopefully avoid major headaches down the road.
Once you begin any journey, it’s important to regularly check your bearings to make sure you are on the right course. Unfortunately, many third-party relationships fail to reach their objectives after the initial contract is signed. To stay on track, it’s critical to monitor each vendor’s performance against objectives and service level agreements (SLAs) throughout the relationship.
Here are some practical steps for managing vendor performance and SLAs to ensure productive, secure and lasting third-party relationships:
This is the foundation. Each third-party relationship should have clearly defined and documented objectives and goals from the outset.
Some relationships are flat with a straightforward, singular purpose, while others are complex with several layers of contracts and SLAs. For example, one firm I advised had 5,000 suppliers across a total of 20,000 facilities – with each supplier having 1-50 facilities. In this case, both performance and risk were measured at both the supplier and facility levels. One the other hand, a global bank I worked with had an outsourcing relationship with a single service provider, but that one relationship had over 100 different contracts and service level agreements associated with it.
The next step is to clearly dissect the contracts and SLAs to establish and define key performance indicators (KPIs) to measure positive and negative delivery against the contracts and service-level agreements.
Risk, as defined in ISO 31000, is the effect of uncertainty on objectives. Once KPIs are in place, establish key risk indicators (KRIs) to monitor for control failures, adverse events and security exposures that might disrupt the third party’s ability to deliver on its objectives and/or adhere to agreed-upon service levels.
To provide value, vendor performance monitoring needs to produce real-time insights and metrics. Ensure your performance monitoring processes are backed by reporting and dashboards that delivery visibility into KPIs and KRIs in the context of specific contracts and service-level agreements. This will enable you to make better informed decisions and empower you to collaborate with vendors on making necessary adjustments to meet your objectives.
Following these steps will help your organization to be more agile and resilient. Agility enables you to scale and increase value from high-performing relationships, while resiliency enables you to minimize loss or damage in an under-performing relationship.
I recommend integrating vendor performance and SLA management with third-party risk and compliance assessments. After all, a vendor that delivers on contracts and SLAs might still expose your organization to data breaches or violate policies related to ABAC, ESG, Modern Slavery, or other business risks.
Strengthen your resilience against software supply chain attacks by implementing these best practices for increasing third-party...