What to Expect When Implementing a Vendor Risk Management Program

In today’s increasingly digital and “everything in the cloud” business landscape, companies are relying more and more on third-party vendors to achieve results quickly and competitively. Your delivery service might rely on a route planning application that you’ve purchased from a mapping vendor. Your online mortgage application website might rely on third-party document signing services. 

It’s true: why would organizations spend exorbitant amounts of time and money reinventing the wheel when someone else has already built a machine that spits out wheels on demand? Using third-party vendors for services that are not core to your business, but are important to your customer experience, is table stakes today. Delivering on the promised customer experience is what drives this need for third-party vendors, and you will most likely end up with more than a few. In fact, many companies use hundreds or even thousands of vendors to quickly and efficiently deliver their product and service offerings.

A key component of a successful GRC/IRM strategy is a good Vendor Risk Management (VRM) program. The challenge is always the same: what should you expect when implementing such a program? How do you get started? What is involved, and how complex does it need to be?

In a previous blog post, we outlined 7 Best Practices for Successfully Managing Third-Party Risk. We described the steps you should take: identifying your vendors and their details, evaluating the potential risk they could pose to your operations, business lines, revenue and brand reputation, and understanding how the vendors themselves deal with such risks. We also described how all of this can empower you to build a plan to mitigate any potential damage to your company’s infrastructure or reputation.

The first thing to expect when implementing a VRM program is that it’s all about gathering information. Knowledge is power, as they say. You cannot expect to waltz into a storage room blindfolded and make your way to the far exit without bumping into anything.

In the same way, you cannot build and manage a business without knowing the details of all of the components that work together to provide your product or service, and how any one of those components could harm your business should it fail to perform as expected.

Full knowledge of your vendors extends far beyond their contact details. You should know their policies and practices, and how these may or may not harmonize with your own. This often means asking specific questions or requesting more general clarification. If you were only dealing with a handful of vendors, perhaps it would suffice to correspond by email. Of course, even with a limited vendor pool, you would want the responses stored in a central location such as a spreadsheet, so you now have to factor in that extra step. Expand this scenario to a pool of three hundred or even three thousand vendors, and this important correspondence becomes unwieldy and prone to errors and omissions.

Now you have collected a repository of detailed information on your vendors. What can you do with this information? The idea is to use it to determine what level of risk a vendor could pose to your operations, and what impact those risks could have on both your reputation and your bottom line.

Many organizations do their best planning when they can work with data visually. Does your database of vendor details offer you a way to collate the information as charts or graphs? Can you quickly and easily filter the information for better focus and clarity? Can you easily report to executives which vendors pose a higher risk to the organization? Can you quickly tell management and the board where the vulnerabilities are and what you have done to mitigate them? None of this bountiful information will help you put a plan in place if it cannot be presented to you in a meaningful way.

Many organizations use a vendor management portal as a central repository for all of their vendor details, so there is no need to resort to email correspondence, unwieldy spreadsheets and unrelated databases. Look for navigable questionnaires built from simple checkboxes, dropdown selections, date pickers and out-of-the-box templates. The key is to find a vendor management solution that works for your organization.

Look for solutions that allow you to dynamically link specific responses to related questions or resources. For example, let’s say a vendor responds to a question that determines whether they are compliant with a certain regulation that your company must adhere to.

The response to that question can update the vendor’s compliance status in a separate document. Finding out which vendors comply with the requirements set out in that document could be as simple as opening the document and viewing the list of vendors with a status of “meets compliance”.

If you can visualize all of your centrally collected data through charts, graphs and filtered lists, you will have the power to make sound decisions about how to mitigate issues that might arise from a vendor’s failure to perform or comply.

Ultimately, what you should expect from implementing a solid risk management program is to have a plan (or plans) in place that enables you to quickly and efficiently address worst-case scenarios in which a third-party vendor has failed your company. In today’s world of instant news and social media, any delay in addressing such issues could spell doom for your company’s reputation and financial stability. Contact the experts at Iceberg today to find out more about how we can help set you on the right path.
