Intelligent Vendor Risk Management

Create the ideal risk program that aligns with business objectives and mitigates risk. Vendor Risk Management (VRM) is a critical element of third party risk and procurement programs. Carefully selected vendors are important resources for goods, services and innovation. But, often, these vendors bring additional risk to the business. This past year of ongoing Covid economic recovery has made ‘supply chain’ a household concern. Everyone understands that vendor and supply issues have impacted consumer availability of food, fuel, electronics, automobiles and more.

“Nearly two years after the world first learned of COVID, the supply chain is still experiencing an unfortunate series of firsts – a historic level of carrier unreliability, record high freight rates, all-time low warehouse vacancies and more.”

[For more on how the worldwide supply chain continues to be affected, read 5 Ways the COVID-19 pandemic has changed the supply chain.]

Manufacturing and supply chain teams have managed supply chain risks as long as the modern factory has existed. However, within the last 2-3 decades, the proliferation of global sourcing and ‘digital everything’ and supply has made it critical to also evaluate and consider indirect vendor risk.

It has also dropped the threshold where a company needs to be mindful of FCPA/ABC and other anti-fraud and corruption regulations. While these regulations aren’t ‘new,’ it’s no longer just big multi-national companies that are at risk of vendors or channel partners offering money or gifts to get work done – particularly in countries where such bribes are common. FCPA penalties can lead to jail time for company officers as well as significant financial penalties. 

Additionally, growth of the internet and ‘digital-everything’ has created privacy and security risks (both regulatory and breach) for almost all companies. It’s almost impossible for a B2B or B2C company to transact without collecting PII at some level. GDPR, CCPA and other regulations cast a broad net requiring all companies to comply or face potentially enormous fines.

Since January 28, 2021, European Union (EU) protection authorities have handed out close to $1.25 billion in fines for breaches of the General Data Protection Regulation.

Company leaders are negligent if they don’t implement an effective third party risk program including Vendor Risk Management (VRM). While all risks and regulations may not be a concern for all companies, most companies fail to understand and implement successful risk management programs until after breaches, fines, failures have occurred or as required by customers and third party auditors.

Build communication and partnership into your risk policy

It’s easy for a risk team to lose sight of its core purpose, which isn’t simply to eliminate all risks. That would quickly tank the business with friction and delays. 

It’s critical for risk and other back office teams to remember that they exist to ‘enable business success.’ At the same time, zero understanding and mitigation of risk typically leads the company to carry various risks that can easily lead to material business impact or failure. It’s important to find the right balance.

Business leaders who are tasked with product development, manufacturing or other service delivery understand keenly the impact of time and delays on their operations. When back office teams require processes that fail to support the ‘speed of business,’ the business has minimal tolerance or ability to comply. Because the business leaders understand the value of time, they often ignore policies and programs that are clearly designed without consideration of business objectives and goals.

In this scenario, the risk teams may be feeling great about their far reaching policies and programs, but are blind to the additional risk they have created. Because the business recognizes that they can’t both comply with business goals/targets AND risk processes, it finds shortcuts and workarounds that enable work to get done without any review or mitigation from risk teams. 

Those out of touch policies and processes are ignored, and worked around as the business naturally recognizes there’s actually more risk to the business by delaying a project, product to market, or service delivery than whatever the risk team is trying to mitigate against. The business may be wrong, but this failure in supporting business policy indicates a lack of the communication and partnership that should be at the foundation of the policy.

The most important policy that all team members must remember is to ‘only act in the best interest of the company.’  In an interview, Reed Hastings, CEO of Netflix once said, “Instead of blindly following directions or sticking to a process, a first principle thinker will constantly ask, ‘What’s best for the company?’ and ‘Couldn’t we do it this other way instead?’”  

Along this same line of thinking, the business needs to understand the risks and purpose for additional reviews, and risk teams must understand and factor core business priorities (including speed)into every policy and process design. 

It’s easy for either party to think they are reducing risk when they are in fact increasing risk with their myopic mindset.

Seek Collaboration, Not Buy-In

Without alignment and collaboration between your risk and business teams, leadership buy-in is almost impossible. It’s critical that the risk team and the business work together to develop an ideal risk program. 

The team with the most leadership influence sometimes imposes their will on the rest of the business. This can lead to superficial ‘buy in’ or ‘disagree and commit.’ But none of this is ideal for the business. Only through collaboration and alignment with core business objectives can the risk programs be designed to truly minimize risk. 

Since, the company’s business success is what matters most, collaboration and teamwork should be the most important expectation of senior leadership. 

Don’t be confused that ‘business success,’ is a proxy for increasing sales, revenue, or partnerships. Business objectives or risk can be ignored in hopes of achieving a short term goal. But that is often at the expense of longer term goals and success. 

At the same time, the negative impact to the business when you ‘over rotate’ on risk programs may not be seen in the first few quarters, but eventually the impacts will be impossible to ignore. The stacking of delays and the mass exit of the most talented and innovative team members will create a negative spiral that may persist for years, or even worse, become the fabric of your company culture.

Don’t seek to obtain buy-in and compliance. Seek to obtain collaboration as you look to truly support the business in reducing risk rather than blindly imposing policy.

The highest value expectation is joint collaboration to enable business success.

Understand high value vs. trivial questions

The advent of ‘pseudo standard’ assessments and questionnaires make it easy to ask for an increasingly long set of data and documents. It’s good to remember that ‘just because you can, doesn’t mean that you should.’ 

Supplier self-reported data and documents are critical to the process. But it’s important to remember that this type of  data has limitations. The accuracy of self-reported data will decrease in direct correlation with the increased length of the questionnaire. Until a true standard emerges, there’s massive work imposed on suppliers to manage virtually unlimited variations of questions and assessments. 

Response time (and response accuracy) decreases as assessment length and complexity increases. Wise risk managers recognize this relationship and invest the extra effort up front to understand high impact/value questions versus imposing endless trivial questions for the supplier to review and for risk managers to factor into assessments, risk determination and mitigation.

Often the most powerful questions are those that ask for third party assessments and audits (ISO, SOC 2, Fedramp, etc). The existence of these reports aligned with their findings allow risk managers to trust the structure and process of third party auditors and jump quickly to the negative findings and mitigations. This approach saves time, decreases complexity, and enables the vendor to leverage their investment in the third party assessment. 

When these third party assessments are available, you should avoid requiring the vendor to answer a lengthy questionnaire that essentially replicates the process required by the third party for the assessment. Your assessment platform should include the questionnaire logic-branching to skip the lengthy questionnaire given the audited assessment.

Raise the bar on self-reported data

As mentioned, the most powerful self-reported evidence is the data that has been attested by a third party audit or certification. 

However, in the absence of robust third party validations, additional questions for the vendor are necessary. Many data and risk companies scrape data from the internet for search and reference. While this is helpful, it’s often expired or older information. 

Asking the vendor to self report their compliance should be the foundation of your process. Even better if you can collect the vendor data and documents from a portal that enables cross-sharing of that information.  It’s never appropriate for a portal to display or share self-reported information from vendors without their approval. But that approval, along with self-certification that the shared data is accurate and up-to-date saves everyone time.

I’ve always believed that the more fully the vendor-approved data is shared across customers, the more the community will begin to raise the bar on the accuracy of self-reported information.

I often fear that vendors blur the accuracy of their answers to win a new deal. But if that blurred answer is visible to all connected customers, the vendor will hold themselves to a higher standard of truth and accuracy.

Blend self-reported and third party data 

What’s the old phase?  “Trust, but verify.”  That’s as true with vendor risk assessments as anywhere. It’s tempting to rely only on self-reported information or third party (scraped) information. But the most clarity comes from a blend of the two.

In some cases third party validation is key.  As an example, UL certifies product ingredients for safety  and environmental sustainability while protecting the secret recipes of the vendors.  RapidRatings and Credit Risk Monitor do the same by reviewing private company financials without disclosing sensitive details publicly. 

In other cases, third party validation can bring an entirely different perspective to the risk determination. DarkBeam(R), BitSight(R) and other ‘outside the firewall’ security assessment tools shine a light on the exterior perimeter of firewalls, domains, dark web, market, breached passwords and other variables that are almost never the subject of self-reported assessments. 

Lastly, for the highest risk vendors, on-site audits, penetration testing, and other methods are critical to verify the risks and mitigations of the vendor relationship and operations. 

Modern risk platforms blend together both self-reported data and documents alongside third party opinions, audits, and verifications. This enables factoring third party data into risk measurements. The blend of self-reported and third party data also supports a risk monitoring program that provides a holistic dashboard of all vendor risks versus separate data boards for financial viability, compliance, privacy, security, modern slavery, sustainability, etc.

Win stakeholder trust with end-to-end visibility

As I highlighted earlier, it’s critical that the risk team and the business collaborate to develop an ideal risk program. It’s also critical that all risk teams work together. In my job, I’m constantly completing risk assessments and onboarding surveys. It’s stunning (and frustrating) to me how often the same company asks the same question multiple times. 

Sometimes this is a factor of different teams sending different surveys (they are clearly working in silos), but sometimes I’m even asked the same question in the same spreadsheet or form. It’s clear that assessment exhaustion isn’t just hard on the vendors, but also on the internal teams managing the process.

The most modern vendor risk and onboarding platforms bring the teams and assessments together. This enables the rationalization of questions, eliminates redundancy, and enables a holistic vendor risk management process and design to be considered. 

A common platform also enables various risk teams (and the supporting procurement process) to have visibility of status, scores, and opinions. One risk team may be on the threshold of assigning a higher/lower score, and they would easily shift their score one way or the other if they could see a more holistic view of the vendor, rather than just their own siloed concerns. 

Perhaps most importantly, a common platform enables all players to see the status and overall process throughout the lifecycle. There’s almost nothing more frustrating than for business stakeholders to agree to follow a policy or process while waiting on the outside of the black box with no visibility, hoping and praying the process will complete before it tanks their project deliverables. End-to- end visibility is an important capability to maintain business stakeholder confidence, trust, and process compliance.

Enable business success 

The very best risk teams understand the primary goal of enabling company business success. They also collaborate closely with the business as they design and implement risk processes. This supports increased compliance to risk processes and policies while also protecting the business from unforeseen negative impacts.

1. World Economic Forum. 5 ways the COVID-19 pandemic has changed the supply chain.

 2. CNBC. Fines for breaches of EU privacy law spike sevenfold to $1.2 billion, as Big Tech bears the brunt. 

3. Forbes. The Netflix Decision Making Model Is Why They’re So Successful (forbes.com)