Intelligent Vendor Risk Management

Carefully selected vendors are important resources for goods, services, and innovation. However, these vendors often bring additional risk, which is why vendor risk management (VRM) is such a critical element of third-party risk and procurement programs.

What Is Vendor Risk Management and Why Is It Important?

Vendor risk management is identifying, assessing, and mitigating risks associated with third-party vendors. This is important because it can help protect your organization from potential financial, reputational, and regulatory compliance risks that may arise from your vendor relationships.

How COVID Disrupted Supply Chains

These past few years of COVID economic recovery have made ‘supply chain and supply chain disruptions’ a household concern.

“Nearly two years after the world first learned of COVID, the supply chain is still experiencing an unfortunate series of firsts – a historic level of carrier unreliability, record high freight rates, all-time low warehouse vacancies, and more.”

Everyone understands that vendor and supply chain issues have impacted consumer availability of food, fuel, electronics, automobiles, and more. [For more on how the worldwide supply chain continues to be affected, read 5 Ways the COVID-19 pandemic has changed the supply chain.]

Managing Vendor Risk in Your Supply Chains

Manufacturing and vendor risk management teams have managed supply chain risks as long as the modern factory has existed. However, within the last 2-3 decades, the proliferation of global sourcing and ‘digital everything’ has made it critical to also evaluate and consider indirect vendor risk.

It’s also dropped the threshold where a company needs to be mindful of FCPA/ABC and other anti-fraud and corruption regulations. While regulatory compliance isn’t new, it’s no longer just big multinational companies at risk of vendors or channel partners offering money or gifts to get work done – particularly in countries where such bribes are common. The Foreign Corrupt Practices Act (FCPA) penalties can lead to jail time for company officers as well as significant financial penalties. 

Internet and ‘Digital Everything’ Introduces Privacy and Security Risks

Additionally, the growth of the internet and ‘digital everything’ has introduced new privacy and security risks, including those related to the Payment Card Industry Data Security Standard (PCI DSS), compliance requirements, and data security for almost all companies. It is nearly impossible for a B2B or B2C company to conduct transactions without collecting personal information in some capacity. Regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have a broad reach, requiring all companies to adhere to these guidelines or potentially face significant fines. As of January 28, 2021, European Union protection authorities have issued fines totaling close to $1.25 billion for violations of GDPR. This highlights the importance of having proper vendor risk management and data security controls in place.

Company leaders must prioritize implementing an effective third-party risk management program, such as Vendor Risk Management (VRM), to address concerns over information security, data privacy, and compliance obligations, including those related to the risks and regulations brought on by the rise of the internet and digital everything. Companies need a successful vendor risk management program to mitigate the potential fines, data breaches, and failures that can occur in today’s digital landscape. Additionally, customers and third-party auditors may require proof of compliance with information technology (IT) goods and services, making a vendor risk management program a crucial aspect of overall risk management.

Balance Business Success with Risk Mitigation in Your Vendor Risk Management Strategy

It’s easy for a risk management team to lose sight of its core purpose, which isn’t simply to eliminate all vendor risks. That would quickly tank the business with friction and delays. 

It’s critical for risk management and other back office teams to remember that they exist to ‘enable business success.’ At the same time, zero understanding and mitigation of risk typically leads the company to risk exposure that can easily lead to material business impacts or failure. It’s essential to find the right balance.

When Risk Management Interrupts the Speed of Business

Business leaders tasked with product development, manufacturing, or other service delivery understand keenly the impact of time and delays on their operations. When back office teams require processes that fail to support the ‘speed of business,’ the business has minimal tolerance or ability to comply. Because business leaders understand the value of time, they often ignore policies and programs that are clearly designed without consideration of business objectives and goals.

In this scenario, the risk management teams may be feeling great about their far-reaching policies and risk management activities but are blind to the additional risk they have created. Because the business recognizes that it can’t both comply with business goals AND risk processes, it finds shortcuts and workarounds that enable work to get done without any review or mitigation from risk management teams. 

Factor Core Business Priorities into Your Risk Management Framework

Those out-of-touch risk management policies and processes are ignored and worked around as the business naturally recognizes there’s actually more risk to the business by delaying a project, product to market, or service delivery than whatever the risk management team is trying to mitigate against. The business may be wrong, but this failure to support business policy indicates a lack of communication and partnership that should be at the foundation of the supplier risk management policy.

All team members must remember the most important policy: ‘Only act in the best interest of the company.’  In an interview, Reed Hastings, CEO of Netflix, once said, “Instead of blindly following directions or sticking to a process, a first principle thinker will constantly ask, ‘What’s best for the company?’ and ‘Couldn’t we do it this other way instead?’”  

Along this same line of thinking, the business needs to understand the potential risks and purpose for additional reviews, and risk management teams must understand and factor core business priorities (including speed) into every risk management policy and process design. 

It’s easy for either party to think they are decreasing risks when they are, in fact, increasing potential risks with their myopic mindset.

Align with Core Business Objectives to Manage Risk

Leadership buy-in is almost impossible without alignment and collaboration between your own risk management program and business teams. It’s critical that the risk team and the business work together to develop an ideal risk program.

The team with the most leadership influence sometimes imposes its will on the rest of the business. This can lead to superficial ‘buy-in’ or ‘disagree and commit.’ But none of this is ideal for the business. Only through collaboration and alignment with core business objectives can risk programs be designed to mitigate risk truly. 

Since the company’s business success matters most, collaboration and teamwork should be the most important expectation of senior leadership. Don’t be confused that ‘business success’ is a proxy for increasing sales, revenue, or partnerships. Business objectives or risks can be ignored in hopes of achieving a short-term goal. But that is often at the expense of longer-term goals and success. 

Seek Collaboration in Your Vendor Risk Management Strategy

At the same time, the negative impact on the business when you ‘over rotate’ on risk management programs may not be seen in the first few quarters, but eventually, the impacts will be impossible to ignore. The stacking of delays and the mass exit of the most talented and innovative team members will create a negative spiral that may persist for years or, even worse, become the fabric of your company culture.

Don’t seek to obtain buy-in for internal security controls and compliance. Seek to obtain collaboration as you look to truly support the business in reducing risk rather than blindly imposing policy and a rigid risk management framework.

The highest value expectation is joint collaboration between business partners to enable business success.

Vendor Assessments in Risk Management

The advent of ‘pseudo standard’ supplier assessments and questionnaires makes it easy to ask key suppliers for an increasingly long set of data and documents. It’s good to remember that ‘just because you can, doesn’t mean that you should.’ 

Supplier self-reported data and documents are critical to the vendor selection process. But it’s important to remember that this type of data has limitations. The accuracy of self-reported data will decrease in direct correlation with the increased length of the questionnaire. Until a true standard emerges, there’s massive work imposed on suppliers to manage virtually unlimited variations of questions and assessments. 

Response time (and response accuracy) decreases as assessment length and complexity increase. Wise risk management leaders recognize this relationship. That’s why they invest the extra effort upfront to understand high value versus endless trivial questions for the supplier to review and for risk managers to factor into their supplier risk assessments, risk determination, and risk mitigation.

Often the most powerful questions ask for third-party assessments and audits (ISO, SOC 2, Fedramp, etc). The reports allow risk managers to trust the structure and process of third-party auditors and jump quickly to the negative findings and mitigations. This approach saves time, decreases complexity, and enables vendors to leverage their investment in the third-party risk assessment. 

When these third-party risk assessments are available, you should avoid requiring the vendor to answer a lengthy questionnaire that essentially replicates the third-party risk assessment process. Given the audited assessment, your assessment platform should include logic branching to skip the lengthy questionnaire.

Share Self-Reported Data in Risk Management

As mentioned, the most powerful self-reported evidence is the data attested by a third-party audit or certification. However, in the absence of robust third-party validations, additional questions for the vendor are necessary. Many data and risk companies scrape data from the internet for search and reference. While this is helpful, it’s often expired or older information. 

Asking the vendor to self-report their compliance should be the foundation of your risk management process. Even better if you can collect the vendor data and documents from a portal that enables cross-sharing of that information.  It’s never appropriate for a portal to display or share self-reported information from vendors without their approval. However, approval and self-certification that the shared data is accurate and up-to-date saves everyone time.

I’ve always believed that the more fully the vendor-approved data is shared across customers, the more the community will begin to raise the bar on the accuracy of self-reported information.

I often fear that vendors blur the accuracy of their answers to win a new deal. But if that blurred answer is visible to all connected customers, the vendors will hold themselves to a higher standard of truth and accuracy.

Blend Self-Reported and Third-Party Data in Risk Management

What’s the old phrase?  “Trust, but verify.”  That’s as true with vendor risk assessments as anywhere else. It’s tempting to rely only on self-reported or third-party (scraped) information, but the most clarity comes from a blend of the two.

In some cases, third-party validation is key.  For example, UL certifies product ingredients for safety and environmental sustainability while protecting the secret recipes of the vendors.  RapidRatings and Credit Risk Monitor do the same by reviewing private company financials without disclosing sensitive details publicly. 

In other cases, third-party risk management and validation can bring an entirely different perspective to the risk determination. BitSight(R) and other ‘outside the firewall’ security assessment tools shine a light on the exterior perimeter of firewalls, domains, dark web, market, breached passwords, and other cyber-risks that are almost never the subject of self-reported assessments. 

Lastly, for the highest-risk vendors, on-site audits, penetration testing, and other methods are critical to verifying the risks of the vendor relationship and operations. 

Modern risk platforms combine self-reported data and documents with third-party opinions, audits, and verifications. This enables factoring third-party data into risk measurements. The blend of self-reported and third-party data also supports a risk monitoring program that provides a holistic dashboard of all vendor risks versus separate data boards for financial viability, various compliance requirements, privacy and security breaches, modern slavery, sustainability, etc.

Collaborate to Develop an Ideal Risk Management Program

As I highlighted earlier, it’s critical that the risk management team and the business collaborate to develop an ideal risk management program and that all risk management teams work together. In my job, I’m constantly completing risk assessments and onboarding surveys. It’s stunning (and frustrating) to me how often the same company asks the same question multiple times. 

Sometimes this is a factor of different teams sending different surveys (they are clearly working in silos), but sometimes I’m even asked the same question in the same spreadsheet or form. It’s clear that assessment exhaustion isn’t just hard on the vendors but also on the internal teams managing the vendor risk management process.

The most modern onboarding and vendor management platforms combine teams and assessments. This enables the rationalization of questions, eliminates redundancy, and ensures a more holistic vendor risk management process. 

Gain End-to-End Visibility in Risk Management

A common platform also enables various risk management teams (and the supporting procurement process) to have visibility of status, scores, and opinions. One risk management team may be on the threshold of assigning a higher/lower score, and they would easily shift their score one way or the other if they could see a more holistic view of the vendor risk rather than just their own siloed concerns. 

Perhaps most importantly, a common platform with continuous monitoring capabilities enables all players to see the status and overall process throughout the vendor lifecycle management. There’s almost nothing more frustrating than for business stakeholders to agree to follow a policy or risk management process while waiting on the outside of the black box with no visibility, hoping and praying the process will complete before it tanks their project deliverables. End-to-end visibility is an important capability to maintain business continuity, stakeholder confidence, trust, and process compliance.

Enable Business Success and Manage Supplier Risk

The very best vendor risk management teams understand the primary goal of enabling company business success. They also collaborate closely with the business as they design and implement risk management processes. This supports increased compliance with risk processes and policies while also protecting the business from unforeseen negative impacts.

1. World Economic Forum. 5 ways the COVID-19 pandemic has changed the supply chain.

 2. CNBC. Fines for breaches of EU privacy law spike sevenfold to $1.2 billion, as Big Tech bears the brunt. 

3. Forbes. The Netflix Decision Making Model Is Why They’re So Successful (forbes.com)