Vendor Risk Management Best Practices: Questions & Answers

Rsam and PWC met with Atlanta area businesses on November 3 to talk about the hot topic of vendor risk management (VRM). Attendees asked great questions about best practices. We want to share them since they’re likely universal.

Question: Is there a success story about a company that’s done VRM well? And, which functional area should ‘own’ VRM?

Response: Organizations that establish communal governance councils have the best success. You need ownership across the business. Think of it as an ecosystem of stakeholders. The governance council may own the platform but all business functions must be involved.

Typically, legal, compliance, risk and Info Sec teams initiate a VRM initiative. Organizations that create a governance council to drive the program across the organization will influence its success.

Question: Should you approach assessments at the vendor level or engagement level?

Response: If it involves “universal buying” it’s usually done at the vendor level. More nuanced purchases are done at the engagement level. You might need to have sub-questionnaires to address those particular situations. Ultimately, assessments should always be based on the criticality of vendors. Always be aware of who has access to what and the connecting points from the vendor into your critical systems.

Question: How should you go about consolidating vendors following a merger or acquisition?

Response: M&A activities can impact the organization greatly in terms of vendor risk. A vendor who is critical to one company may not be to the other. You have to take an integrated approach to assessments. Get all stakeholders on board from the start. When an organization is going through an acquisition, change management is difficult enough. It’s important for everyone to realize how the acquisition impacts the dynamics of vendor relationships.

Poll Questions

Attendees at the Atlanta event represented many different industries, including Financial Services, Legal, Manufacturing, Healthcare and others. While their organizations were diverse, one thing was common: The group acknowledged that they have room for improvement in their current VRM program. A quick poll of the room showed the following:

  • The majority are relying on manual processes for assessments.
  • No one is using integrations with third-party services to help bolster their assessment process.
  • Vendor risk management isn’t confined to one functional area. Most commonly the VRM role reports to InfoSec but other areas included procurement, compliance and risk.

Peer Best Practice

One attendee shared a best practice for reducing VRM fatigue. Their organization asked themselves a simple question: “What is a Vendor?”

  • What service do they provide us?
  • Can we survive without them?
  • How critical is what they do to our business?

They realized not every vendor is equal. Rather than overwhelming themselves with data about vendors that are not critical to their business or don’t provide an actual service, they focused on the ones that matter most. After going through this process, they were able to cut their vendor assessment list in half.

Advice for Organizations Struggling with VRM

Whether you’re starting, revamping or re-energizing your VRM program, the best advice is to keep it simple. Don’t strive for a perfect end state from the start or you will never reach your goal. Too many things change too quickly. Your VRM program is an evolutionary one.

Keep in mind the 80-20 rule. Figure out what you can do that applies to 80% of your vendors and start there. Chart a manageable path and refer back to your aspirational state as you make progress. Make sure your VRM platform supports evolution.