Vendor Risk Management (VRM) was a hot topic discussed on the exhibit floor at RSA 2017. The Rsam team on-site collected comments they heard from risk and compliance professionals trying to wrangle vendor risk. We weren’t surprised to learn that the struggle is real and causing lots of hand-wringing.
With hundreds or even tens of thousands of vendors in your ecosystem, keeping track of each is a gigantic endeavor. Without some form of automation, your VRM program will simply not succeed.
Here are common stories we heard from RSA attendees and our recommendations for how to deal with them.
We use the same questionnaire for every vendor and many don’t ever complete them.
Rsam Recommendation: A cookie-cutter approach to questionnaires will yield a lot of wasted and irrelevant data. A best practice is to tailor questionnaires so you only ask vendors questions that are relevant to them. It’s a win-win. You get cleaner data that requires far less manual analysis. Your vendor isn’t forced to waste time on questions that aren’t applicable; therefore, they are more likely to complete the survey.
We have no way of knowing when something changes with a vendor.
Rsam Recommendation: Ongoing monitoring is really at the crux of a successful VRM program. Everything is changing quickly all the time; it’s impossible to stay on top of it without automation. You must be alerted to changes that happen between assessments so you can respond. For example, what if the vendor experiences financial issues that could impact their long-term viability? That’s something you would want to know now, not when they take their shingle down.
It takes way too much time to go through completed vendor surveys. We end up not taking action on a lot of it.
Rsam Recommendation: Every good lawyer knows: never ask a question without knowing what the answer will be. The same should be true of a vendor survey. You need to have control over how vendors respond. You can do that by implementing simple steps like a drop-down selection box or other methods that eliminate the ‘unstructured data’ nightmare. By controlling how vendors can reply to a survey, you can eliminate the time it takes your team to review it.
We have difficulty knowing what to report on and how to interpret it.
Rsam Recommendation: When you’re drowning in a sea of data, it’s hard to find meaning among the chaos. Again, automation is your friend. You want to understand which vendors pose the most risk at any point in time. By using automated risk scoring, you can have that information rolled up into a report with the click of a button. Instead of guessing, you can begin remediating.