Vendor Risk Management

November 3, 2021

At some point, everyone has to purchase something from a vendor or third-party supplier. Whether it is buying groceries at a store, dinner at a restaurant or repairs to your home, we tend to minimize our risk by performing some sort of due diligence. The criteria vary depending on what you are purchasing, but minimizing risk is the underlying motive.

The same applies to organizations in any industry. Companies apply a higher level of scrutiny when assessing the risks of doing business with a vendor or third-party supplier, and appropriately so. In healthcare, requirements are in place to make sure that supplies and services comply with government regulations. In banking, data security management is a key component of ensuring that customers' personal information is not exposed through a breach at a supplier. Regardless of the industry, vendor risk management should be a key organizational priority.

By definition, vendor risk management (VRM) is the process of ensuring that vendors and third parties do not create business disruption or a negative impact on company performance. Most organizations do not know where to start when developing a comprehensive VRM program; they just know that one needs to be implemented. Many organizations that have implemented a VRM program either lack the follow-through to enforce it or create a program so cumbersome that it promotes reactionary behavior or avoidance of the program altogether.

A comprehensive, yet simple, vendor risk management program will allow you to:

  • Support risk management at the enterprise level
  • Focus on management of strategic, financial and operational risk
  • Provide alignment of procurement to overall audit, governance and risk management initiatives

In order to implement a successful and sustainable VRM program, there are a few things to consider:

  • Define ongoing strategic value to the organization: This value needs to be defined and demonstrated to senior leadership. They must see that the VRM program will bring about cost savings and risk mitigation, and that suppliers will be dedicated to providing long-term value to the organization. Alignment of the VRM goals with the organizational goals is a must.
  • Compliance with implemented processes by the organization and its vendors: Vendor risk management is an ongoing process, not a one-time assessment. Compliance with the processes creates a closed loop that drives long-term value and successful partnerships, and it pushes alignment of your procurement organization with overall audit, governance and risk management initiatives.
  • Dedicated resources to oversee vendor risk: Procurement organizations are often stretched managing multiple vendors on a day-to-day basis. Dedicated resources that proactively manage vendor risk allow the organization to focus on vendor risk and performance consistently, separate from the day-to-day tactical procurement functions.
  • Consistent cadence to review vendor risk: Assessing vendor risk is not a one-time activity. Vendor risk management without actions, improvements, follow-ups and repeatable processes on a defined cadence is futile. An organization should go beyond assessing risk merely for the sake of defining a vendor's risk profile. Repeating the assessment provides ongoing visibility into the overall risk to the organization and helps vendors understand how critical their role is in delivering to their customer.
  • Proactive issue identification and resolution plan: When a vendor's risk profile changes between regular re-assessments, vendor risk managers can proactively identify any risks that may cause damage to the organization and mitigate them through a resolution or performance improvement plan. Much like the protocol for an employee who is struggling to perform, vendor risk managers can use a performance improvement plan to help the vendor course-correct and improve overall performance.
  • Define and communicate measurable results to validate the value of ongoing risk and performance management: As with any new program, proving the value and worth of a VRM program to the enterprise is key. Measuring the results and communicating them to senior leadership shows how vendor risk management creates both top-line and bottom-line value, which ultimately justifies the program.
  • Assess your software infrastructure and evaluate implementing a platform to support the overall VRM program: More and more organizations support their VRM programs by implementing a risk management platform. This makes it possible to assess risks proactively and track performance improvement plans in an automated fashion rather than through spreadsheets or other manual means. If you are already planning to implement a source-to-pay platform, adding the risk management piece will align with that overall vision.

However you plan to implement your VRM program, be sure to keep it simple. You want to be able to assess and address risks with a vendor before there is a negative impact, in the easiest way possible. A comprehensive vendor risk management program, supported by a risk management platform, provides the structure required to deliver a proactive, consistent and efficient means of supporting the organization's enterprise risk initiatives. By first minimizing your risk, you can then evolve the program into a long-term supplier performance and relationship management program.