With what feels like an exponential rise in the number of cloud-based solutions available over the last 5 to 10 years, organizations are in a better place now than they have ever been to automate business processes. Automation might seem like a no-brainer in certain functional areas of the business, but when it comes to vendor risk management, are there use cases for introducing automation into the process?
The answer is YES!
In this article we’ll explore the 4 vendor management activities that you should automate in your vendor risk management program, but there are certainly many, many other ways in which automation can be worked into the vendor management process.
1. Inherent Risk Tiering
Often one of the first activities performed in the vendor risk management process, determining the inherent risk of your vendor relationships is key to understanding how that vendor will be assessed and managed. If this risk tiering process is subjective, you may end up tiering your vendors inconsistently. If the process is manual, you may be wasting valuable time assigning risk tiers when automation could do it for you.
Vendor risk management systems enable you to standardize your inherent risk assessment process and build automation into it. For example, if you are using a point-based question and answer inherent risk assessment, you could set up point thresholds in your system to automatically assign an inherent risk level based on the assessment’s final score. Even better, you could set up logic that automatically triggers a particular inherent risk level based on an answer to a single question (e.g., any time a vendor has access to protected health information (PHI), automatically trigger ‘High Risk’).
2. Due Diligence Scoping
Many organizations don’t have a good way to scope their due diligence questionnaires. Scoping means “right-sizing” the questionnaire based on the specific vendor that is being assessed (e.g., you wouldn’t send your landscaping vendor a 300-question information security questionnaire).
Best-in-class vendor management systems allow you to establish workflow rules that automate when certain questionnaires are required to be launched. For example, let’s say that your organization maintains three different vendor questionnaires – 1) a Corporate Health Assessment, 2) an Information Security Assessment and 3) a Business Continuity Assessment. Automation would allow you to implement rules such as “always send our Business Continuity Assessment to any vendor classified as ‘Critical’”.
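The tiering and scoping rules from sections 1 and 2 can be sketched as a small rule set. This is an added example, not code from the article or from any vendor management product; the question ids, point values, thresholds, the baseline and Information Security rules, and the sample vendors are all assumptions, while the PHI override and the ‘Critical’ rule are the ones quoted above.

```python
from dataclasses import dataclass

# Hypothetical point values per inherent-risk answer (assumed, not from the article).
POINTS = {
    "handles_customer_data": 30,
    "network_access": 25,
    "single_source": 15,
    "offshore_processing": 10,
}
# Answers that force a tier regardless of score (the article's PHI rule).
OVERRIDES = {"accesses_phi": "High"}
# Assumed score thresholds, checked from highest to lowest.
THRESHOLDS = [(50, "High"), (25, "Medium"), (0, "Low")]
TIER_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Vendor:
    name: str
    answers: dict           # question id -> bool
    critical: bool = False  # business criticality, assigned separately


def inherent_tier(vendor):
    """Return (tier, score, reason) from point thresholds plus overrides."""
    score = sum(p for q, p in POINTS.items() if vendor.answers.get(q))
    tier = next(t for floor, t in THRESHOLDS if score >= floor)
    reason = f"score {score}"
    for question, forced in OVERRIDES.items():
        # An override may only raise the tier, never lower it.
        if vendor.answers.get(question) and TIER_ORDER[forced] > TIER_ORDER[tier]:
            tier, reason = forced, f"override: {question}"
    return tier, score, reason


def scope_questionnaires(vendor):
    """Pick which of the article's three questionnaires to launch."""
    tier, _, _ = inherent_tier(vendor)
    selected = ["Corporate Health Assessment"]  # assumed baseline for every vendor
    if tier in ("Medium", "High"):               # assumed rule
        selected.append("Information Security Assessment")
    if vendor.critical:                          # rule quoted in the article
        selected.append("Business Continuity Assessment")
    return selected


# Constructed sample vendors.
LANDSCAPER = Vendor("Green Lawn Co", {})
BILLING = Vendor("Claims Billing Inc", {"accesses_phi": True, "single_source": True}, critical=True)
```

Returning the reason alongside the tier keeps the assignment auditable: a reviewer can see whether a vendor landed in ‘High’ through its score or through a single-answer override.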
3. Vendor Response Evaluation
The process of evaluating vendor responses to due diligence questionnaires may be one of the most time-intensive activities associated with vendor management. But it doesn’t need to be! If you scope your questionnaires and send vendors only the questions they need (#2 above) AND you introduce automation into the evaluation process, you’ll save hours of valuable time.
Best-in-class vendor management systems allow you to configure “preferred responses” within your questionnaires. This means that when a vendor submits a questionnaire, you will be able to quickly identify whether or not the vendor’s response to each question aligns with how you wanted them to answer those questions. Some systems even take this automation process a step further and automatically associate pre-defined risks with questions that did not meet your organization’s response standards (i.e., preferred response).
4. Continuous Monitoring of Vendors
Continuous monitoring is key to effectively managing vendor relationships. Your work as a vendor risk manager does not stop once the initial due diligence of a vendor has been completed. You need to continuously monitor your vendors to identify if any new risks present themselves.
Automation can make this a much more efficient and manageable process. There are a number of online tools out there, such as Argos Risk or Prevalent, that constantly scan for emerging threats that you may not be aware of. For example, you can configure these types of systems to send you automatic alerts when certain events occur that may increase your organization’s risk exposure (such as alerts on a vendor’s declining financial condition, lawsuits the vendor is involved in, data breaches, etc.). Working these types of automated alerts into your overall vendor risk management process drastically improves your ability to prevent risks.
Automation is no longer something that is only available to extremely large organizations with even larger budgets. You could begin automating your vendor risk management process today. Use the tips in this article to begin your automation journey!
Author: Josh Angert
Job Title: Consulting Manager
Organization: Vendor Centric