One of the fundamentals to effective vendor management is recognizing that not all vendors are created equal when it comes to how they need to be managed. Some relationships are large and complex, while others are small and transactional.
That’s why these three words need to be baked into the core of your vendor management program: Risk-Based Approach
Taking a risk-based approach to vendor management allows you to categorize your vendors by risk, and focus your time and energy on the vendors that are riskiest – and oftentimes most important – to your organization. Let me explain what I mean.
When you enter into a new relationship with a vendor, they bring a variety of risks into your organization. Risks such as:
- Operational & business continuity risk
- Information security risk
- Financial risk
- Legal and compliance risk
- And sometimes most important – reputational risk
Identifying these risks BEFORE you sign the contract (and during the procurement process) is the key to risk-based vendor management. Doing so enables you to properly vet the vendor, mitigate risks contractually or through alternative controls, and establish a risk-based plan for monitoring the relationship post-contract.
This won’t work though if your approach to risk identification is ad hoc. You need to follow a standard process, that starts with an inherent risk assessment.
The inherent risk assessment allows you to ask risk-related questions about the prospective vendor relationship in order to identify risks and determine the type of due diligence and risk oversight that is needed. Questions like:
- Are any key activities being outsourced to this vendor?
- Will the vendor be supporting one or more critical areas of operations?
- Will the vendor have access to confidential information? What type and how much?
- Will the vendor be interfacing directly with clients or customers?
- Will the vendor have unsupervised access to our offices and our employees?
- Does the vendor play a role in our own compliance with laws and regulations?
Answers to these and similar questions are the only way to understand risks with the vendor, and to employ a risk-based approach to managing the relationship.
Learn more about risk-based vendor management by downloading our eBook, How to Kick Start Your Vendor Management Program.