Earlier this year, I wrote about the core foundational elements you need to incorporate into your vendor management program. This time, we’ll dive a bit deeper into one of those elements – the third-party risk management system. Just like there are certain foundational elements of a successful vendor management program, the system you use to manage your program must also contain certain key features.
As a recap, the six foundational elements of a vendor management program are:
- Governance & Oversight – Provides vision, direction and accountability for the vendor management function.
- People, Skills and Training – Ensures the right level of vendor management resources, subject matter expertise and stakeholder knowledge.
- Third-Party Profiles – Organizes data and documents so you have clear profiles of your third-party relationships.
- Policies & Standards – Establishes the scope and guidelines for the program, and defines key roles & responsibilities.
- Operating Procedures – Defines the day-to-day activities stakeholders will undertake to execute the program.
- Systems – Centralizes information, facilitates workflow, provides reporting and ensures an audit trail of activities.
Now, let’s dive into the 7 essential elements of third-party risk management systems.
- Vendor Inventory and Profiles – Your third-party risk management system isn’t only used to facilitate risk-based activities; it should also serve as the system that houses your organization’s complete vendor inventory (and profiles for each of those vendors). A vendor profile should contain more than just a name. Here are some key components of a complete vendor profile:
  - The vendor’s full legal name and alternate/DBA names, their primary address and key contacts
  - Documentation that should be kept on file for the vendor, such as SOC reports or insurance certificates
  - A list of contracts your organization has entered into with the vendor, including whether each contract is active or inactive
  - A list of issues related to the vendor, including performance issues or issues uncovered during due diligence or ongoing monitoring
  - Information about how much your organization spends with the vendor. This could be at the contract level, or simply at the vendor level
- Automation of Risk-Based Classification – There should be a workflow-based process for assessing new vendors (or existing vendors when a change in scope occurs), and scoring logic to calculate an inherent risk level, which helps you determine what level of risk-based due diligence to perform on each vendor. Your system should also allow for approvals of risk assessments, should certain internal stakeholders need to review assessments before they are finalized.
- Vendor Engagement – It should be easy for your vendors to provide you information and documentation. It should also be easy for you to know what to ask for. Your system should be able to handle the facilitation of risk-based due diligence assessments based on the vendor’s inherent risk level, and should have logic built in to allow for proper scoping. For example, if your vendor will not have access to any of your organization’s non-public information (NPI), there is no need to send them due diligence questions related to how they store, access or process your information.
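The two elements above (inherent-risk scoring with an approval gate, and scoping due-diligence questions to the vendor’s actual footprint) are easier to reason about with a concrete model. The following is an added example, not code from Vendor Centric or from any third-party risk management product; the intake fields, scoring weights, tier thresholds and question catalogue are all constructed assumptions, chosen only to show the mechanics.

```python
"""Added example: inherent-risk classification and due-diligence scoping.

This is not the article's or any vendor's code. The weights, tier cut-offs
and question catalogue are assumed values for illustration only.
"""
from dataclasses import dataclass


@dataclass
class VendorIntake:
    """Answers an employee gives when requesting a new vendor (constructed)."""
    name: str
    accesses_npi: bool            # will handle our non-public information
    critical_to_operations: bool  # outage would disrupt a core process
    hosts_data_offsite: bool      # SaaS / hosted rather than on-premises
    annual_spend_usd: float


# Assumed scoring weights per inherent-risk driver (not an industry standard).
WEIGHTS = {
    "accesses_npi": 40,
    "critical_to_operations": 30,
    "hosts_data_offsite": 15,
}
SPEND_THRESHOLD_USD = 250_000   # assumed; spend above this adds to the score
SPEND_WEIGHT = 15

# Due-diligence question catalogue (constructed). The third field names the
# intake attribute that must be true for the question to be in scope;
# None means the question is always asked.
QUESTIONS = [
    ("Q1", "Describe your information security program.", None),
    ("Q2", "How do you store, access and process our NPI?", "accesses_npi"),
    ("Q3", "Provide your most recent SOC 2 report.", "hosts_data_offsite"),
    ("Q4", "Describe your business continuity and DR testing.", "critical_to_operations"),
]


def inherent_risk_score(v: VendorIntake) -> int:
    """Sum the weights of every risk driver that applies to this vendor."""
    score = sum(w for attr, w in WEIGHTS.items() if getattr(v, attr))
    if v.annual_spend_usd >= SPEND_THRESHOLD_USD:
        score += SPEND_WEIGHT
    return score


def risk_tier(score: int) -> str:
    """Map a score onto the assumed low / medium / high tiers."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def scope_questionnaire(v: VendorIntake) -> list[str]:
    """Keep only questions whose condition the vendor actually meets.

    A vendor with no NPI access never receives the NPI-handling question,
    regardless of its tier.
    """
    return [qid for qid, _text, cond in QUESTIONS
            if cond is None or getattr(v, cond)]


def assess(v: VendorIntake) -> dict:
    """Run the intake through scoring, tiering, scoping and the approval gate."""
    score = inherent_risk_score(v)
    tier = risk_tier(score)
    return {
        "vendor": v.name,
        "score": score,
        "tier": tier,
        "questions": scope_questionnaire(v),
        # Assumed policy: high-tier assessments wait for Vendor Management Office sign-off.
        "requires_vmo_approval": tier == "high",
    }


if __name__ == "__main__":
    # Constructed sample intakes.
    payroll = VendorIntake("Payroll SaaS", True, True, True, 300_000)
    florist = VendorIntake("Office Florist", False, False, False, 2_000)
    for v in (payroll, florist):
        print(assess(v))
```

The point of keeping the condition on each question rather than on the tier is that scoping follows the vendor’s real exposure: a low-spend, non-critical vendor that still touches NPI gets the NPI questions, while a high-spend vendor with no data access does not.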
- Employee Engagement – When your internal staff need to request a new vendor, or a change in scope for an existing vendor, the third-party risk management system should be the place those requests are made. Staff should have access to an employee-only portal that allows for submission of requests and triggers the appropriate workflows (e.g., the Vendor Management Office reviews new requests and launches the necessary assessments).
- Continuous Monitoring – Initial, point-in-time due diligence is not enough these days. Your system should be able to facilitate your organization’s ongoing monitoring approach to managing your vendor relationships. This could mean workflows around the launch, collection and review of vendor performance reviews (completed by your staff at a frequency based on the vendor’s risk level). It could also mean integrating with other third-party intelligence tools (such as our partner Argos Risk) to incorporate real-time monitoring of your vendor relationships.
- System Integration – Along with being able to communicate with third-party intelligence tools as mentioned above, your system should also be able to seamlessly integrate with other operational tools used by your organization, and pull in (or send) relevant information to/from each. For example, you may want to integrate your third-party risk management system with your AP system to pull in spend data. You might want to connect your system to your organization’s GRC (governance, risk and compliance) system to push vendor-related issues into your organization’s risk register.
- Reporting – Your system should make it easy to report on vendor management activities, allowing for the easy collection of data used in reporting to senior management, committees or your board. It should also allow for ad hoc reporting in case staff need to obtain information specific to their needs (for example, a list of active vendors in their department). There should also be role-based dashboards that make it easy for each user to see only the most relevant information.
Finding the right third-party risk management system can seem overwhelming, but it doesn’t need to be. Hopefully these pointers, and our list of software providers, help you find a system that is right-sized for your organization.
Author: Josh Angert
Job Title: Consulting Manager
Organization: Vendor Centric