Formalizing Vendor Risk Management – Keep It Simple to Improve Over Time

2 minute read

May 2017

When starting to build a formal Vendor Risk Management program, it’s important not to overcomplicate things. Too many companies make it harder than it needs to be with cumbersome review processes and needless complexity. Start simple and let your vendor risk management program mature over time.

ProcessUnity often tells new customers, “We can build a crazy awesome program for you, but the real benefit is to get instant results from this software you just bought. You need a program. Let’s get you started and let’s mature it over time. Let’s not spend seven months trying to build something that you’re going to go back and tweak anyway.”

It starts with the basics: A list of your third-party vendors, what services they provide and the primary contacts at each one.

Next, categorize each vendor as active, inactive or terminated. Focus on the active.

From there, get the critical information on each. There’s probably a fair amount of metadata you want to capture about your vendor community. Ask yourself – What’s out there? What do I have? Again, start simple, start small and mature into it. Your accounts receivable team likely has a lot of this information: if you are paying someone money, they should know!

If you already have an inherent risk methodology, use it to categorize each vendor into their risk tiers.

If you don’t have an inherent risk methodology, start thinking about how you want to build it so you can focus your efforts on your critical vendors first.

Now, do you have an assessment questionnaire? If not, where are you going to pull your questions from?

There’s no need to spend valuable time trying to create a questionnaire from scratch when there are many places to find useful content that already exists. Shared Assessments is a good place to start.

Remember, your vendor risk management program is going to evolve over time. It’s most important to understand your resources and timeline, and don’t overextend yourself by trying to create a program that ends up so unwieldy it can’t get off the ground. Build a solid foundation, and it’ll mature and become more useful with each iteration.

To learn more about building an effective vendor risk management program, download Four Keys to Building a Vendor Risk Management Program That Works.

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.