Formalizing Vendor Risk Management – Keep It Simple/Improve Over Time

John Tondreau, published May 12, 2017

When starting to build a formal Vendor Risk Management (VRM) program, it’s important not to overcomplicate things. Too many companies make it harder than it needs to be with cumbersome review processes and layers of process they don’t yet need. Start simple and let your VRM program mature over time.

I often tell new customers: we can build a crazy awesome program for you, but the real benefit is to get instant results from this software you just bought. You need a program. Let’s get you started and let’s mature it over time. Let’s not spend seven months trying to build something that you’re going to go back and tweak anyway.

It starts with the basics: a list of your third-party vendors, what services they provide and the primary contacts at each one.

Next, categorize each vendor as active, inactive or terminated. Focus your effort on the active ones.

From there, get the critical information on each one. There’s probably a fair amount of metadata you want to capture about your vendor community. Ask yourself: What’s out there? What do I have? Again, start simple, start small and mature into it. Your accounts payable team likely has a lot of this information: if you are paying someone money, they should know!

If you already have an inherent risk methodology, use it to place each vendor in its risk tier.

If you don’t have an inherent risk methodology, start thinking about how you want to build it so you can focus your efforts on your critical vendors first.

Now, do you have an assessment questionnaire? If not, where are you going to pull your questions from?

There’s no need to spend valuable time creating a questionnaire from scratch when there are many places to find useful content that already exists. Shared Assessments is a good place to start.

Remember, your vendor program is going to evolve over time. What matters most is to know your resources and timeline, and not to overextend yourself by trying to create a program that ends up so unwieldy it can’t get off the ground. Build a solid foundation, and it’ll mature and become more useful with each iteration.

To learn more about building an effective vendor risk management program, download Four Keys to Building a Vendor Risk Management Program That Works.