5 Key Considerations Before Evaluating Vendor Risk Management Software
A thorough analysis of where the organization’s vendor risk management program is at the moment – and how it wants to evolve – will help to ensure that the right technology decisions are made. Ideally, the vendor risk management software your firm selects should meet you where you are now, and support the evolution of your vendor risk management program in the future. An analysis will also help shape the conversations that you have with vendor risk management software providers, by helping you to ask the right questions and understand their responses in the context of your future direction.
This blog should help you to benchmark your organization’s vendor risk management oversight and framework. It outlines the questions you should be asking to ensure you find a solution aligned to your organization’s approach to vendor management.
Does your VRM team have an adequate budget and personnel to manage oversight and due diligence?
The level of regulatory expectations around vendor risk management is increasing dramatically, particularly around vendor risk management governance, policies, and frameworks. In addition, most industries are working with an increasing number of vendors as businesses outsource key processes and support functions.
However, all too often, small third-party risk management teams are responsible for managing a high volume of third-party vendors. For example, a recent survey by Aravo found that 32% of respondents who reported having no dedicated third-party risk management team said they manage between 5,000 and 49,000 third parties. Another 23% said they manage between 500 and 4,999 third parties. An amazing 4% of this group said they manage more than 50,000 third parties.
Many organizations also struggle to obtain budget for vendor risk management software, vendor risk due diligence data, vendor risk monitoring services providers, and headcount for front line vendor risk managers. Often the root cause of this underinvestment is the challenge of getting senior management and the board to understand the level of effort and budget required for third-party risk management.
If a vendor risk management program does not have resources available that are commensurate with the size of the vendor relationship portfolio, and the risks within that portfolio, the outcome will always remain fragmented. Worse, in the face of risk, parts of the organization will engage in finger-pointing or fail to collaborate, rather than addressing the issues that are creating the risk. These problems could, in the end, wind up costing the organization much more money in the form of lost customers, regulatory sanctions, reduced revenue and reputational damage. This post on How To Build a Business Case for Better Third-Party Risk Management provides some data points and tips to help you with a value case.
How invested is the board and senior management in vendor risk management?
Boards and senior management should understand that their engagement and oversight is an important component of program success, and is also expected by the regulators. The tone from the top matters enormously in vendor risk management, just as it does within other risk disciplines.
However, the Aravo survey’s findings indicate that many boards still fail to grasp the extent of the risks that third parties pose to their organizations – 40% of respondents said their board doesn’t have a good handle on third-party risk.
Vendor risk management teams should proactively nurture board engagement by educating the group about the important impact that vendor risk can have on the ability of the organization to meet its strategic goals. When boards make this connection, they understand why it is important to resource the vendor risk management program at a good level, and they also support the advancement of the program’s maturity.
Where are the gaps in your vendor risk management framework today?
Understanding where the gaps are in your current vendor risk management framework, and how the organization wants that framework to evolve over time, is a crucial step. There may be gaps that can be closed through the purchase of the right vendor risk management technology, while other gaps may require a different solution, or a combination of organizational, process, and technological change.
Look at a robust vendor risk management framework – for example, there is one in Aravo’s Third Party GRC Maturity Model white paper, on pages 7-9. Key elements of this framework include:
- Understanding your risks
- Approaching vendor risk management in proportion to the organization’s risks
- Establishing vendor risk management governance by the board
- Creating a single catalog of all vendors, and/or third parties
- Developing proactive vendor risk assessments and due diligence efforts
- Ensuring adequate oversight of vendor risk management
- Building and documenting policies and procedures
- Providing integrated communications, training, and reporting
- Maintaining ongoing vendor monitoring
Once the gaps in the framework are identified, be sure to explore how vendor risk management software can help close them and where it might be able to support the closing of others.
Where does your program benchmark on a vendor risk management maturity scale?
A vendor risk management maturity calculator can help your organization benchmark how effective your program is in comparison with the discipline as a whole. With the information about your firm’s framework to hand, it’s possible to understand how your program stacks up in a matter of minutes.
The vendor risk management maturity calculator looks at four different factors to determine how advanced a program is overall:
- Governance & Oversight
Doing such a benchmarking exercise can be very helpful because it helps a vendor management team understand where it needs to develop in order to grow. Benchmarking like this can also serve to validate those needs for senior management and the board. Use Aravo’s maturity calculator to find out your stage.
What are your organization’s technology requirements based on your program’s maturity?
Once your vendor risk management team understands both the framework elements that are in place and the level of maturity the program is at, it’s time to consider what the organization’s technology requirements are in light of these findings.
- Early stages – If your vendor risk management program registered as Ad Hoc or Fragmented in the maturity calculator, or it is still dependent on manual processes and in need of best-practice guidance, your first step with vendor risk management software should be to use it to centralize third-party data in one location and to reduce existing manual processes. The solution should be able to stand up quickly and support the initial intake of vendors from across the organization. It should also support vendor risk assessments, vendor risk reviews, and the whole of vendor lifecycle management. Explore the Aravo TPM Express datasheet for more information.
- Moderate maturity – If your program turned out to be Defined or Integrated in the maturity calculator, or you feel it is an emerging or established vendor risk management framework, you should be looking for automation and enhanced data management. You should also expect risk-based due diligence, cross-functional onboarding, and robust lifecycle management. The vendor risk management software should be able to support:
- Initial vendor intake
- Vendor risk assessments
- Vendor risk review
- Vendor due diligence
- Vendor transactional enablement
- Vendor lifecycle management – including ongoing monitoring, issue management, and remediation management as well as termination and offboarding
To explore how a technology platform could support a vendor risk management program in these ways, read the Aravo TPM Standard datasheet.
- Mature – If your vendor risk management program scored as Agile in the maturity calculator or you feel that your program has well-defined processes and is in need of a configurable solution, you should explore a technology platform that has a bespoke data model that is able to meet your organization’s unique vendor risk management needs. The solution should be able to provide all of the functionality required at the moderate maturity level. However, it should also be based on a custom data model that can include new entities and custom associations. To discuss your organization’s specific needs and how vendor risk management software can support them, contact Aravo for a conversation.
In summary, purchasing or replacing your organization’s vendor risk management software is a big step, and so it’s important to do a thorough assessment of your organization’s resources, board support, framework, and maturity before going ahead and speaking with software solution providers. Taking these steps will enable you to engage proactively with technology, and find software that is aligned with where you are at the moment, as well as your future vendor risk management goals.
Constructing an RFP that captures your key business requirements without being an information overload can be a challenging task – but if you are taking this route, it’s important that you get it right.
Vendor and Third-Party Management solutions come with a diverse set of capabilities from a variety of providers in the market. Some solutions focus on departmental third-party issues such as information security; others focus on industry verticals. Many focus purely on the due diligence process. Some offer modules as part of broader platforms, and a few offer an end-to-end third-party management capability. If you are looking to go to RFI/RFP in 2021, take some of the pain out of compiling the documentation and use this editable template which provides a library of best-practice questions to draw from across a broad range of categories including: