If purchasing vendor risk management software is on your “to do” list over the next 12 months, it’s important to recognize that successfully purchasing and implementing new technology is as much about looking inward within the organization, as it is about looking outward at the available software.
A thorough analysis of where the organization’s vendor risk management program is at the moment – and how it wants to evolve – will help to ensure that the right technology decisions are made. Ideally, the vendor risk management software your firm selects should meet you where you are now, and support the evolution of your vendor risk management program in the future. An analysis will also help shape the conversations that you have with vendor risk management software providers, by helping you to ask the right questions and understand their responses in the context of your future direction.
This blog should help you to benchmark your organization’s vendor risk management oversight and framework. It outlines the questions you should be asking to ensure you find a solution aligned to your organization’s approach to vendor management.
The level of regulatory expectations around vendor risk management is increasing dramatically, particularly around vendor risk management governance, policies, and frameworks. As well, most industries are working with an increasing number of vendors as businesses outsource key processes and support functions.
However, all too often, small third-party risk management teams are responsible for managing a high volume of third-party vendors. For example, a recent survey by Aravo found that 32% of respondents who reported having no dedicated third-party risk management team said they manage between 5,000 and 49,000 third parties. Another 23% said they manage between 500 and 4,999 third parties. An amazing 4% of this group said they manage more than 50,000 third parties.
Many organizations also struggle to obtain budget for vendor risk management software, vendor risk due diligence data, vendor risk monitoring services providers, and headcount for front line vendor risk managers. Often the root cause of this underinvestment is the challenge of getting senior management and the board to understand the level of effort and budget required for third-party risk management.
If a vendor risk management program does not have resources available that are commensurate with the size of the vendor relationship portfolio, and the risks within that portfolio, the outcome will always remain fragmented. Worse, in the face of risk, parts of the organization will engage in finger-pointing or fail to collaborate, rather than addressing the issues that are creating the risk. These problems could, in the end, wind up costing the organization much more money in the form of lost customers, regulatory sanctions, reduced revenue and reputational damage. This post on How To Build a Business Case for Better Third-Party Risk Management provides some data points and tips to help you with a value case.
Boards and senior management should understand that their engagement and oversight is an important component of program success, and is also expected by the regulators. The tone from the top matters enormously in vendor risk management, just as it does within other risk disciplines.
However, the Aravo survey’s findings indicate that many boards still fail to grasp the extent of the risks that third parties pose to their organizations – 40% of respondents said their board doesn’t have a good handle on third-party risk.
Vendor risk management teams should proactively nurture board engagement by educating the group about the important impact that vendor risk can have on the ability of the organization to meet its strategic goals. When boards make this connection, they understand why it is important to resource the vendor risk management program at a good level, and they also support the advancement of the program’s maturity.
Understanding where the gaps are in your current vendor risk management framework, and how the organization wants that framework to evolve over time, is a crucial step. There may be gaps that can be closed through the purchase of the right vendor risk management technology, while other gaps may require a different solution, or a combination of organizational, process, and technological change.
Look at a robust vendor risk management framework – for example, there is one in Aravo’s Third Party GRC Maturity Model white paper, on pages 7-9. Key elements of this framework include:
Once the gaps in the framework are identified, be sure to explore how vendor risk management software can help close them and where it might be able to support the closing of others.
A vendor risk management maturity calculator can help your organization benchmark how effective your program is in comparison with the discipline as a whole. With the information about your firm’s framework to hand, it’s possible to understand how your program stacks up in a matter of minutes.
The vendor risk management maturity calculator looks at four different factors to determine how advanced a program is overall:
Doing such a benchmarking exercise can be very helpful because it can help a vendor management team better understand where it needs to develop to grow. Benchmarking like this can also serve to help validate those needs for senior management and the board. Use Aravo’s maturity calculator to find out your stage.
Once your vendor risk management team understands both the framework elements that are in place and the level of maturity the program is at, it’s time to consider what the organization’s technology requirements are in light of these findings.
To explore how a technology platform could support a vendor risk management program in these ways, read the Aravo TPM Standard datasheet.
In summary, purchasing or replacing your organization’s vendor risk management software is a big step, and so it’s important to do a thorough assessment of your organization’s resources, board support, framework, and maturity before going ahead and speaking with software solution providers. Taking these steps will enable you to engage proactively with technology, and find software that is aligned with where you are at the moment, as well as your future vendor risk management goals.
Constructing an RFP that captures your key business requirements without being an information overload can be a challenging task – but if you are taking this route, it’s important that you get it right.
Vendor and Third-Party Management solutions come with a diverse set of capabilities from a variety of providers in the market. Some solutions focus on departmental third-party issues such as information security; others focus on industry verticals. Many focus purely on the due diligence process. Some offer modules as part of broader platforms, and a few offer an end-to-end third-party management capability. If you are looking to go to RFI/RFP in 2021, take some of the pain out of compiling the documentation by using an RFP template which provides a library of best-practice questions to draw from across a broad range of categories including:
Share with Your Friends:
