Third parties have become a critical part of customer engagement, IT, and procurement strategy as they bring new capabilities, opportunities, and scale to enterprises. On the flip side, they also can bring substantial operational, financial, compliance, and reputational risks. Risk and compliance teams cannot just be focused on what must be done internally to protect a company and its customers. Teams must also ensure that the same checks and balances are in place for third parties through robust use of vendor performance management.
Vendor performance management is a risk management area that measures how vendors and suppliers are performing against contract SLAs, meeting objectives/KPIs, and other measurement tools. Today, risk teams must take a microscope to vendor performance, as including this in TPRM data will heighten security and reduce vulnerabilities posed by third parties.
Managing vendor performance can be a big undertaking. The number of third parties and suppliers that large organizations can work with can extend into the tens of thousands or even many hundreds of thousands and involve a web of complex relationships. Due to this scale and complexity, as more third parties are on-boarded, they are often not managed to the level of risk that they represent. Building best practices, being vigilant in continuous monitoring, and utilizing TPRM automation are critical steps in managing these risks.
One way that many third-party risk programs are managing this high volume of data and successfully exposing risks is through the effective use of automated scoring and weighting. Automated scoring enables raw data about a third party (or even fourth parties and other subcontractors) to be transformed into an intelligent piece of information (a score) that can then be combined with other third-party information. This determines their level of risk (usually, low, medium, or high). The goal of scoring is to then trigger the appropriate courses of action for the organization to manage or remediate that risk.
Weighting is used to add further intelligence and relevance to the score, with each data point assigned a weight based on its importance to the overall business, risk criticality, or other information such as risk appetite. This provides an inherent risk score, that in turn can trigger segmentation and the appropriate level of due diligence and mitigation processes.
Why is risk scoring so critical? Well, it also provides the organization with a comprehensive view of third-party risk. They can see the risk of doing business with a third party at the parent company level, the risk associated with doing business with its subsidiaries or subcontractors, the risk associated with each engagement, as well as the individual risk domains that are associated with each of these levels.
Vendor risk assessments are risk management tools conducted in questionnaire form and ask about the organization’s risks and controls in a particular area of the business. Within TPRM, vendor risk assessments can be used internally to help the organization assess its third-party risks and controls from within, or can be sent to third parties for them to complete to help the organization better understand the risk and control environments in their business partners.
While many vendor assessments are performed as part of onboarding, it is also important to incorporate them as part of continuous monitoring and managing vendor performance. Five best practices for approaching vendor risk assessments are:
A vendor service level agreement (SLA) is a set agreement between an organization and a third party on specific levels of service and functions that is expected as part of the engagement. This is an important step in engaging with a third party, and mutually agreeing upon specific services and areas of the relationship.
Important points to add and review within an SLA include:
An SLA does not end when the document is finished. Organizations need to consistently review vendor performance to ensure they’re meeting the terms of the SLA.
Key performance indicators (KPIs) measure the quality of service that a third party or vendor provides to an organization. For example, KPIs you could implement would be to measure vendor performance and ensure terms of SLAs are being met. Key risk indicators (KRIs) measure the risks themselves and your exposure to them as an organization.
It is a good practice to start with the end in mind; in other words, what are your goals for the relationship with this vendor, then move forward from there. Once KPIs and KRIs are set, it is important to re-visit them as continuous monitoring is performed on the vendor.
As organizations integrate with more and more third parties to deliver products and services, their threat landscape grows. In Aravo’s TPRM benchmarking survey, it was determined that 90% of participants experienced an incident related to a third party. Managing the performance of these vendors is not only critical to lessening the number of risks a company can face, but also ensuring they are meeting the terms of contracts, SLAs, and key performance measurements.
It’s important to find a TPRM automation tool that hosts robust capabilities for vendor performance management. Software programs should be able to:
1. Collect targeted performance metrics and information from internal managers and third parties
2. Provide proactive alerts when remediation is required
3. Collaborate, remediate, and innovate with suppliers
Aravo’s Performance Management Application provides the tools to collect, measure, analyze, and report on supplier-related key performance indicators (KPIs) in one centralized, standardized system. It complements TPRM functionality to deliver a complete supplier lifecycle management solution and seamlessly integrates into Aravo’s market-leading TPRM platform.
Designed to simplify and enable assessments and monitoring of relevant third-party performance, customers can proactively plan for potential delivery lapses, strategize to compensate for anticipated service misses, and augment controls and options prior to issues arising. With an ability to actively evaluate the engagement, both parties can improve supplier visibility, enhance processes, and build long-term collaborative engagements.
In addition to performance management, Aravo also provides TPRM best practices through the Strategic Alignment Framework™, a best practices-based methodology that adapts to your organization’s TPRM initiative to streamline your goals, teams, processes, and technologies.
The Strategic Alignment Framework™ begins with 1-3 Discovery Sessions between you and the Aravo team. These are collaborative discussions designed to pinpoint your organization’s TPRM objectives, priorities, and key drivers, and they help us customize your Program Charter. These sessions drive the entire journey.
The Framework can be designed to assist wherever you are within the TPRM journey, as well as what your goals are. Depending on the discovery sessions, the process can help you set vendor KPIs, create an improved performance management process, and build further resilience.
Interested in integrating better Vendor Performance Management into your TPRM program? Speak with one of our experts today!
Share with Your Friends:
