Third parties have become a critical part of customer engagement, IT, and procurement strategy as they bring new capabilities, opportunities, and scale to enterprises. On the flip side, they also can bring substantial operational, financial, compliance, and reputational risks. Risk and compliance teams cannot just be focused on what must be done internally to protect a company and its customers. Teams must also ensure that the same checks and balances are in place for third parties through robust use of vendor performance management.
Vendor performance management is a risk management area that measures how vendors and suppliers are performing against contract SLAs, meeting objectives/KPIs, and other measurement tools. Today, risk teams must take a microscope to vendor performance, as including this in TPRM data will heighten security and reduce vulnerabilities posed by third parties.
Managing vendor performance can be a big undertaking. The number of third parties and suppliers that large organizations can work with can extend into the tens of thousands or even many hundreds of thousands and involve a web of complex relationships. Due to this scale and complexity, as more third parties are on-boarded, they are often not managed to the level of risk that they represent. Building best practices, being vigilant in continuous monitoring, and utilizing TPRM automation are critical steps in managing these risks.
Measuring Third-Party Vulnerabilities Through Risk Scoring
One way that many third-party risk programs are managing this high volume of data and successfully exposing risks is through the effective use of automated scoring and weighting. Automated scoring enables raw data about a third party (or even fourth parties and other subcontractors) to be transformed into an intelligent piece of information (a score) that can then be combined with other third-party information. This determines their level of risk (usually, low, medium, or high). The goal of scoring is to then trigger the appropriate courses of action for the organization to manage or remediate that risk.
Weighting is used to add further intelligence and relevance to the score, with each data point assigned a weight based on its importance to the overall business, its risk criticality, or other information such as risk appetite. This produces an inherent risk score, which in turn can trigger segmentation and the appropriate level of due diligence and mitigation processes.
Why is risk scoring so critical? It gives the organization a comprehensive view of third-party risk. Teams can see the risk of doing business with a third party at the parent-company level, the risk associated with its subsidiaries or subcontractors, the risk associated with each engagement, and the individual risk domains that contribute at each of these levels.
A Detailed Look into Third-Party Risk with Vendor Risk Assessments
Vendor risk assessments are risk management tools, conducted in questionnaire form, that ask about an organization’s risks and controls in a particular area of the business. Within TPRM, vendor risk assessments can be used internally to help the organization assess its third-party risks and controls from within, or they can be sent to third parties to complete so that the organization better understands the risk and control environments of its business partners.
While many vendor assessments are performed as part of onboarding, it is also important to incorporate them as part of continuous monitoring and managing vendor performance. Five best practices for approaching vendor risk assessments are:
Build a single source for all vendors: Having a single database of all the vendors the organization works with, and the information associated with them, creates a trusted source of data across the entire company.
Build a structured approach for assessments: The vendor risk assessment questionnaire should be well-structured and use best-practice question sets. The vendor risk assessment templates should also be relatively stable over time, so that good quality metrics can be built and tracked, and trend data accumulated.
Learn more about the vendor: Learn about the relationship the vendor will have with the business, such as what the strategic objective of the relationship is, its criticality to the business, the processes it will perform, the IT systems and data involved, and how an issue with the vendor would impact the organization. This will shape an understanding of the risk inherent in the relationship. This in turn will provide data triggers for the scope of the risk assessment(s) required.
Choose the right vendor risk assessments to send: Vendor risk assessments should be conducted at the product and service level. For example, if the vendor relationship involves personal data of customers, assessments that cover data privacy risk, IT risk, and cyber risk should be included. Vendor risk assessments should also cover more comprehensive risks, such as financial viability.
A risk assessment isn’t a one-time exercise: The data that is gathered should form the basis of the organization’s ongoing vendor monitoring program. Relationships, business conditions, and risks change and evolve, and those changes need to be monitored and assessed.
The Importance of Monitoring SLAs
A vendor service level agreement (SLA) is an agreement between an organization and a third party on the specific levels of service and functions that are expected as part of the engagement. Setting one is an important step in engaging with a third party, as both sides mutually agree on the specific services and areas of the relationship.
Important points to add and review within an SLA include:
Scope
Availability
Responsibilities
Metrics
Procedures for escalations
Remediations and penalties
Change management
Termination procedures
And more
An SLA does not end when the document is finished. Organizations need to consistently review vendor performance to ensure they’re meeting the terms of the SLA.
Setting and Managing Third-Party KPIs and KRIs
Key performance indicators (KPIs) measure the quality of service that a third party or vendor provides to an organization. For example, a KPI could measure whether the vendor is meeting the terms of its SLAs. Key risk indicators (KRIs) measure the risks themselves and the organization’s exposure to them.
It is good practice to start with the end in mind: define what your goals for the relationship with this vendor are, then work forward from there. Once KPIs and KRIs are set, it is important to revisit them as continuous monitoring of the vendor is performed.
Best Practices for Vendor Performance Management
As organizations integrate with more and more third parties to deliver products and services, their threat landscape grows. In Aravo’s TPRM benchmarking survey, 90% of participants reported experiencing an incident related to a third party. Managing the performance of these vendors is critical not only to lessening the number of risks a company faces, but also to ensuring vendors meet the terms of contracts, SLAs, and key performance measurements.
It’s important to find a TPRM automation tool that hosts robust capabilities for vendor performance management. Software programs should be able to:
1. Collect targeted performance metrics and information from internal managers and third parties
Score third parties across a range of targeted metrics and define how scores are to be weighted and rolled up into a total performance score.
Identify internal relationship managers and suppliers to participate in the performance management process and drive the collection of required performance information.
2. Provide proactive alerts when remediation is required
Configure alerts tied to specific performance conditions and thresholds.
Use performance dashboards to highlight vendors that require remediation.
Automatically trigger corrective actions based on the performance criteria.
3. Collaborate, remediate, and innovate with suppliers
Use performance scorecards to collaborate with suppliers and raise the bar of performance and strategic relationships.
Proactively collaborate with suppliers on innovation initiatives such as joint product development, packaging development, and new markets for revenue growth.
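The scoring mechanics described above (weighting raw data points into an inherent risk score, segmenting into low/medium/high, rolling scores up from engagement to subsidiary to parent, and triggering corrective actions when thresholds are crossed) are easier to reason about in code. The following is an added example written for this page; it is not Aravo's product code. The risk domains, weights, tier thresholds, alert rules, and the vendor hierarchy are all constructed values, chosen only to illustrate the method.

```python
# Added example: weighted inherent-risk scoring with tiering, hierarchical roll-up
# and threshold alerts. Domain names, weights, thresholds and all vendor data
# below are constructed for illustration; they are not from any real program.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Weight of each risk domain in the inherent risk score (assumed values; in a
# real program these are set from risk appetite and business criticality).
DOMAIN_WEIGHTS: Dict[str, float] = {"cyber": 0.35, "privacy": 0.25, "financial": 0.20, "sla": 0.20}

# Score bands on the 0-100 scale: the first threshold the score meets decides the tier.
TIER_THRESHOLDS: List[Tuple[float, str]] = [(70.0, "high"), (40.0, "medium"), (0.0, "low")]

# Alert rules: (domain or "overall", threshold, corrective action to trigger). Assumed.
ALERT_RULES: List[Tuple[str, float, str]] = [
    ("cyber", 85.0, "open a remediation plan and re-assess within 30 days"),
    ("privacy", 85.0, "require privacy review before further data is shared"),
    ("overall", 70.0, "escalate to the risk committee for enhanced due diligence"),
]


@dataclass
class Engagement:
    """One product/service engagement; domain_scores are 0-100 risk findings per domain."""
    name: str
    domain_scores: Dict[str, float]


@dataclass
class Party:
    """A third party: its own engagements plus optional subsidiaries/subcontractors."""
    name: str
    engagements: List[Engagement] = field(default_factory=list)
    subsidiaries: List["Party"] = field(default_factory=list)


def weighted_score(domain_scores: Dict[str, float]) -> float:
    """Inherent risk score: weighted average over the domains that were actually assessed.
    Re-normalising over the present domains stops a missing assessment from
    silently lowering the score (a missing domain is unknown risk, not zero risk)."""
    present = [d for d in domain_scores if d in DOMAIN_WEIGHTS]
    if not present:
        raise ValueError("no weighted risk domain present in assessment data")
    total_weight = sum(DOMAIN_WEIGHTS[d] for d in present)
    return round(sum(domain_scores[d] * DOMAIN_WEIGHTS[d] for d in present) / total_weight, 1)


def tier(score: float) -> str:
    """Map a 0-100 score to the low/medium/high segmentation that scopes due diligence."""
    for threshold, label in TIER_THRESHOLDS:
        if score >= threshold:
            return label
    return "low"


def roll_up(party: Party) -> Dict[str, object]:
    """Roll scores up the hierarchy: engagement -> subsidiary -> parent.
    The parent inherits the worst (maximum) score beneath it, so one high-risk
    subcontractor is never averaged away by low-risk siblings."""
    engagement_scores = {e.name: weighted_score(e.domain_scores) for e in party.engagements}
    sub_reports = [roll_up(s) for s in party.subsidiaries]
    candidates = list(engagement_scores.values()) + [r["score"] for r in sub_reports]
    score = max(candidates) if candidates else 0.0
    return {"party": party.name, "score": score, "tier": tier(score),
            "engagements": engagement_scores, "subsidiaries": sub_reports}


def alerts(party: Party) -> List[Tuple[str, str, str]]:
    """Evaluate ALERT_RULES for every engagement in the tree.
    Returns (party name, engagement name, corrective action) tuples in tree order."""
    found: List[Tuple[str, str, str]] = []
    for e in party.engagements:
        values = dict(e.domain_scores)
        values["overall"] = weighted_score(e.domain_scores)
        for domain, threshold, action in ALERT_RULES:
            if values.get(domain, 0.0) >= threshold:
                found.append((party.name, e.name, action))
    for s in party.subsidiaries:
        found.extend(alerts(s))
    return found


# Constructed sample hierarchy: a parent with one direct engagement and two subsidiaries.
SAMPLE = Party(
    "Acme Holdings (constructed)",
    engagements=[Engagement("payroll processing",
                            {"cyber": 80, "privacy": 90, "financial": 30, "sla": 50})],
    subsidiaries=[
        Party("Acme Cloud Services", engagements=[
            # financial viability not yet assessed for this engagement
            Engagement("log hosting", {"cyber": 95, "privacy": 60, "sla": 40})]),
        Party("Acme Print", engagements=[
            Engagement("marketing collateral",
                       {"cyber": 20, "privacy": 10, "financial": 60, "sla": 30})]),
    ],
)

if __name__ == "__main__":
    import json
    print(json.dumps(roll_up(SAMPLE), indent=2))
    for party_name, engagement_name, action in alerts(SAMPLE):
        print(f"ALERT {party_name} / {engagement_name}: {action}")
```

Two design choices matter here. Rolling up with the maximum rather than an average is the conservative reading of "parent-level risk": the parent's tier reflects the riskiest engagement anywhere beneath it. Re-normalising weights over assessed domains keeps an unanswered questionnaire from reading as a good result; a production program would more likely flag the gap as its own KRI.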
Third-Party Performance Assessments Drive Proactive Business Strategies
Aravo’s Performance Management Application provides the tools to collect, measure, analyze, and report on supplier-related key performance indicators (KPIs) in one centralized, standardized system. It complements TPRM functionality to deliver a complete supplier lifecycle management solution and seamlessly integrates into Aravo’s market-leading TPRM platform.
Because the application is designed to simplify assessment and monitoring of relevant third-party performance, customers can proactively plan for potential delivery lapses, strategize to compensate for anticipated service misses, and augment controls and options before issues arise. With the ability to actively evaluate the engagement, both parties can improve supplier visibility, enhance processes, and build long-term collaborative engagements.
Building a Robust Vendor Performance Management Program with the Strategic Alignment Framework™
In addition to performance management, Aravo also provides TPRM best practices through the Strategic Alignment Framework™, a best-practice-based methodology that adapts to your organization’s TPRM initiative to streamline your goals, teams, processes, and technologies.
The Strategic Alignment Framework™ begins with 1-3 Discovery Sessions between you and the Aravo team. These are collaborative discussions designed to pinpoint your organization’s TPRM objectives, priorities, and key drivers, and they help us customize your Program Charter. These sessions drive the entire journey.
The Framework can be tailored to assist wherever you are in the TPRM journey and whatever your goals are. Depending on the outcome of the discovery sessions, the process can help you set vendor KPIs, create an improved performance management process, and build further resilience.
Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns, and contributes as an author for articles and blog posts.
Hannah holds over 12 years of writing and marketing experience, with 6 years of specialization in the risk management, supply chain, and ESG industries. Hannah holds an MA from Monmouth University and a Certificate in Product Marketing from Cornell University.