Scorecards that measure the performance of suppliers and vendors that a company contracts with have been a business tool embraced by procurement for some time now.
However, there’s an evolution underway. Increasingly, businesses are recognizing that a holistic third party scorecard that also embeds risk and compliance metrics can not only help drive continuous improvement in vendor performance, but can also help reduce the risk that third party engagements bring to the enterprise. What’s more, scorecards can be leveraged as a collaborative tool to help raise the collective bar of the third party ecosystem, especially in areas such as IT security. Operational Risk, Information Security and Compliance are all now stepping up to the scorecard plate.
Scorecards
Imagine having all of the real-time information you need about a third party relationship right in front of you – information that will empower you to make decisions about managing risk, ensuring compliance, and optimizing performance in that partnership. Even better, you could use that information to build a very collaborative relationship with the third party, and enhance your own internal risk culture.
What you are imagining is a third party scorecard. Scorecards – correctly constructed – bring together the relevant information about a third party into a single dashboard or report. They enable the user to understand the strengths and potential risks of the third party relationship quickly and easily. Usually, this is accomplished by consolidating a range of information points via scoring and weighting into a series of “scores” – often red/amber/green, or an alphanumeric score.
For example, to derive a score for IT risk in a third party relationship, the score could be composed of data from external sources on cyber-preparedness (such as the cyber ratings from SecurityScorecard) and from internal risk assessments. Data feeds that monitor system and IT security performance, both internal and from the third party, can also be integrated. Each individual piece of data is first converted into a score value based on what the data indicates, and those values are then merged, according to their weighting, into an overall score for IT risk.
A good, holistic scorecard can score against a range of relevant risks for that particular third party relationship, including:
| Risk | Performance | Compliance |
|---|---|---|
| Geo-political | Cost | FCPA/Legal |
| Financial Health/Viability | Quality | Diversity/SMB |
| Operational | Delivery | Conflict Minerals |
| Reputational | Technical | Data Privacy |
| Ethics & Integrity | Responsiveness | Sunshine Act |
| EH&S | Leadership | RoHS/REACH |
| Business/Supply Continuity | Electronic Enablement | Buyer Policies |
A scorecard user can then tell, at a glance, which aspects of a third party relationship require attention. When the scorecard is in dashboard form on a supporting third party risk management solution, the user can drill down into a specific score to look at the underlying data points and better understand root causes. For example, a weak IT risk score could be the result of a poor network security score coming from both internal risk assessments and an external source on cyber-preparedness.
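The scoring, weighting and drill-down described above, as an added illustration that is not code from the original article or from any vendor product. Input names, scales, weights and RAG thresholds are all constructed assumptions; the external rating is a placeholder and does not represent SecurityScorecard's actual scale:

```python
from dataclasses import dataclass

# Constructed RAG bands on a common 0-100 scale; a real programme would tune these per domain.
RAG_BANDS = ((80.0, "green"), (60.0, "amber"))

@dataclass(frozen=True)
class DataPoint:
    """One input to a domain score: its origin, raw value, native scale and weight."""
    name: str
    source: str       # "external" or "internal", so drill-down shows which side raised the flag
    value: float      # raw reading on the feed's own scale
    scale_max: float  # top of that scale, used to normalise onto 0-100
    weight: float

def normalise(dp: DataPoint) -> float:
    """Map a raw reading onto 0-100 so differently scaled feeds can be merged."""
    return 100.0 * dp.value / dp.scale_max

def rag(score: float) -> str:
    """Translate a 0-100 score into the red/amber/green banding the scorecard displays."""
    for floor, label in RAG_BANDS:
        if score >= floor:
            return label
    return "red"

def weighted_score(items: list[tuple[float, float]]) -> float:
    """Weighted mean of (score, weight) pairs; weights need not sum to one."""
    total = sum(w for _, w in items)
    return round(sum(s * w for s, w in items) / total, 1)

def domain_score(points: list[DataPoint]) -> float:
    """Merge the individual data points of one risk domain (e.g. IT risk) into its score."""
    return weighted_score([(normalise(p), p.weight) for p in points])

def overall_score(domains: dict[str, tuple[float, float]]) -> float:
    """Merge per-domain (score, weight) pairs into the single headline score."""
    return weighted_score(list(domains.values()))

def drill_down(points: list[DataPoint]) -> list[tuple[str, str, float]]:
    """Root-cause view: contributing data points, weakest first, with their origin."""
    return sorted(((p.name, p.source, normalise(p)) for p in points), key=lambda t: t[2])

# Constructed sample inputs for one supplier's IT-risk domain (not real ratings).
IT_RISK_POINTS = [
    DataPoint("external cyber rating", "external", 72, 100, 0.4),
    DataPoint("internal network security assessment", "internal", 2, 5, 0.4),
    DataPoint("patch SLA adherence feed", "internal", 90, 100, 0.2),
]

if __name__ == "__main__":
    it = domain_score(IT_RISK_POINTS)
    print(f"IT risk: {it} ({rag(it)})")
    for name, source, s in drill_down(IT_RISK_POINTS):
        print(f"  {s:5.1f} {rag(s):6} {name} [{source}]")
```

With the constructed inputs the IT risk domain lands at 62.8 (amber), and the drill-down shows the internal network security assessment (40.0, red) as the weakest contributor.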
Best practice use-cases
Scorecards aren’t just a great tool for zeroing in on key issues. Forward-thinking organizations also use them in a range of different ways to shape organizational strategy, enhance collaboration with third parties, and improve risk culture. For example:
The transparency that scorecards provide can also help an organization improve its controls. Balanced scorecards have long been used for managing contract and supplier performance in the procurement domain, and specific contract terms and conditions can be aligned to the compliance and performance metrics of the scorecard.
It’s clear that scorecards are a valuable business tool in managing third party relationships. For a detailed paper on risk, compliance and performance scoring and weighting, download our technical white paper, Evaluating Third Party Risk and Performance – Best Practice Approaches to Risk and Performance Scoring and Automated Workflow.
For more information about Aravo solutions for Third Party Risk Management, please contact us.