- Aravo for
- Aravo Ecosystem
- About Us
- Request Demo
Scorecards that measure the performance of suppliers and vendors that a company contracts with have been a business tool embraced by procurement for some time now.
However, there’s an evolution underway. Increasingly businesses are recognizing that a holistic third party scorecard that also embeds risk and compliance metrics, can not only help drive continuous improvements in vendor performance, but can also help reduce the risk that third party engagements may bring to the enterprise. What’s more, scorecards can also be leveraged as a collaborative tool to help raise the collective bar of the third party ecosystem – especially in areas such as IT security. Operational risk, Information Security and Compliance are all now stepping up to the scorecard plate.
Imagine having all of the real-time information you need about a third party relationship right in front of you – information that will empower you to make decisions about managing risk, ensuring compliance, and optimizing performance in that partnership. Even better, you could use that information to build a very collaborative relationship with the third party, and enhance your own internal risk culture.
What you are imagining is a third party scorecard. Scorecards – correctly constructed – bring together the relevant information about a third party into a single dashboard or report. They enable the user to understand the strengths and potential risks of the third party relationship quickly and easily. Usually, this is accomplished by consolidating a range of information points via scoring and weighting into a series of “scores” – often red/amber/green, or an alphanumeric score.
For example, to derive a score for IT risk in a third party relationship, the score could be composed of data from external sources on cyber-preparedness (such the cyber-ratings from SecurityScorecard) and internal risk assessments. Data feeds that monitor system and IT security performance – both internal and from the third party – can also be integrated. These individual pieces of data are then combined by automatically assigning a score value based on what the data indicates. These scores are then merged into an overall score for IT risk.
A good, holistic scorecard can score against a range of relevant risks for that particular third party relationship, including:
|Ethics & Integrity||Responsiveness||Sunshine Act|
|Business/Supply Continuity||Electronic Enablement||Buyer Policies|
A scorecard user can then tell – at a glance – just what aspects of a third party relationship requires attention. When the scorecard is in dashboard form, on a supporting third party risk management solution, the user can then drill down into a specific score to look at the underlying data points, better understanding root causes. For example, a weak IT risk score could be the result of a poor network security score coming from both internal risk assessments and an external source on cyber-preparedness.
Best practice use-cases
Scorecards aren’t just a great tool for zeroing in on key issues. Forward thinking organizations also use these scorecards in a range of different ways to shape organizational strategy, enhance collaboration with third parties, and improve risk culture. For example:
This level of transparency that scorecards present can also help an organization to improve its controls. Balanced scorecards have often been used for managing contract and supplier performance in the procurement domain. Specific contract terms and conditions can be aligned to the compliance and performance metrics of the scorecard.
It’s clear that scorecards are a valuable business tool in managing third party relationships. For a detailed paper on risk, compliance and performance scoring and weighting, download our technical white paper, Evaluating Third Party Risk and Performance – Best Practice Approaches to Risk and Performance Scoring and Automated Workflow.
For more information about Aravo solutions for Third Party Risk Management, please contact us.