The vendor risk management process is becoming an area of increased focus for risk managers. The operational, financial, and regulatory risks third-party vendors and contractors pose to an organization continue to expand unabated. Despite the magnitude of the threat posed from lax vendor management programs, many risk managers do not feel their organizations have the technology and capabilities in place to properly face the challenge.
A Deloitte study notes that 94% of responding executives have only low to moderate levels of confidence in the tools and technology they use to manage third-party risk. Nearly 90% have similar lack of confidence in the quality of the underlying risk management process. Armed with dubious solutions and processes, risk managers fighting for effective vendor risk management assessment may find it an uphill battle.
The status quo may not hold
Recent New York Times coverage of the dire supply chain effects Hurricane Maria had on the availability of critical prescriptions in the U.S. illustrates how quickly vendor management issues can escalate. The article notes, “Federal officials and major drugmakers are scrambling to prevent national shortages of critical drugs for treating cancer, diabetes and heart disease, as well as medical devices and supplies, that are manufactured at 80 plants in hurricane-ravaged Puerto Rico.”
Typically, these risks are managed through a cumbersome, annual cycle of sending out assessments and then manually processing the results in an attempt to, somehow, identify vendors with risk profiles above the organization’s appetite. This, however, is not the strategic approach that effective vendor risk management requires. Third-party business relationships can potentially disrupt operations, threaten revenue streams, cause reputational damage, and expose the organization to regulatory penalties. That risk must be managed strategically like all other enterprise risks.
Managing Certificates of Insurance — a first step
Certificates of Insurance (COI) are an important tool for reducing the exposure any organization has arising from the liability created by a vendor or contractor. Diligently monitoring the appropriate coverages, renewal dates, and overall compliance for a large number of third parties can be a resource-draining nightmare, as discussed in a previous blog post.
The right RMIS solution can help tame this process and limit an organization’s exposure to third parties that maintain insufficient liability coverage. While this is certainly a required first step, it still does not provide an organization with the ability to make strategic decisions on vendor management. COIs managed properly may limit the incidence of unexpected liability from a third party, but do little to address the actual risks posed by any vendor or contractor.
Pushing past the limitations of vendor risk assessments
The primary tool for mitigating third-party risk is the risk assessment. The process tends to follow familiar steps: create an assessment (sometimes using a one-size-fits-all form), send it off to a vendor (typically, this is done on an annual basis), collect the results, and file them away. This procedure is often highly manual and treated as an administrative chore by parties on both sides. Because of that, the focus typically centers on simply completing the process rather than using the process to inform better decisions.
The data collected via vendor risk assessment is, in theory, supposed to help the organization understand the risk profiles of all vendors and contractors allowing them to take action when risk thresholds are exceeded. If the data is buried in some spreadsheet or locked away in a file cabinet, it can offer no impact. Similarly, collecting non-relevant information also provides no context for decision makers. Assessments only hold value if they are timely, accurate, and actionable. Fail any of those conditions and the strategic benefit is lost.
Increasing timeliness with online portals
A difficult collection process will usually be one put off or avoided altogether, especially if it means time is taken away from one’s primary duties. This leads to forms sitting on desks, cycles of follow-up calls and emails, and delayed data. Creating a much-simplified vendor risk management process, however, not only leads to faster completion cycles, but also opens up the possibility of more frequent data requests since the administrative burden is reduced.
The use of easily customized online portals can dramatically improve the vendor risk assessment process for all parties involved. Detailed instructions provide the context needed for respondents to fully understand the process, while simplified digital forms streamline the data entry process and reduce completion times. Tracking submission statuses and overdue requests is easy with Origami Risk’s flexible dashboards and reports. Follow-up emails can also be sent automatically, creating a self-managing process requiring few resources to run efficiently.
Improving accuracy through data event triggers and smart forms
Every vendor risk assessment returned needs to go through an initial examination. Do the responses look plausible? Is any data missing or unusual? Origami Risk can use data events to examine the submission and scan for anomalies or red flags. Assessments requiring additional follow up can be escalated for further review, or automatically sent back to the respondent with requests for clarification. Having the system make a first pass “credibility check” speeds up the process and ensures that questionable data gets the scrutiny it warrants.
Form design can also significantly improve data accuracy. By using drop downs, which can be customized for each type of vendor or risk profile, the data collected is standardized, consistent, and easier to analyze. Contingent data fields can also be set to appear only when a respondent answers a question with a specific response — otherwise, the fields remain hidden to avoid creating unnecessary confusion. When considering assessment design, look for ways to eliminate potential ambiguity in responses. This requires flexible forms that can be easily tailored to the many types and profiles of third parties your organization works with, as each one may require a different approach to assessment design.
Delivering actionable results with data-driven notifications and automated corrective actions
Well-designed assessments identify potential third-party risk issues. This, however, is only the first part of the process. The real value of the vendor risk assessment process is in the impact it has on the decision-making process after an issue has been identified.
Origami Risk allows you to set automatic notifications and reports that alert decision makers whenever a vendor risk assessment contains information requiring further investigation. This puts critical information in the right hands at the moment action is required. Risk managers and the executive team can use this information to strategize on the right course of action for those vendors with shifting risk profiles, while allowing normal procedures to be applied to those with assessments within an acceptable range.
Using Origami Risk audit tools, vendor corrective actions can be automatically sent and monitored for compliance. This allows your organization to determine best practices for assessments that fail to meet the standard, and to push those corrective requests back to the vendor at the moment that conditions warrant — shortening the follow-up cycle and ensuring that consistent instructions for corrective actions are issued every time.
Applying an enterprise risk perspective to vendor risk management
In the same way that the traditional risk assessment should be examined to determine if questions can be simplified to improve accuracy, it’s also important to confirm that the data needed to power strategic decision making is actually being captured. The data you need may not be the data you are collecting, leaving your organization blind to the most critical warning signs.
For instance, many assessments focus on lagging indicators (such as profitability) to assess financial health. This can lead to a backwards-looking approach that may not identify risks until after the impact is already felt. In a LinkedIn article, Heidi Norman points out, “Leading indicators, on the other hand, track processes in real-time. The beauty of leading indicators is that while it can take months to get an outcomes report that tells the organization, ‘How are we doing?’, leading indicators can tell you what’s happening in the moment.”
A strategic approach to data capture
Searching for leading indicators can lead to an entirely different analysis process. Asking if there have been any layoffs of vendor personnel during the previous period, for example, may provide advanced warning of a vendor’s financial stress. Linking to ERP data may yield data related to quality control issues that could hint at long-term operational risks. Safety and claims data could reveal the potential for future regulatory risks.
Taking the indicator search even further has the potential of making entirely new classes of data available. Origami Risk’s GIS mapping functionality, for example, allows for the type of disaster preparedness analysis that can extend to third-party providers. This type of “what-if” natural disaster analysis can help mitigate scenarios such as the effect of Hurricane Maria on the pharmaceutical and medical device industries.
A scalable approach
While an efficient, effective vendor risk management process sounds great, the resources it requires to deliver results may be out of reach. If a program can’t scale and achieve sustainability, the effort is likely to be viewed as poorly as the ones cited by 9 out of 10 of respondents in the Deloitte study.
A key to overcoming this potential resource cap is to take full advantage of smart automation. Not only can your organization offload routine administrative time-wasters such as emailing follow-ups and regular report generation, but by focusing on the creation of logic-based triggers even more tasks can be automated. Defining which set of conditions lead to exception-based notifications and escalation activities can drive large gains in productivity, creating scalability for your approach.
By applying this approach to reporting, you avoid the “noise” that can come from a cookie cutter approach to vendor risk management reports. Instead, tailor reports so that each key executive sees the information (in the format they prefer) that matters most to them. Better yet, you can allow them to easily customize their own reports on the fly.
Vendor risk management is often approached as a required exercise instead of an opportunity to apply strategic decisions that mitigate or prevent future impacts on the organization. With the right solution, your organization can take a wider approach to vendor management, and link it with ERM strategies focused on meeting critical organization objectives. By doing it in a sustainable way that doesn’t bury resources in a manual process, your organization can take advantage of a truly effective vendor risk management program.
Contact us today to find out how Origami Risk can transform your vendor risk management program.