Moving beyond the spreadsheet for vendor risk management
In today’s business landscape, many enterprise companies look to third-party vendors to provide them with organizational value and competitive advantage. While outsourcing has always existed in some form, globalization and the internet have caused the use of third-party vendors to increase exponentially. Previously, companies relied on third parties for non-core functions. Today, more and more critical functions are outsourced to find cost savings and efficiencies.
Because third-party vendors are an extension of an organization, businesses are held accountable for things like safety, ethics, business practices, and more. With more at risk than ever before, organizations must ensure third-party partners behave appropriately.
As the topic of third-party risk becomes more pressing across industries like healthcare and retail, many organizations are looking for ways to better assess and manage third-party risk. Unfortunately, reliance on archaic systems like spreadsheets and emails to manage multiple vendors, processes, and millions of dollars in contracts is commonplace.
Challenges Using a Spreadsheet System
Typically, companies allocate vendor management within a section of every department. To some this might seem like an organized way to go about risk management. However, this approach develops silos across the organization, requiring each department to be responsible for its own spreadsheet of third-party relationships, approvals, and processes. By siloing third-party risk across departments, employees experience difficulty in following company policies and in gaining a holistic understanding of vendor risk across the entire company.
The use of spreadsheets becomes even more overwhelming as a company grows. Relying on spreadsheets or manual solutions to track third-party vendors leaves room for error and, inevitably, more risk. Companies should replace spreadsheets with tools and solutions that provide a bird’s eye view into vendor management.
Calculating a Risk Score for Each Third Party
For organizations to ensure consistent outcomes for their vendor risk management programs, they must develop a simple and consistent risk-scoring methodology that applies to all vendors. Rather than go overboard with calculations that include every single factor possible, consider developing risk scoring calculations that are transparent and easy to understand. With a clear and concise risk scoring methodology, risk managers can more easily gain buy-in from leadership and vendors. For enterprises looking to calculate a risk score, consider the following factors:
- Vendor type: Certain vendors warrant stricter requirements. For example, a SaaS provider that hosts valuable company information warrants stricter requirements than an office cleaning vendor.
- Critical or noncritical: If a vendor fails to meet obligations, what is the impact to the company?
- Policies: Does the vendor have internal policies and procedures in place?
- Certifications: Does the vendor have certifications from an external audit?
Incorporating a risk score for each third party is one step in the process of moving beyond the spreadsheet. Through a risk score, a company has a transparent view into the potential risk of each vendor that is not siloed by departments.
Utilizing Solutions for Vendor Risk Management
Following the implementation of a risk score methodology, companies should look for a centralized system. With a centralized system, important comments or concerns can be quickly addressed by the appropriate individuals within the workflow, and each department gets a bird’s eye view that enables better compliance. By getting rid of spreadsheets and utilizing a centralized system, all employees will have a more accurate understanding of the vendor risk management process. Beyond transparency, a centralized vendor risk management system provides the following benefits:
- Increased communication between company and vendors
- Predictable outcomes through risk scoring
- Greater compliance through workflows
- Centralization and consistency leading to reduced risk
When considering a solution for vendor risk management, organizations need to make sure the solution can scale with the company as it evolves.
No More Spreadsheets
With increasing regulations and pressure on organizations to prove compliance and establish proper governance standards, companies cannot rely on spreadsheets to facilitate third-party policies and procedures. Instead, organizations must find a centralized vendor risk management system to simplify and standardize processes, effectively manage vendor risks and relationships, and ultimately save time and money throughout the entire enterprise.
Jon Siegler is the co-founder and chief product officer at LogicGate. He has over a decade of experience in designing customer-centric enterprise risk and compliance systems, delivering value for organizations by reducing their risk, improving efficiency, and automating processes. Jon is driven by a passion to connect deeply with customers' problems in order to build an amazing product that makes the challenges of risk and compliance easier. Prior to LogicGate, Jon led many legal, compliance, and regulatory consulting engagements at Fortune 500 organizations, where he successfully combined technology with business process design across a wide variety of domains.