Q: How does the vendor risk management process basically work?
A: In simplified form, the standard system follows the process shown below:
1. A vendor (or any third party) is entered in the system, and basic information is gathered about the vendor. At this point, the vendor is considered “High” risk, because no information is available to suggest otherwise.
2. The system then guides the appropriate staff through a series of questions, which determine whether the vendor is critical, material or minor and the extent of potential impact if something were to go wrong with the vendor.
3. Based on that scoring, a defined set of information is identified to be collected and reviewed by appropriate subject matter experts.
4. Following that evaluation, the system proposes a rating, which is reviewed and finalized.
5. Then, on a defined schedule – typically annually or when documentation expires – the process is repeated to assure that vendor status is current and reliable.
6. At all times, dashboards are available and reports distributed to assure all involved are aware of current status.
7. Finally, if there are issues or findings – such as a vendor not meeting standards – the system will assure that the finding is assigned to an appropriate person and that resolution is happening in a timely fashion.
Q: Could I change the vendor questions or scoring algorithms? Can I have review and notification processes tailored to my firm?
A: No problem! Our system allows for customizable scoring algorithms and workflows.
Q: Can I tell if a vendor or subject matter expert has not responded? Will the tools remind them?
A: Yes. The system comes with dashboards and reports that show program status down to the specific responses of individuals. The tool has a standard email-based reminder system that will follow up automatically with non-respondents.
Q: Can I ask for more than status? Can I ask for some evidence of performance?
A: Certainly. All data collected is maintained in the system and is available for review to users with appropriate permissions.
Q: Can I have reports automatically distributed to appropriate managers or executives?
A: Yes. Reports can be automatically run and distributed by email on virtually any schedule. The content of the reports can be filtered to the role of the recipient, so that, for example, a manager will only see status or performance of the vendors he or she is responsible for.
Q: What happens if a requirement is not being met?
A: In the standard system, this involves creating an issue, assigning it to a responsible party, and negotiating an action plan and due date. The system will follow up to assure closure, including collecting any required evidence. Alternatively, the system can be set up to automatically create an issue and notify appropriate parties if a respondent selects a problematic answer.
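To make the lifecycle described in the first answer and the issue-handling path described in this one concrete, here is an added, self-contained model of that workflow. It is example code written for this page, not DoubleCheck's software: the question names, point weights, tier thresholds, evidence lists, review intervals and the 30-day issue due date are all assumptions chosen for the illustration, and the vendors and answers in the usage call are constructed sample data.

```python
"""Toy vendor risk management lifecycle (added illustration, not DoubleCheck's code).

Models: default "High" rating at intake, questionnaire-driven tiering, tier-specific
evidence requirements, automatic issue creation on an unacceptable answer, review
dates pulled forward by document expiry, and a dashboard of overdue items.
All weights, thresholds, intervals and names below are assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed intake questions: a "yes" adds the points shown toward criticality.
QUESTION_WEIGHTS = {
    "handles_customer_data": 40,
    "supports_critical_operation": 30,
    "has_network_access": 20,
    "annual_spend_over_100k": 10,
}

# Assumed evidence set and review interval per tier.
TIER_EVIDENCE = {
    "critical": ["SOC 2 Type II", "pen test summary", "BCP/DR plan", "cyber insurance"],
    "material": ["security questionnaire", "cyber insurance"],
    "minor": ["security questionnaire"],
}
REVIEW_INTERVAL_DAYS = {"critical": 365, "material": 365, "minor": 730}
ISSUE_DUE_DAYS = 30  # assumed default remediation window


def d(s: str) -> date:
    """Small helper so callers can write ISO dates as strings."""
    return date.fromisoformat(s)


@dataclass
class Issue:
    vendor: str
    description: str
    owner: str
    due: date
    closed: bool = False


@dataclass
class Vendor:
    name: str
    rating: str = "High"  # nothing is known yet, so the vendor starts as High risk
    tier: Optional[str] = None
    evidence_required: List[str] = field(default_factory=list)
    evidence_received: Dict[str, date] = field(default_factory=dict)  # doc -> expiry
    next_review: Optional[date] = None
    issues: List[Issue] = field(default_factory=list)


def score_tier(answers: Dict[str, bool]) -> str:
    """Map yes/no intake answers to critical / material / minor (assumed thresholds)."""
    points = sum(w for q, w in QUESTION_WEIGHTS.items() if answers.get(q, False))
    if points >= 60:
        return "critical"
    if points >= 30:
        return "material"
    return "minor"


def triage(vendor: Vendor, answers: Dict[str, bool], today: date) -> Vendor:
    """Intake step: set the tier, the evidence to collect and the scheduled re-review.
    The rating stays High until evidence has actually been reviewed."""
    vendor.tier = score_tier(answers)
    vendor.evidence_required = list(TIER_EVIDENCE[vendor.tier])
    vendor.next_review = today + timedelta(days=REVIEW_INTERVAL_DAYS[vendor.tier])
    return vendor


def record_evidence(vendor: Vendor, doc: str, expires: date, acceptable: bool,
                    owner: str, today: date) -> Optional[Issue]:
    """Subject matter expert review of one document.
    An unacceptable document opens an issue automatically (the 'problematic answer'
    path), and a document that expires before the scheduled review pulls it forward."""
    vendor.evidence_received[doc] = expires
    if vendor.next_review is None or expires < vendor.next_review:
        vendor.next_review = expires
    if not acceptable:
        issue = Issue(vendor.name, f"{doc} does not meet standard", owner,
                      today + timedelta(days=ISSUE_DUE_DAYS))
        vendor.issues.append(issue)
        return issue
    return None


def finalize_rating(vendor: Vendor) -> str:
    """Proposed rating: High while evidence is missing or an issue is open,
    otherwise Low for minor-tier vendors and Medium for the rest (assumed rule)."""
    missing = [x for x in vendor.evidence_required if x not in vendor.evidence_received]
    open_issues = [i for i in vendor.issues if not i.closed]
    if missing or open_issues:
        vendor.rating = "High"
    elif vendor.tier == "minor":
        vendor.rating = "Low"
    else:
        vendor.rating = "Medium"
    return vendor.rating


def dashboard(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """What a status report would surface: reviews now due and overdue open issues."""
    return {
        "review_due": [v.name for v in vendors
                       if v.next_review is not None and v.next_review <= today],
        "overdue_issues": [f"{i.vendor}: {i.description} ({i.owner})"
                           for v in vendors for i in v.issues
                           if not i.closed and i.due < today],
    }


if __name__ == "__main__":
    today = d("2024-01-15")  # constructed sample data from here on
    acme = triage(Vendor("Acme Payroll"),
                  {"handles_customer_data": True, "supports_critical_operation": True}, today)
    for doc in ("SOC 2 Type II", "BCP/DR plan", "cyber insurance"):
        record_evidence(acme, doc, d("2024-12-01"), True, "alice", today)
    record_evidence(acme, "pen test summary", d("2024-12-01"), False, "bob", today)
    print(acme.tier, finalize_rating(acme), dashboard([acme], d("2024-03-01")))
```

The point the model makes is that the rating is an output of evidence review, not of the intake questionnaire alone: a critical-tier vendor with every document on file still carries a High rating while a finding is open, and closing that finding is what lets the proposed rating drop.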
Effective understanding and management of risks from third parties is essential in modern business – there is simply too much harm that can be done from having business information, customer information or business operations compromised. With the DoubleCheck VRM Solution, you can be assured that your vendors are demonstrating compliance…or else!