It’s Time to Move Beyond the Spreadsheet for Vendor Risk Management
Szuyin Leow | January 16, 2018
Managing your company’s third-party vendors is an intricate and detailed process. Third-party vendors are in many ways crucial to a company’s success, and yet many companies are using archaic systems like spreadsheets and emails to manage multiple vendors, processes, and millions of dollars in contracts. The time has come to move beyond the spreadsheet and onto a centralized system that streamlines the process and clarifies the procedure for everyone involved.
What is Vendor Risk Management?
Vendor risk management - or third-party risk management - is the process of ensuring that an organization's use of third-party service providers does not create an unacceptable level of risk exposure or increase the chance of significant business disruption. The process is detailed and requires employees from both the organization and the service provider to contribute information and follow the protocols and procedures set out in their shared contract. For cloud computing vendors with PaaS or SaaS offerings, risk assessments will typically focus on data security, privacy, availability and integrity.
Should You Calculate a Risk Score for Each Third-party?
The best way to ensure consistent outcomes from your company's vendor risk management program is to develop a simple, consistent risk scoring methodology that can be applied to various types of vendors. It may be tempting to go overboard with scoring calculations that incorporate every factor imaginable, but the most successful methodologies are transparent and easy to understand. A score that a business owner can reproduce by hand leads to better buy-in from senior leadership and third-party partners.
A few factors which typically are included:
Type of Vendor – For example, you’ll want to impose stricter requirements on a SaaS provider that hosts your company’s data versus an office cleaning vendor.
Criticality – What would the impact be to the business if the vendor failed to meet their obligations?
Vendor Policies – Does the vendor have appropriate internal policies and procedures in place?
Certifications and attestations – Has the vendor been independently audited, for example against ISO 27001, or can it provide a SOC 1 or SOC 2 report? Note that SOC reports are attestation reports rather than certifications: check the report type (Type I covers control design at a point in time, Type II covers operating effectiveness over a period), the period covered and the scope, rather than treating the name alone as evidence.
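A transparent scoring model built from the four factors above, as an added illustration that is not LogicGate's product logic or a published standard. It separates inherent risk (what the vendor can reach and how badly the business is hurt if it fails) from residual risk (after control evidence), and it handles the caveat that an attestation report only counts when its scope covers the service you actually buy. The weights, tier cut-offs, credit values and the sample vendors are all assumed values constructed for the example.

```python
"""Transparent vendor risk scoring (added example; weights are assumed)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class DataAccess(IntEnum):
    NONE = 0          # no system or data access (e.g. office cleaning)
    INTERNAL = 1      # non-sensitive internal information
    CONFIDENTIAL = 2  # customer records, financials, credentials
    REGULATED = 3     # data under GDPR, HIPAA, PCI DSS and similar


class Criticality(IntEnum):
    LOW = 1     # vendor failure is an inconvenience
    MEDIUM = 2  # operations degrade but workarounds exist
    HIGH = 3    # a core business process stops


# Credit for independent evidence, weakest to strongest (assumed values).
# SOC reports are attestations, not certifications: Type I covers design
# at a point in time, Type II covers operation over a period, so it earns more.
ATTESTATION_CREDIT = {
    "self-assessment": 1,
    "SOC 2 Type I": 2,
    "SOC 2 Type II": 3,
    "ISO 27001": 3,
}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_access: DataAccess
    criticality: Criticality
    hosts_our_data: bool = False
    has_security_policies: bool = False
    attestation: Optional[str] = None
    # A report only counts if its scope covers the service we actually buy.
    attestation_in_scope: bool = False


def inherent_score(v: Vendor) -> int:
    """Exposure before controls: data sensitivity weighs most, then
    criticality, plus a flat surcharge when the vendor hosts our data."""
    return 3 * int(v.data_access) + 2 * int(v.criticality) + (3 if v.hosts_our_data else 0)


def impact_floor(v: Vendor) -> int:
    """Controls lower likelihood, not impact: the data the vendor holds and
    the business dependency remain whatever its audit report says."""
    return 2 * int(v.data_access) + int(v.criticality)


def control_credit(v: Vendor) -> int:
    credit = 1 if v.has_security_policies else 0
    if v.attestation and v.attestation_in_scope:
        credit += ATTESTATION_CREDIT.get(v.attestation, 0)  # unknown report type: no credit
    return credit


def residual_score(v: Vendor) -> int:
    return max(inherent_score(v) - control_credit(v), impact_floor(v))


def tier(score: int) -> str:
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def assessment_plan(v: Vendor) -> dict:
    """Inherent tier decides how much due diligence to request; residual
    tier is what gets reported to leadership once evidence is in."""
    inherent_tier = tier(inherent_score(v))
    due_diligence = {
        "high": "full questionnaire, audit report review, annual reassessment",
        "medium": "standard questionnaire, annual reassessment",
        "low": "onboarding checklist only",
    }[inherent_tier]
    return {"vendor": v.name, "inherent": inherent_tier,
            "residual": tier(residual_score(v)), "due_diligence": due_diligence}


# Constructed sample vendors (not real companies).
CLEANING = Vendor("Office cleaning co.", DataAccess.NONE, Criticality.LOW)
SAAS = Vendor("CRM SaaS", DataAccess.CONFIDENTIAL, Criticality.HIGH,
              hosts_our_data=True, has_security_policies=True,
              attestation="SOC 2 Type II", attestation_in_scope=True)
# Same SaaS, but its SOC 2 report covers a different product line.
SAAS_OUT_OF_SCOPE = Vendor("CRM SaaS (report out of scope)", DataAccess.CONFIDENTIAL,
                           Criticality.HIGH, hosts_our_data=True, has_security_policies=True,
                           attestation="SOC 2 Type II", attestation_in_scope=False)

if __name__ == "__main__":
    for vendor in (CLEANING, SAAS, SAAS_OUT_OF_SCOPE):
        print(assessment_plan(vendor))
```

With these assumed weights the cleaning vendor scores 2 (low) both before and after controls, the hosted CRM scores 15 (high) inherently and 11 (medium) once an in-scope SOC 2 Type II and written policies are credited, and the same CRM with an out-of-scope report stays at 14 (high). The impact floor is the design choice worth keeping whatever weights you pick: no amount of paperwork makes a vendor holding regulated data a low-risk relationship.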
The Difficulties of Using a Spreadsheet System
Traditionally, companies have handled vendor management inside each department, creating individual silos. Each department maintains its own spreadsheet of third-party relationships, tracks its own approvals, and documents its own process. This siloed arrangement makes it difficult, if not impossible, to apply company policies and procedures consistently across departments, let alone to get a holistic view of vendor risk across the entire company. The segregation inevitably leads to a higher risk of non-compliance, human error, redundant assessments of the same vendor, and longer turnaround time before a vendor relationship can start. According to GRC 20/20, "Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives and performance, resulting in complexity, redundancy and failure." By running vendor risk management in disparate pieces, companies miss the bird's eye view that a centralized system provides.
Using Technology for Vendor Risk Assessments
With a centralized system in place across the entire enterprise, important comments or concerns can be routed quickly to the appropriate individual within the workflow, even if they sit in a different department. When each department shares the same bird's eye view through the centralized system, compliance improves and everyone gains a more accurate understanding of the end-to-end process than segregation allows. Benefits of such a system include:
higher quality communications between company and vendors
easily tracked vendor relationships
predictable outcomes through automated risk scoring
greater visibility into policies for everyone involved in the process
better compliance through technology-enabled workflows
reduced risk through centralization and consistency
How to Transition Away from Spreadsheets
LogicGate's approach is to meet customers where they are in the life cycle of developing their third-party risk management program. Our flexible vendor risk management software allows us to take your existing spreadsheets and configure them in LogicGate in a matter of days. Then, using LogicGate's visual workflow designer, we can create rules and logic that give your process consistency and enable compliance. External forms are then created to send requests to third parties, allowing you to capture the results of risk assessments easily. Additionally, LogicGate has a best-practice Vendor Risk Assessment template that allows organizations to manage vendor risk and track vendor relationships more effectively.
With increasing regulations and demands concerning governance and compliance, such as GDPR, companies can no longer risk using spreadsheets to manage third-party vendor policies and procedures. By using a centralized vendor risk management system, organizations can simplify and standardize their process, effectively managing vendor risks and relationships, and ultimately saving time and money throughout the entire enterprise.