by Ashley Poynter

Content Manager

The Missing Link When Building a Vendor Risk Management Framework

If you’re about to do a deep dive on building a vendor risk management framework, you should take a moment to level set on why what you are doing is so important.

Vendor relationships might feel as if they matter only to the vendor management team and the buyers from procurement, but these relationships are threads that weave through every single department in your organization. Everyone, in some capacity or another, deals with a vendor.

You can’t really do business without third-party involvement. Call them what you will (vendors, contractors, payees, suppliers, etc.), but be sure to call them essential to your business. These entities are what enable you to deliver your products and solutions to customers.

But they also bring risk. A lot of it.

Both common and emerging third-party risks can cost your organization in several ways. They can damage your reputation, cause you to rack up legal fees, and ultimately, they can cost you revenue. They can also cost you – or someone you know – a job.

With so much at stake, building a vendor risk management strategy is a no-brainer. I’m with you! However, I’m about to make the argument that most vendor risk management frameworks miss a crucial piece of the picture.

Vendor onboarding. Let’s dig in.

Vendor Risk Management Depends on Vendor Onboarding

Why a Vendor Risk Management Framework is Crucial

The Vendor Risks You Need to Know

Foolproofing Your Vendor Risk Management Framework

Steps for Building a Vendor Risk Management Framework

5 Considerations for Creating a Vendor Risk Management Framework

Ask the right questions
Get smart about third-party risk
Let automation lend a hand
Understand compliance risk and due diligence
Understand there’s no “I” in “team” (or “vendor management”)

Set It But Don’t Forget It

How Vendor Management Appreciation Day Can Help

Want Help Aligning Your Teams to Improve Your Vendor Risk Management Framework?

Interested In Regular Vendor Risk Management Framework Tips?

Want Personalized Guidance on Your Vendor Risk Management Framework?

Vendor Risk Management Depends on Vendor Onboarding

Not too long ago, we made some predictions about vendor onboarding for 2023. Namely, we predicted there would be an undeniable demand for vendor onboarding to be automated.

It makes sense when you consider just how rife with risk vendor onboarding processes are. Fraud, compliance issues, and human error can damage procurement machinery – and cause significant financial and reputational harm to your organization.

This is why I believe it pays to look at vendor risk management through the lens of vendor onboarding first and foremost. And when you want to mitigate risk, automation has to play a key role.

Removing unnecessary human intervention makes your vendor onboarding more secure and improves business continuity planning. Perhaps more importantly, it turbocharges productivity. Less manual intervention means fewer people to do the same functions more effectively.

And since staffing is a pressing issue for many procurement, AP and vendor desk teams (made worse by increased economic pressures), automation for vendor onboarding is practically mandatory at this point.

The best thing a business can do when building out a vendor risk management framework is to start right at the beginning. Automate vendor onboarding and data checks will reduce the risk of fraud and compliance issues, while also positively impacting the bottom line. With the right business controls, the vendor master file can remain in tip-top shape, reducing real and potential risks. Good, clean, vetted supplier data in your vendor master file results in a foundation to build the rest of your vendor risk management framework.

Why Building Out Your Vendor Risk Management Framework is Crucial

Beyond securing your vendor onboarding process, of course, does not completely solve the scope of vendor risk management. The risks related to your vendors are broad, and when you consider all of the real risks to your business, building your vendor risk management (VRM) framework becomes urgent. One “tiny” breach can cascade across the organization and really muck things up across the board.

A solid VRM framework can and should guard against catastrophe. It provides a structured way to identify, assess, and mitigate risks from third-party vendors. Like what? Glad you asked!

Firstly, it can prevent data breaches. Any mention of third-party data breaches sucks the air right out of a room, as it should. The average cost of a data breach in the U.S. in 2022 was $9.44 million. And that’s not to mention disruptions to business continuity, which are devastating in their own right.

Secondly, a vendor risk management framework can help to simplify compliance. Even the experts struggle to keep tabs on the ABCs of compliance (GDPR, KYC, PCI, oh my). Having a plan can help your organization level set about how you will maintain audit logs, ownership and tools related to these lists and keep you from running afoul of compliance mandates.

Finally, the right framework can make vendor onboarding a breeze. Yes, a breeze! Having an agreement that ties the importance of vendor onboarding to the entire framework gets your entire organization on board with what is at stake from day one. A vendor risk management framework simply must be closely tied to the vendor onboarding process.

Using a framework can help vendor management teams better understand what information to collect, how to set up vendor profiles, and how to assign vendor risk. It can make the entire process go much smoother – and allow everyone to rest easy at night.

The more thorough your vendor risk management framework, the more effectively you can mitigate risk. A structured approach to managing vendor relationships simplifies workflows – and makes your organization more secure.

The Vendor Risks You Need to Know

All risks are not created equal, but they all strike fear into the hearts of vendor onboarding and management teams everywhere. Here’s a quick overview of what can go wrong when you don’t do vendor risk management right:

Compliance – Compliance risks put your company at risk of violating laws and regulations that dictate processes your organization must follow. Given the sheer number of requirements a company is subject to, this is a big one – and one of the potentially most damaging.

Cybersecurity – Cybersecurity risks include breaches, hacks and cyber attacks. Not only can they result in data loss, but companies can feel the pain of substantial reputational losses, too. Without a handle on trending threats and internal vulnerabilities, these risks can become catastrophic. And they’re getting harder to prevent. Just ask Linda Miller, CEO of Audient Group:

Reputational – When your company messes up, whether it is breached, tricked or just handles sensitive data incorrectly, people take note. This can result in lost customers and partners – and an overall loss of faith in your brand.

Operational – Operational risk can happen when one of your vendors succumbs to its own disruption, which then impacts or disrupts your operations. If a vendor is hacked, there can be ramifications for your company.

Financial – Financial risk is almost inherent in every other type of risk. Companies that face breaches, compliance errors, reputational damage, or business disruption usually lose revenue or face excessive costs and fines. And of course, vendor impersonation scams and losses fall into this bucket.

Foolproofing Your Vendor Risk Management Framework

A vendor risk management framework with holes or oversights – or that doesn’t start with a look at vendor onboarding – isn’t very useful, so we’ve put together some steps you can take to make sure you cover as much ground as possible.

Another thing to keep in mind is that your plan should be flexible and adaptable as your organization and vendors change.

Finally, make sure your framework is scalable enough to grow with your company and as you onboard new vendors.

Steps for Building a Vendor Risk Management Framework

Assess risk – You need to understand all the risks tied to each vendor, which should occur at the vendor onboarding phase. This means looking at the onboarding data provided, the payment type selected, the sanctions lists and exactly the types of goods and services each vendor offers. Beyond this, what is their level of access to data and property? Are they in good standing as a business? Who are the beneficial owners? And any other inherent risks that affect how you pay them.
Document your goals – Define your scope and objectives. What do you want to achieve with this framework? Which vendors, risks and processes need to be addressed?
Define success – Define how you will measure performance. Likewise, understand your evaluation criteria. Be sure your metrics are consistent across vendors and risk profiles.
Document workflows and policies – Standardizing procedures for your risk management framework makes it easier for people to stay on the same page. After that, be sure to include and assign roles and responsibilities.
Apply controls – You’ll need both preventative and corrective controls to manage risk. Think about the role of contracts, audits, and monitoring in your framework.
Ensure compliance – This is a big one. Your company will have to consider federal, regional, state, and local compliance requirements – and how those play out on the internal front.

5 Considerations for Creating a Vendor Risk Management Framework

#1: Ask the right questions

Choosing the right vendor risk management framework means asking the important questions. This might include:

Which parts of our current vendor onboarding process can be automated and how does this help mitigate risk?
How do other current onboarding workflows tie into the framework?
Will we be able to update the framework regularly to account for evolving levels of risk?
How will we standardize our definitions of different risk tiers?
How will our choice of vendor risk management framework impact our vendor onboarding process – and the vendors themselves?
What industry-specific regulations and compliance factors must we account for?
What current processes could pose a problem for becoming or remaining insured? (Bring your internal Insurance Buyer into this part of the conversation.)

Hear Ayo Oshodi of Chubb speak more on that here:

What risks do each vendor pose? (Ask Risk Management Team)
How can we ensure continuous vendor monitoring? (Ask IT Department)
What controls are necessary for effective risk mitigation? (Consult Legal and Compliance Teams)
How often should the VRM framework be reviewed and updated? (Collaborate with all Stakeholders)

We’ve said it before and we’ll say it again, “because we’ve always done it that way” stymies innovation – and it can create unnecessary risk. So ask the tough questions. Upend the status quo. Do the difficult things that ultimately make your organization more secure from bad actors.

#2: Get smart about third-party risk

It’s time to stop looking at “third-party risk” as a big, bad, scary word and start focusing on the upside. Yes, risk is bad. And mitigating risk is good.

But if you look beyond those black-and-white statements, you’ll also see there’s an opportunity to gain a competitive advantage. In fact, Deloitte estimates that high performers in third-party risk mitigation stand to outperform their peers by an extra 4-5% ROE, creating a source of organizational value.

That’s right – you can squash risk and boost value! It’s a win-win. But again, it starts at the top with becoming more strategic with vendor onboarding. Strategic vendor onboarding starts with automation to remove unnecessary manual work from people’s plates.

#3: Let automation lend a hand

If you’re having difficult conversations and changing to a more strategic mindset, you know that automation has to play a part in your vendor risk management framework. It’s all part of the growth process.

You might start by looking at where the potential for costly mistakes and breaches lies. Is it due to too many cooks in the vendor onboarding kitchen? Is it ‘fatfinger’ typos from manual inputs dirtying your data? Or is it higher-ups that are willing to break processes “just this once” (sidebar: this tool can help with that)? It’s probably a little of all of the above.

The good news is that automation can flatten those threat vectors to a pulp. Identifying areas that need attention will require input from several teams, so make sure you cast a wide net when scheduling those meetings.

Even better news: you don’t have to go from 0-100 overnight. Huron consultant Snow Rutkowske points out that even a little automation can go a long way:

#4: Understand compliance risk and due diligence

Anyone in vendor management knows the stress and lost sleep that happens over vendor compliance. Mastering vendor compliance can seem daunting when you think about all of the rules and regulations. On top of that, vendors are constantly changing and internal folks may have shifting responsibilities.

It’s a lot.

Without the right tools and documentation (ahem, we may have put together a template for you here), you might feel lost.

A good start might be to outline your compliance procedures according to global, federal, state, local, and internal parts. This can help you get everyone on the same page about all requirements enforced by your country, state, city, and company.

Documenting compliance processes also turns it into a collaborative process. No one person should be on the hook and everyone should understand what is expected.

#5: Understand there’s no “I” in “team” (or “vendor management”)

Constructing a resilient vendor risk management framework is a winding journey. Effective collaboration means people from multiple departments—legal, IT, compliance, operations—should be involved.

Both vendor management and risk are multi-faceted. The more perspectives you can lean on, the better. Each department can offer its own expertise in risk identification.

In the same vein, it’s unfair to place an undue burden on one person or one department. Often, vendor management teams are expected to keep tabs on everything – from changing compliance regulations to super-sophisticated signs of fraud.

Reminder! Your vendor management team is not made up of security experts:

Without the proper automation and support, it’s simply too much and it puts the entire organization at risk.

A focused, collaborative approach that elicits nuanced input from multiple people and teams can foster better internal policies. The result is a more robust, comprehensive framework – and more restful Zzzs for everyone at night.

Set It, But Don’t Forget It

Unfortunately, risk is here to stay. Building a vendor risk management framework is a complex process, but you can’t do without it.

With the right documentation, a collaborative approach, alignment with regulatory requirements, and automation, you can rest easier knowing you’ve done your due diligence to guard against bad actors.

Remember, this isn’t a set-it-and-forget-it feat. Your best defense is a proactive offense. So meet regularly to keep all teams aware of the changing risk landscape. Your framework should evolve to meet your organization’s changing needs. So keep talking. Keep changing. And keep the bad actors at bay.

How Vendor Management Appreciation Day Can Help

Third-party vendor risk can be a ‘doom and gloom’ topic, but we’re in the mood to celebrate. If you are too, you should be sure to join the party.

What party?

The party that highlights the tremendously challenging job vendor management professionals do day in and day out: Vendor Management Appreciation Day (VMAD).

It’s time for everyone to come together in honor of one of the most important, sometimes under-recognized roles across industries.

Will you join us to celebrate on December 12th?