For risk managers, this strain on the supply chain means an increased focus on brand reputation, accelerated vetting of alternative vendors, and workplace safety, among many other associated risks. Specifically, the vendor risk management process should not be overlooked by risk managers during this year’s holiday rush. The operational, financial, and regulatory risks that vendors, third parties, and contractors pose to an organization continue to expand unabated. Despite the magnitude of the threat posed by lax vendor management programs, many risk managers do not feel their organizations have the technology and capabilities in place to properly face the challenge.
Out with the Old, in with the New [Year]
Typically, these vendor risks are managed through a cumbersome, annual cycle of sending out assessments and then manually processing the results in an attempt to, somehow, identify vendors with risk profiles above the organization’s appetite. This, however, is not the strategic approach that effective vendor risk management requires. Third-party business relationships can potentially disrupt operations, threaten revenue streams, cause reputational damage, and expose the organization to regulatory penalties. That risk must be managed strategically like all other enterprise risks. Clear examples, such as the Suez Canal, ransomware shutdowns, the Colonial Pipeline, and cargo ships stacked up outside LA ports, have increased awareness of how great an impact supply chain and third-party risks have on every organization.
Managing Vendor Liability: Certificates of Insurance (COIs)
The right solution can help tame this process and limit an organization’s exposure to third parties that maintain insufficient liability coverage. While this is certainly a required first step, it still does not provide an organization with the full ability to make strategic decisions on vendor management. COIs managed properly may limit the incidence of unexpected liability from a third party, but do little to address the actual risks posed by any vendor or contractor. For this next level, vendor risk management is key.
Expanding Vendor Management: Risk Assessments
Just as COIs provide a bird’s-eye view of liability exposure, a risk assessment can enable an organization to mitigate third-party risk. The process tends to follow familiar steps: create an assessment (sometimes using a one-size-fits-all form), send it off to a vendor (typically, this is done on an annual basis), collect the results, and file them away. This procedure is often highly manual and treated as an administrative chore by parties on both sides. Because of that, the focus typically centers on simply completing the process rather than using the process to inform better decisions.
The data collected via vendor risk assessment is, in theory, supposed to help the organization understand the risk profiles of all vendors and contractors, allowing it to take action when risk thresholds are exceeded. If the data is buried in a spreadsheet or locked away in a file cabinet, it can have no impact. Similarly, collecting irrelevant information provides no context for decision makers. Assessments only hold value if they are timely, accurate, and actionable. Fail any of those conditions and the strategic benefit is lost. In the same way that the traditional risk assessment should be examined to determine if questions can be simplified to improve accuracy, it’s also important to confirm that the data needed to power strategic decision-making is actually being captured. The data you need may not be the data you are collecting, leaving your organization blind to the most critical warning signs.
Applying an Enterprise Risk Perspective to Vendor Risk Management
Vendor risk management is often approached as a required exercise instead of an opportunity to apply strategic decisions that mitigate or prevent future impacts on the organization. With Origami’s connected platform for managing both insurable and uninsurable risks, you can track, monitor, and assess vendors, simplify COI management, conduct audits, and much more. Through the use of this software, risk management professionals can streamline the vendor onboarding process, automate vendor assessments, access external risk content and scoring from ArgosRisk and SecurityScorecard, and download ready-made board presentations. It all works together to provide you and your organization with a more comprehensive view of vendor risk.
Using Origami Risk audit tools, vendor corrective actions are automatically assigned and monitored for compliance. This allows your organization to determine best practices for assessments that fail to meet the standard and pushes those corrective requests back to the vendor at the moment that conditions warrant — shortening the follow-up cycle and ensuring that consistent instructions for corrective actions are issued every time.
Lastly, Origami Risk also allows you to set automatic notifications and reports that alert decision-makers whenever a vendor risk assessment contains information requiring further investigation. This puts critical information in the right hands at the moment action is required. Risk managers and the executive team can use this information to strategize on the right course of action for those vendors with shifting risk profiles while allowing normal procedures to be applied to those with assessments within an acceptable range.
With the right solution, your organization can take a holistic approach to vendor risk management, linking it with ERM strategies focused on meeting critical organizational objectives. By doing it in a sustainable way that doesn’t bury resources in a manual process, your organization can get an early holiday gift — a truly effective vendor risk management program.
To learn more about Origami Risk’s VRM solution, watch the 20-minute Solution Showcase or download the solution sheet.
If you’re interested in learning more about how Origami can help your organization apply an enterprise risk management perspective to vendor risk management, start a conversation with us.