If you’ve ever been intentional about setting personal or professional goals, you may be familiar with the criteria known as S.M.A.R.T. Specific, measurable, achievable, relevant, and time-bound goals are more likely to be achieved than those which are vague, unrealistic, and open-ended. Measuring goals is particularly important because it provides concrete data on the progress made towards your objectives.
Key performance indicators (KPIs) are an essential tool that helps measure many aspects of an organization’s functions, including third-party risk management (TPRM). It’s important to use KPIs not just to measure your vendor’s performance, but also to measure the overall effectiveness of your TPRM program.
This blog will walk you through both vendor KPIs and TPRM program KPIs and provide some examples of each.
What Are Key Performance Indicators?
KPIs are metrics that reveal the effectiveness of working towards a specific goal. Imagine that your organization developed a marketing goal to increase page views by 25% in Q1. The KPI would reflect the actual percentage increase at the end of Q1, whatever that number may be.
Some KPIs can be a specific, numerical target, while others allow for an acceptable range of values. KPIs can also be objective (based on facts) or subjective (based on personal opinions). It’s recommended that at least 80% of your KPIs should be objective (fact-based), because it’s easier to normalize fact-based data and determine trends over time.
Understanding Vendor Key Performance Indicators
Working with a vendor should come with certain expectations about their performance, such as service quality or product delivery. Poor vendor performance can expose you to additional risk, like reputational damage or operational disruptions, and can even impact your bottom line. For example, imagine that your cloud service provider experienced multiple outages in the previous month, which prevented your customers from accessing their accounts and processing transactions. These outages would likely damage your reputation and could result in dissatisfied customers taking their business to another organization.
Vendor KPIs help determine whether performance expectations are being met and whether your organization needs to address any issues before they become larger, costlier problems. The KPIs may have a numerical target or allow for a range of acceptable values with lower and upper limits.
Here are examples of specific target vs acceptable range in vendor KPIs:
| Specific Target Vendor KPIs | Acceptable Range Vendor KPIs |
| --- | --- |
| Vendor's call center agent training was 90% in Q2 | Vendor’s uptime percentage was 98% – 99.99% in Q2 |
| The vendor's incident response time averaged 3 hours in Q2 | The vendor’s defect rate was 10 – 15% in Q2 |
| The vendor's help desk resolution was 88% in Q2 | The vendor’s average speed of answer was between 50 – 65 seconds |
There are many factors to consider when developing vendor KPIs, such as the product or service, industry standards, and any service level agreements (SLAs) you have in place.
4 Tips for Developing Vendor KPIs
Here are four tips to help you develop vendor KPIs:
- Identify your goals and objectives – Think about 3-5 specific reasons why your organization is partnering with this vendor. Is the vendor necessary to meet a regulatory requirement? Will the vendor’s service improve your operations or provide additional expertise? Maybe your goal with this vendor is to acquire new customers or expand into a new market. Understanding your vendor relationship goals and objectives can help bring focus to relevant KPIs.
- Consider your data source – Make sure your KPIs can be measured and calculated with reliable and consistent data. Vendor performance data can come from a variety of sources, such as issue management and tracking systems, information security reporting, or customized vendor performance scorecards. Regular communication with vendor owners and your vendors is also essential to track KPIs.
- Define thresholds – It’s important to set thresholds so you have a specific target or acceptable range in mind when measuring your vendor KPIs. You should also create a plan of action to execute if a KPI is measured outside of the threshold.
- Review and revise – Vendor KPIs should be reviewed with stakeholders to ensure they’re clearly defined and realistic. Revisions may be necessary for several reasons, such as the data being too difficult to collect or interpret.
Third-Party Risk Management Program Key Performance Indicators
TPRM program KPIs serve a different purpose. These essentially demonstrate how well your organization is managing vendor risk through the various rules, tools, and processes you’re using.
Here’s a look at some of the benefits and examples of TPRM program KPIs:
- Identifies gaps or weaknesses – TPRM programs require many interrelated activities and stakeholders across different departments. KPIs can help you discover any gaps or weaknesses that are creating inefficiencies in your program.
Example: Twenty-five percent (25%) of high-risk and critical vendors are past due for risk assessments. This KPI might reveal that your current risk assessment process isn’t being monitored to ensure on-time completion.
- Enables better decision making – Gathering data from TPRM program KPIs can help reveal trends on how your organization is managing vendor risk, whether you’re focusing on a specific activity or a stage in the TPRM lifecycle.
Example: Three critical vendors were terminated in Q2. This KPI might indicate that your organization needs to re-evaluate its vendor selection process for critical vendors.
- Highlights areas of improvement – Creating a mature TPRM program requires a commitment to continuous improvement. KPIs can help determine where your program needs to improve, whether it’s a more efficient process or adding resources for your team.
Example: Sixty percent (60%) of vendor owners rated TPRM training as “poor.” TPRM resources like training and education aren’t always prioritized, which can lead to confusion and frustration for many vendor owners who don’t understand their duties and responsibilities. This KPI would be useful in showing that the current training tools require significant improvement in order to be effective.
- Improves board reporting – According to regulatory expectations and best practices, the board should be setting the tone-from-the-top for TPRM. KPI metrics can add tremendous value to board reporting by showing that your TPRM program is effective and worth the investment.
Example: Ninety-five percent (95%) of high-risk and critical vendors were approved for contract renewal. This KPI could help demonstrate that your TPRM program is effectively managing high-risk and critical vendors throughout the lifecycle and reducing the need to invest time and resources necessary for identifying, vetting, and onboarding new vendors.
Measuring KPIs for vendor performance is essential, but it’s also important to consider the effectiveness of your TPRM program. Knowing how to effectively use and implement KPIs within your TPRM program and vendor relationships is crucial. This understanding can greatly enhance your overall TPRM approach, leading to improved decision-making in your vendor relationships and internal processes.