While third-party risk management (TPRM) doesn't usually generate revenue, it does enhance the bottom line. Some of your vendors can be categorized as high value, especially when they deliver strategic advantages to your organization and support your business objectives. On the other hand, some vendors may be considered low value because of their operational inefficiencies or risky behavior.
By understanding which of your vendors deliver the most value to your organization, you can improve your bottom line strategy. Let's review some attributes of low-value and high-value vendors and some of the TPRM practices used to evaluate these criteria.
Three Values TPRM Brings Your Organization
To start, here are three ways effective TPRM brings value to your organization:
- Gives you a reliable method for sorting, risk rating and assessing your vendors
- Enables your organization to evaluate vendor value vs. vendor spend
- Allows you to make more informed strategic and tactical decisions regarding any low-value vendors that you may need to reconsider
Low-Value Vendors: How to Identify Them and Next Steps
Vendors may be considered low value based on the products and services they provide or their operational inefficiencies. By keeping these vendors in your inventory, you may be facing costly issues down the road, thus harming your bottom line.
Consider whether any of your vendors fall into these categories and establish next steps:
- The vendor delivers limited, redundant or outdated products/services. Do you rely on a vendor to provide a single product or service? Maybe the vendor has other offerings, but they're irrelevant or outdated. Sometimes the best course of action is to consolidate your vendors to only those that provide a more comprehensive range of the products and services your organization utilizes.
A strategic next step: Keep an updated list of all vendors and their products and services to improve vendor visibility and enable better purchasing practices.
- The vendor has a slow and ineffective approach when responding to issues and incidents. Dealing with unresponsive vendors can be frustrating and risky, especially when resolving a security incident. If you constantly have to chase down a vendor to get answers and updates, it's probably time to reassess that vendor's value.
A strategic next step: Record the vendor's response and timing for all issues and incidents as part of ongoing monitoring to assess one-time occurrences vs. a recurring trend.
- The vendor makes excuses rather than improvements. No vendor is perfect and some vendors might miss the mark occasionally. Suppose you call out poor performance or a missed service level agreement (SLA) and your vendor responds with stalling tactics and a litany of excuses rather than a specific and actionable remediation plan. In that case, it's a good bet you are dealing with a low-value vendor.
A strategic next step: Regularly schedule performance reviews and reporting to reinforce the message that performance matters. Include the expectation that any declining performance must be effectively resolved ASAP.
- The vendor had a breach but waited to tell you because they weren't sure if your organization's data had been compromised. Incidents and breaches are very costly and can damage your reputation. Vendors who don’t have adequate preventative and detective data security controls for your data are high liability and low value.
A strategic next step: Perform robust due diligence and periodic risk reviews to enable better visibility into ineffective, missing or declining vendor security controls. Keep track of where your data is and what kind of data each vendor has access to.
High-Value Vendors: How to Identify Them and Ensure Continued Performance
High-value vendors aren't necessarily defined by cost, but rather by the strategic advantages they provide to an organization.
The following examples reveal how high-value vendors can support an organization's goals and ways to validate continued high performance:
- The vendor aligns with your business objectives. Vendors who consistently deliver high-quality products and services while meeting required service levels are essential components of success. Developing solid partnerships with your best vendors can benefit both organizations and add value for the long term.
Ongoing TPRM practice: Keep a constant eye on the vendor's risk and performance through ongoing monitoring.
- The vendor enhances your business continuity and disaster recovery planning. Business-disrupting events can quickly derail an organization's operations, so your vendors must be able to support your business continuity (BC) and disaster recovery (DR) plans. High-value vendors will have their own BC/DR plans in place to ensure they can continue providing products and services to your organization. They'll also readily participate in your organization's BC/DR planning and testing when required.
Ongoing TPRM practice: Continue to review BC/DR plans as part of due diligence and thereafter through periodic risk reviews. Pay particular attention to critical vendors, ensuring they have well-documented and tested plans.
- The vendor demonstrates a commitment to constant improvement and innovation. If you have a vendor that proactively looks for ways to enhance service, reduce processing time or save money, that is a high-value vendor. As the ones delivering the product or service, vendors often have the best insight into what’s working, what's not working, and possible improvements that can be made. Take notice of vendors who come to the table with ideas for improvement and innovation.
Ongoing TPRM practice: Encourage your vendors to partner in the performance monitoring process and provide time on the agenda for the vendor to present ideas during your regular performance reviews.
Best Practices for Monitoring High-Value Vendors
Keep track of a high-value vendor’s performance and pay attention to any new or emerging risks for the vendor and their industry. Effective monitoring of any vendor relationship is essential and will help your organization maintain an inventory of good quality, high-value vendors.
Keep the following practices in mind:
- SLA tracking: Consider using a platform to automate SLA tracking. When any issues arise, you'll be notified quickly so you can take action as needed.
- Regular reporting: Delivering regular reports to senior management and the board keeps them informed of high-value vendor activity.
- Utilizing risk alert and monitoring services: Subscriptions to these services provide you with continuous real-time alerts and notifications on your high-value vendors in between formal risk and performance reviews.
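The article recommends recording each vendor's response timing for issues and incidents (to separate a one-time occurrence from a recurring trend) and automating SLA tracking. The script below is an added illustration of that practice, not code from the article or from any TPRM platform. The severity-based response-time SLA thresholds, the 90-day review window, the "recurring" threshold of two misses, and every vendor and incident record are constructed assumptions; a real deployment would read the records from the organization's incident or ticketing system.

```python
"""SLA response-time tracking over constructed vendor incident records.

Added example (not from the original article). It records how long each
vendor took to respond to an issue, compares that against an assumed SLA
per severity, and classifies each vendor's recent history as on track,
a one-time miss, or a recurring pattern of misses.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed SLA: maximum hours a vendor may take to first respond, by severity.
# These thresholds are illustrative, not taken from the article.
SLA_RESPONSE_HOURS = {"critical": 1, "high": 4, "medium": 24, "low": 72}


@dataclass(frozen=True)
class Incident:
    vendor: str
    severity: str
    reported: datetime   # when the issue was raised with the vendor
    responded: datetime  # when the vendor first substantively responded


def response_hours(inc: Incident) -> float:
    """Elapsed hours between raising the issue and the vendor's response."""
    return (inc.responded - inc.reported).total_seconds() / 3600


def missed_sla(inc: Incident) -> bool:
    """True when the response took longer than the SLA allows for its severity."""
    return response_hours(inc) > SLA_RESPONSE_HOURS[inc.severity]


def classify_vendor(incidents, vendor, as_of, window_days=90, recurring_threshold=2):
    """Classify a vendor's SLA record within the review window ending at `as_of`.

    Returns 'no_incidents', 'on_track', 'one_time_miss' or 'recurring_misses'.
    Only incidents reported inside the window count, so an old miss that has
    not repeated does not keep dragging the vendor's status down.
    """
    window_start = as_of - timedelta(days=window_days)
    recent = [i for i in incidents
              if i.vendor == vendor and window_start <= i.reported <= as_of]
    if not recent:
        return "no_incidents"
    misses = sum(missed_sla(i) for i in recent)
    if misses == 0:
        return "on_track"
    if misses < recurring_threshold:
        return "one_time_miss"
    return "recurring_misses"


def vendor_report(incidents, as_of):
    """Per-vendor summary for a performance review: counts, worst response, status."""
    report = {}
    for vendor in sorted({i.vendor for i in incidents}):
        own = [i for i in incidents if i.vendor == vendor]
        report[vendor] = {
            "incidents_all_time": len(own),
            "sla_misses_all_time": sum(missed_sla(i) for i in own),
            "worst_response_hours": max(response_hours(i) for i in own),
            "status": classify_vendor(incidents, vendor, as_of),
        }
    return report


# Constructed sample records (hypothetical vendors and incidents).
AS_OF = datetime(2024, 6, 30)
SAMPLE_INCIDENTS = [
    Incident("Vendor A", "critical", datetime(2024, 5, 2, 9, 0), datetime(2024, 5, 2, 9, 40)),
    Incident("Vendor A", "high", datetime(2024, 6, 10, 14, 0), datetime(2024, 6, 10, 16, 30)),
    Incident("Vendor B", "high", datetime(2024, 4, 20, 8, 0), datetime(2024, 4, 20, 20, 0)),   # 12h, misses 4h SLA
    Incident("Vendor B", "medium", datetime(2024, 5, 15, 8, 0), datetime(2024, 5, 17, 8, 0)),  # 48h, misses 24h SLA
    Incident("Vendor B", "critical", datetime(2024, 6, 1, 8, 0), datetime(2024, 6, 1, 8, 30)),
    Incident("Vendor C", "medium", datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 3, 8, 0)),    # old miss, outside window
    Incident("Vendor C", "low", datetime(2024, 6, 5, 8, 0), datetime(2024, 6, 6, 8, 0)),
    Incident("Vendor D", "low", datetime(2024, 6, 20, 8, 0), datetime(2024, 6, 24, 8, 0)),     # 96h, misses 72h SLA
]

if __name__ == "__main__":
    for vendor, row in vendor_report(SAMPLE_INCIDENTS, AS_OF).items():
        print(vendor, row)
```

Run as a script, the report flags Vendor B as recurring_misses (two SLA misses inside the window), Vendor D as a one_time_miss, and Vendors A and C as on_track, even though Vendor C has an all-time miss on record. Keeping the windowed status separate from the all-time counts is deliberate: the review meeting can see both the current trend and the full history.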
These examples hardly scratch the surface of how to identify your high-value and low-value vendors. Every organization is unique but should have methods to determine whether its vendors actually deliver their expected value. Having current, objective and accessible vendor risk and performance data enables your organization to identify those high-value vendors that present good partnership opportunities. This data can also help you pinpoint low-value vendors that should be addressed. Investing in effective third-party risk management tools and processes is a great way to enhance your bottom line and deliver more value to the organization.