3 Reasons Why Automating Vendor Risk Management Can Fail
How many vendors will break the camel’s back? At some point, whether it’s 10, 100 or 1,000, organizations look for an automated solution that helps them execute their vendor risk management program more effectively. SAI360’s VRM expert discusses why these projects can fail in a blog post written with SecurityScorecard.
The decision to evaluate vendor risk management software is the right one. However, the assumption that it will solve all problems isn’t.
A successful vendor risk management program combines efficient vendor onboarding, compliance training, automated assessments, security rating services and continuous monitoring. Not every technology deployment for a VRM program runs smoothly, and every implementation produces lessons learned. From our experience, we’ve identified three key challenges to a successful deployment.
Before you sign on the dotted line, ensure you avoid these three missteps that can cause automation of your vendor risk management program to fail.
1. Who are your vendors anyway?
Step one to set up a successful vendor risk management program is knowing who all your vendors are. Not just the vendors that you know about — all your vendors. And for some organizations, that can be a big gap. Start by collecting a list of the vendors you do know. Then share that list with your organization’s departments and have them add any missing vendors. Then watch as your list doubles and sometimes triples.
Once you have a full list, add them to your vendor risk management solution to ensure you have the key information you need about each vendor, such as contact information and contract length. By keeping these data points in a centralized database, you can more easily stay on top of changes and reach out to the right stakeholders and contacts when needed. Plus, this process helps you get other departments involved so your team is included when changes are made or when a new vendor is evaluated.
2. All vendor data is a top priority
False: you can’t collect every data point about every vendor all at once. Having all your vendors entered in your vendor risk management software doesn’t mean you need to send each of them a 1,000-question assessment. Start with a small batch of about 20 vendors and send them a customized questionnaire. As responses come back, you will see which questions were redundant and which demanded long, overly detailed answers and simply went unanswered.
We’ve seen that, over time, more mature vendor risk programs have fewer questions because they have a more fine-tuned understanding of what information their business needs and what their vendors will tolerate.
Starting small and growing applies to both the number of questionnaires you should send out as well as the platform itself. Vendor risk management software is typically designed to be configured to meet your current requirements and grow with you. As you use the system more, you can decide which integrations you want to add or which types of reports you need. Doing too much configuration before you use the software will slow down the implementation process and will likely result in more changes later.
3. Even vendors are human — manners matter
No one wakes up in the morning wanting to complete a 1,000-question assessment. Still, it is part of many people’s jobs and an important part of doing business. So consider the barriers your key vendor contacts face just to get started: creating login information and credentials, handling attachments, and hitting session time-outs while they research answers. None of these should be hurdles in your intake process; they create frustration and considerably delay responses.
With a vendor portal as part of a vendor risk management solution, vendors do not have to create a login. Instead, they receive an automated email containing a pre-configured identification link that signs them in. Note that this makes the link itself the credential: anyone holding the email can open the questionnaire, so the link should be unguessable, tied to a single vendor and questionnaire, time-limited and ideally single-use. You’ll be able to track their status and automate reminders, ensuring nothing falls through the cracks. Depending on the answers they provide, you can more readily determine a vendor’s criticality and whether additional questionnaires are required.
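To make the point concrete, here is an added example of how such an emailed questionnaire link can be issued and checked so that it is safe to use as the only credential. This is illustration code written for this post, not SAI360’s or SecurityScorecard’s portal implementation; the portal URL `vrm.example.com`, the claim names, the class `QuestionnaireLinks` and the helper `tamper` are all assumptions. The link carries signed claims (vendor, questionnaire, expiry, random nonce) and the portal records the nonce on first use, so a forwarded, leaked or edited link is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class QuestionnaireLinks:
    """Issue and redeem emailed questionnaire links that act as the vendor's credential.

    Each link carries HMAC-signed claims (vendor, questionnaire, expiry, nonce), so the
    portal can verify it without a vendor account. The nonce is recorded on first use so
    a forwarded or leaked link cannot be replayed. Names and URL are assumptions.
    """

    SIG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag appended to the claims

    def __init__(self, key: bytes, base_url: str = "https://vrm.example.com/q/"):
        self._key = key              # server-side secret; never leaves the portal
        self._base_url = base_url    # hypothetical portal URL (assumption)
        self._redeemed = set()       # nonces already used (a DB table in practice)

    def _sign(self, raw: bytes) -> bytes:
        return hmac.new(self._key, raw, hashlib.sha256).digest()

    def issue(self, vendor_id, questionnaire_id, ttl_seconds=7 * 24 * 3600, now=None):
        """Build a link valid for one vendor/questionnaire pair until now + ttl."""
        now = int(time.time()) if now is None else int(now)
        claims = {
            "vendor": vendor_id,
            "questionnaire": questionnaire_id,
            "exp": now + ttl_seconds,
            "nonce": secrets.token_urlsafe(16),   # 128 random bits: unguessable
        }
        raw = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        token = base64.urlsafe_b64encode(raw + self._sign(raw)).rstrip(b"=").decode()
        return self._base_url + token

    def redeem(self, url, now=None):
        """Return (claims, None) if the link is accepted, else (None, reason)."""
        now = int(time.time()) if now is None else int(now)
        if not url.startswith(self._base_url):
            return None, "unknown host"
        token = url[len(self._base_url):]
        try:
            blob = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:
            return None, "malformed"
        if len(blob) <= self.SIG_LEN:
            return None, "malformed"
        raw, sig = blob[:-self.SIG_LEN], blob[-self.SIG_LEN:]
        # Constant-time compare before trusting any of the claims.
        if not hmac.compare_digest(sig, self._sign(raw)):
            return None, "bad signature"
        claims = json.loads(raw)
        if now >= claims["exp"]:
            return None, "expired"
        if claims["nonce"] in self._redeemed:
            return None, "already used"
        self._redeemed.add(claims["nonce"])
        return claims, None


def tamper(url, index=40):
    """Change one character inside the token, as an edited or forged link would."""
    c = url[index]
    return url[:index] + ("A" if c != "A" else "B") + url[index + 1:]


if __name__ == "__main__":
    portal = QuestionnaireLinks(secrets.token_bytes(32))
    link = portal.issue("vendor-0042", "sig-lite-2024", ttl_seconds=3600, now=1_000)
    print(link)
    print(portal.redeem(link, now=1_100))          # accepted, claims returned
    print(portal.redeem(link, now=1_200))          # rejected: already used
    print(portal.redeem(tamper(link), now=1_100))  # rejected: bad signature
```

When evaluating a portal, these are the behaviours to ask the vendor to demonstrate: a link opened twice is refused the second time, an edited link is refused, an old link expires, and a link minted for one questionnaire cannot open another. Whether the product does this internally is something the demo and references mentioned below should confirm, not something to assume.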
Choose the solution that fits your business needs
When assessing vendor risk management technology, rely on more than one source of information to ensure the software you select meets your own business requirements, today and in the future. You should see a product demo, ask for customer references, and read user reviews such as those on G2 Crowd.
The same advice to use multiple data inputs applies to your vendor assessments. Questionnaire responses are one source of data. By integrating your vendor risk management tool with SecurityScorecard, you can continuously monitor your vendors by tracking real-time changes to their cybersecurity scores. A lower rating helps you identify the high-priority vendors that need more intensive assessments, such as penetration tests or on-site assessments. Because the system is always monitoring for new data, you are alerted when a vendor is reported compromised or when its security rating decreases.
This blog was originally published on SecurityScorecard.
Learn more about our VRM solution. Or, contact us to see how SAI360 has helped organizations like yours.