3 Critical Components of Vendor Risk

Tweet  

  

 delicious  

  

Identifying and measuring vendor risk is an important responsibility for nearly all enterprises.  Many assume vendor risk is simply the risk associated with a supplier delivering on their commitment.  In reality the risk related to a vendor relationship is much more complex and dynamic than just their ability to deliver. Investors, regulators, and your customers increasing realize this risk and expect it to be managed.

You can view vendor risk as made up of three primary components:

1. Relationship risk: Relationship risk is the inherent risk to your business that comes out the “what” you are doing with the vendor. Key areas of risk include strategic, business process, contract, information, compliance, and geographical exposure.  As the scope of your relationship changes (e.g. change of services, information shared) so does this risk. Relationship risk should act as your risk management guide in telling you what and where to focus your efforts.
2. Business profile risk:  Business profile risk is the “Who” part of your overall vendor risk equation. It looks at the vendor business profile outside of the relationship risk factors focusing on the vendor’s business, financial, credit, geographical, and compliance profile. The vendor’s business risk profile is also dynamic due to changing financial and geographical risk factors which must be monitored.
3. Control risk:  Control risk is the “How” part of your risk equation and measures how well the vendor is delivering it’s products or services in the context of critical operational controls that protect your information assets and business processes trusted to the them.

These three components can be combined together to present an overall indicator of Vendor Risk.

Vendor Risk = f( Relationship risk, Business Profile Risk, Control Risk)

Vendor Risk Visibility Gaps

As simple as the Vendor Risk equation may appear to be it has proven to be very difficult to create in most organizations. The reason is that each component of the equation is typically being assessed and managed in individual silos with the results never really coming together. Most commonly the vendor relationship owners or “the business” is the source and responsible party for managing Relationship risk while procurement drives business profile risk and information security or compliance handles control risk.

Unfortunately, each component is not the truce indicator of vendor risk themselves; they need to be viewed together. This split responsibility makes it difficult to take a holistic view of the vendor’s total risk.  As a result, companies often have difficulty consolidating these measures into a handful of actionable indicators.  This makes them vulnerable to vendor risk even though functional teams are monitoring it.

Photo credit: lumaxart

About the Author: Chris Bell is a founder and VP of Product Management at Evantix, an on-demand risk management solution that helps companies assess, manage, and monitor risk across their complex business relationships. He builds innovative risk management solutions for the market and advises companies about how to improve their programs.  You can read more from Chris on the Evantix blog.

Webinar: How Can Risk Intelligence Help You Reduce Vendor Risk?

In this educational personal webinar, you’ll learn how Evantix’s risk intelligence solution creates a credit bureau for your vendors enabling you to make intelligence decisions about your business risk.  Register for your personal webinar today.