5 Ways to Use a Supplier Scorecard to Manage Risk
There are various definitions for "supplier scorecard," but in the case of enterprise risk, it's a management report that includes key performance indicators (KPIs) measuring key areas of risk for a supplier or vendor. The International Association for Contract and Commercial Management article Taking Charge of Supplier Risk states, "Scorecard solutions can help improve the efficiency and effectiveness of a risk management program. Getting greater visibility and control over existing contracts can be the quickest, most substantial contribution your organization can make to mitigating supplier risk."
Applied correctly, supplier scorecards can be a powerful tool to mitigate vendor risk. Here are five ways to use supplier scorecards to manage your risk:
1. Improving Initial Supplier Selection
The supplier scorecard can weed out risky suppliers from your selection process because only those with mature controls will likely agree to provide the KPIs used in your scorecard. A supplier with a mature risk management or information security program should be able to easily provide the data. Because the supplier is already measuring internal KPIs, they should be willing to agree to your scorecard. An unwillingness to participate in your scorecard may be a red flag for issues down the road.
2. Measuring the True Cost of Supplier Relationships
You can use the results from the supplier scorecard to adjust the quoted product or service price from potential suppliers based on risk. This helps to assess the true overall cost of each potential supplier relationship. For example, a vendor with very poor IT risk controls will have a much higher probability of some kind of breach. Using industry averages for the cost of a breach, you might calculate that the relationship is going to cost an additional $200,000 if a breach occurs. Any price discount you may be receiving from this supplier should then be adjusted by that extra risk premium.
3. Providing Supplier Incentives
Build penalties and rewards into supplier contracts based on meeting or missing risk-based KPIs. For example, you could assess penalties for exceeding certain measures in the supplier scorecard. You may also provide a bonus for staying within a defined threshold. The scorecard acts like an independent arbiter—something not possible without a supplier scorecard.
4. Managing Your Supplier Portfolio
You can use a supplier scorecard to monitor which suppliers exceed the level of risk your organization is willing to tolerate. When contracts come up for renewal, these measures help determine which suppliers are too risky, so you can shift business to suppliers that carry less risk. Suppliers are a component of your total risk, so removing especially risky suppliers improves your own risk posture.
5. Focusing Your Supplier Risk Assessment Efforts
Most companies that rely on critical supplier relationships have some type of risk management program for regularly auditing suppliers. Supplier scorecards let you determine which suppliers should receive the most risk mitigation resources. For vendors that contribute an acceptable amount of risk to your business, you may decide to reduce the frequency with which they are audited. As a result, you reduce your overall risk mitigation expenses by focusing only on those vendors that meet your risk criteria.
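The following is an added worked example, not code from the article or its author, showing how a scorecard of the kind described above can drive the decisions in sections 2, 4 and 5 (and, by scoring unreported KPIs as worst case, section 1). Every KPI, weight, reference value, breach-cost figure, risk-tolerance threshold and supplier is a constructed assumption chosen to make the arithmetic easy to follow; replace them with your own measures and industry figures.

```python
"""Constructed supplier-scorecard model: KPI values -> weighted risk score ->
expected loss, risk-adjusted price, tolerance check and audit cadence.
All numbers below are assumptions for illustration, not industry data."""
from dataclasses import dataclass, field

# KPI name -> (weight, reference "worst acceptable" value, higher_is_better).
# Weights sum to 1.0. Names and reference values are assumptions.
KPI_SPECS = {
    "critical_patch_days": (0.30, 90.0, False),    # mean days to patch critical vulnerabilities
    "privileged_mfa_pct": (0.25, 100.0, True),     # % of privileged accounts behind MFA
    "open_high_findings": (0.25, 10.0, False),     # unresolved high-severity audit findings
    "incident_notify_hours": (0.20, 72.0, False),  # contractual breach-notification time
}

# Assumed parameters for turning a score into money (placeholders, not industry averages).
MAX_ANNUAL_BREACH_PROBABILITY = 0.25   # probability assigned to a supplier scoring 1.0
AVERAGE_BREACH_COST = 1_000_000.0      # stand-in for the "industry average" cost of a breach
RISK_TOLERANCE = 0.50                  # scores above this exceed the organization's appetite


def kpi_risk(name: str, value: float) -> float:
    """Map one raw KPI value to a 0..1 risk contribution (0 = best, 1 = at or beyond the worst value)."""
    _, worst, higher_is_better = KPI_SPECS[name]
    ratio = min(max(value / worst, 0.0), 1.0)
    return 1.0 - ratio if higher_is_better else ratio


def scorecard_score(kpis: dict) -> float:
    """Weighted 0..1 risk score. A KPI the supplier does not report counts as worst case,
    so an unwilling or unable supplier cannot score well (section 1's red flag)."""
    total = 0.0
    for name, (weight, _, _) in KPI_SPECS.items():
        risk = kpi_risk(name, kpis[name]) if name in kpis else 1.0
        total += weight * risk
    return total


def expected_annual_loss(score: float) -> float:
    """Section 2: score -> breach probability -> expected loss using the assumed average breach cost."""
    return score * MAX_ANNUAL_BREACH_PROBABILITY * AVERAGE_BREACH_COST


def risk_adjusted_cost(quoted_price: float, score: float) -> float:
    """Section 2: the quoted price plus the risk premium implied by the scorecard."""
    return quoted_price + expected_annual_loss(score)


def exceeds_tolerance(score: float) -> bool:
    """Section 4: flag suppliers above the organization's risk tolerance for renewal decisions."""
    return score > RISK_TOLERANCE


def audit_interval_months(score: float) -> int:
    """Section 5: audit low-risk suppliers less often, high-risk suppliers more often."""
    if score < 0.25:
        return 12
    if score < 0.50:
        return 6
    return 3


@dataclass
class Supplier:
    name: str
    quoted_price: float
    kpis: dict = field(default_factory=dict)


# Constructed sample suppliers (names and figures are made up for this example).
SUPPLIERS = [
    Supplier("Alpha Hosting", 550_000.0, {
        "critical_patch_days": 14.0, "privileged_mfa_pct": 100.0,
        "open_high_findings": 1.0, "incident_notify_hours": 24.0}),
    Supplier("Beta Logistics", 500_000.0, {
        "critical_patch_days": 60.0, "privileged_mfa_pct": 40.0,
        "open_high_findings": 6.0, "incident_notify_hours": 72.0}),
    # Gamma quoted the lowest price but declined to report three of the four KPIs.
    Supplier("Gamma Analytics", 480_000.0, {"critical_patch_days": 30.0}),
]


def evaluate(supplier: Supplier) -> dict:
    """Produce one scorecard row for a supplier."""
    score = scorecard_score(supplier.kpis)
    return {
        "name": supplier.name,
        "score": round(score, 3),
        "expected_loss": round(expected_annual_loss(score), 2),
        "adjusted_cost": round(risk_adjusted_cost(supplier.quoted_price, score), 2),
        "over_tolerance": exceeds_tolerance(score),
        "audit_months": audit_interval_months(score),
    }


if __name__ == "__main__":
    for s in SUPPLIERS:
        print(evaluate(s))
```

With these assumptions, Beta's cheaper quote becomes the more expensive relationship once the risk premium is added (675,000 versus Alpha's 584,583), Gamma's unreported KPIs push it to the top of the risk scale and a quarterly audit cadence, and only Alpha falls within tolerance. The point is the shape of the model rather than the figures: the same scorecard feeds selection, pricing, portfolio and audit-planning decisions from one set of KPIs.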
What are some other ways you’ve used supplier scorecards to manage risk?
About the Author: Bradley J. Schaufenbuel, CISSP, CRISC, is Senior Vice President and Chief Information Security & Privacy Officer at Midwest Bank – Now Part of FirstMerit Bank, N.A. He is a regular speaker at industry conferences and has authored numerous books and professional journal articles on topics related to information security and I.T. risk management.