Business Driven Vendor Risk Assessment Template

The pace and level of outsourcing, although slowed in the past few years, continues to grow, with almost no business processes left untouched. Outsourcing decisions often occur under the radar with limited risk management oversight. In addition, it is quite common to perform a risk assessment after a contract has been signed, leaving a company with very little leverage to address critical audit findings. In an ideal world, risk assessments should be performed before the contracts are signed so that the requirement to correct critical findings makes its way into the contract between the parties.
These relationships also tend to evolve rapidly from a risk perspective as the scope and location of services change to accommodate business needs. The risk assessment templates traditionally used to manage this risk simply cannot keep pace or produce any type of actionable output for the business. Furthermore, these risk assessment templates typically require the active participation of a professional “risk manager”, which is a scarce resource in most businesses, if they have one at all!
What’s the solution? Use a risk assessment template written in business terms that:
- Is integrated into the business process for “business buyers” to execute
- Informs the buyer of the risks their purchase presents and
- Gives them clear guidance as to what they MUST do to manage this risk
In constructing this business driven risk assessment template, here is a general five step approach to help you get started:
Step 1- Policy
Develop and communicate a policy that requires all vendor relationships of a certain nature (e.g. involve sharing of information or outsourcing certain business processes) be registered and a risk assessment performed by the relationship owner prior to approval or renewal.
Step 2- Questions
Develop the universe of risk factors (e.g. information exposure, compliance exposure, strategic value) you want to manage and translate them into questions the business relationship owner can understand. For example, the compliance risk around Payment Card Industry (PCI) requirements for protecting cardholder data is translated as “Are you sharing credit card data with the vendor?” as opposed to “Does the relationship require compliance with PCI?”.
Step 3- Score
Score the questions and answers relative to each other from a risk perspective so that the results can be:
- Compared against other relationships to give you a portfolio view
- Tracked over time as the scope of the relationship changes and
- Aggregated with the total population of relationships for portfolio analysis
Step 4- Guidance
Based on the specific results of individual questions and the overall score, develop a set of required actions or guidance the business owner must take (e.g. assess/confirm the vendor’s compliance with PCI).
Step 5- Integrate
Look at the touch points within your business environment where buyers must interface (e.g. procurement and legal) and integrate the risk assessment template and supporting process for best results at those points.
Remember, the Business Driven Vendor Risk Assessment Template is all about integrating risk management into the outsourcing/procurement process by giving the relationship owners the tools and guidance to act as front-line risk managers.
About the Author: Chris Bell is a founder and VP of Product Management at Evantix, which provides an on-demand risk management solution that helps companies assess, manage, and monitor risk across their complex business relationships. He builds innovative risk management solutions for the market and advises companies about how to improve their programs. You can read more from Chris on the Evantix blog.