The 3 Questions to Ask About Your Vendor Risk Program

Published September 18, 2014   •   2 minute read

Risk consulting firm Protiviti recently published a set of questions a company should ask itself to determine whether its risk management program is on track. Several of them are directly relevant to building a vendor risk program that actually works.

Each question pushes an organization away from vague long-term goals and toward achievable objectives with clear accountability. Whether you are establishing a vendor auditing program or a supplier financial screening initiative, the following three questions are key to determining whether your risk program is on track.

1. Does our risk profile reflect the risks we face currently?

This seems like an obvious question, but it is an easy one to lose track of. Have the risks your organization faces increased or decreased over the last year? Not every risk can be forecast, but at a minimum you should compare your known risk exposure against last year's and honestly assess whether you are better prepared to deal with it now than you were twelve months ago. For example, comparing how many of your vendors are compliant with your terms and conditions today against the figure from one year ago tells you whether your overall vendor risk management approach is moving in the right direction or the wrong one.

2. Are directors and executive management on the same page in terms of risk appetite?

A winning risk program needs a cohesive vision to work towards. One approach is to replace an overly vague company mission statement about risk with a set of granular, achievable objectives, and then revisit those objectives in six months to ask whether real progress has been made. Stagnation in a risk program often stems from setting lofty goals at the outset while directors and operations managers measure success by different barometers over time, leaving nobody ultimately accountable.

This requires accountability. Companies that succeed in executing a risk program usually find ways to eliminate redundant oversight. Does a single person in your company own a particular problem or program and report on its progress? As Protiviti reports in its findings, the more institutional overlap an organization has, with multiple people or departments sharing responsibility for executing a risk program and reporting on its success, the less likely that program is to succeed.

3. Is our risk culture encouraging the right behaviors? 

This is key. If you go to the trouble of auditing every vendor who works on site at a facility, requiring each to submit updated certificates of insurance (COIs), endorsements and so on, it means nothing if nobody at the gate checks that information and vendors are let in regardless. A control that is collected but never enforced at the point of entry is not a control. Vendor standards for risk compliance must be enforced consistently; once an exception is granted, it becomes very hard to keep enforcing the standard, especially in today's environment of fast-travelling information, where a non-essential exemption for one vendor quickly leads to other vendors requesting the same.

A comprehensive risk management program must ensure that vendors are safe, compliant, insured and financially stable. This is critical to minimizing potential loss. If your vendor risk management program cannot answer the three questions above, now is the time to evaluate what needs to change.

Business Credentialing Services can help you analyze whether your risk program is passing or failing the above three questions.