Vendor coverage is something that all organisations think about, but with finite resources, it’s difficult to optimise your vendor portfolio by rigorously assessing every single supplier. We will explore vendor coverage and how organisations can best identify third-party vendors that come with a high level of risk.
To begin, you should first address whether you have a clear picture of your vendors within your business? If the answer is “no,” this is a great place to start. Before any progress can be made to the assessment process, you need to be aware of what suppliers are working with your company and what goods and services they provide you. Without this data, you won’t know what you should be assessing! To address this, you should collect a list of your known vendors from procurement and add them to your vendor register. Key information such as the goods and service vendors provide and contact should be recorded.
Now you have your list, we should address the elephant in the room. You won’t have the option to assess all your vendors every year without a huge team. Therefore, it would help if you were aiming to get as close to 100% coverage of understanding your vendors while remaining realistic. Often businesses assess the top 25% of vendors by financial status, this is because there is usually a risk in the vendors you spend the most money with, and so we consider that a key factor. Although there are different angles to consider, we would suggest organisations developing a simple and repeatable strategy to quickly categorise vendors, often called a tiering assessment, to help with this.
It is critical to understand from the outset that while you should be aiming to achieve 100% coverage, this doesn’t mean evaluating every vendor. For most companies, it would be impractical to plan, test, evaluate, and remediate findings from each vendor on an annual basis. But because tiering provides you with an indicative importance and risk level of the vendor to your business, you can focus and put resources into the ones that matter most to you.
A fit for purpose tiering assessment should remove “gut feel,” be consistent, and ensure a focus on what matters to the business. Your tiering assessment should focus on key risk factors that could have a critical impact on your business. These factors might include things like:
One way to approach the assessment is using simple scores weighted against the factors as part of the tiering process, enabling you to successfully rank vendors with increasing trust levels such as Informal, Trusted, Partner, or Strategic. This will allow your third-party risk team to understand and prioritise their efforts to establish and assure trust.
You know who the vendors are, you have worked out the priorities and the activities. You now need to create the process to execute this. Every business will have an approach explicit to its requirements, but most have the following components.
Note: You must understand that a one size fits all assessment process simply won’t work. You should adjust questions directly to specific vendors depending on their individual risk profiles. For example, you wouldn’t have any desire to ask a technology vendor the same 50 questions you posed to your office supplier. It’s one of the numerous ways you can tailor tiered assessments to work for your company and significantly lessen its vulnerability.
To conclude, in most businesses, it’s not realistic to aim for 100% assessment of all vendors, however, you can strive to understand all your vendors and achieve that 100% coverage.
SureCloud is a provider of cloud-based, Integrated Risk Management (IRM) products, Cybersecurity, and Risk Advisory services, which reinvent the way you manage risk. SureCloud connects the dots with IRM solutions enabling you to make better decisions and achieve your desired business outcomes. SureCloud is underpinned by a highly configurable technology platform, which is simple, intuitive, and flexible. Unlike other GRC Platform providers, SureCloud is adaptable enough to fit your current business processes without forcing you to make concessions during implementation; meaning you get immediate and sustained value from the outset.