Business Driven Vendor Risk Assessment Template

The pace and level of outsourcing has continued to evolve and now includes any and all business areas and cloud services. Outsourcing decisions often occur under the radar focusing on the economics of the agreement and not risk management oversight. In these scenarios, it is quite common to perform a risk assessment after a contract has been signed leaving a company with very little leverage to address critical audit findings. In an ideal world, risk assessments should be performed before the contracts are signed so that the requirement to correct critical findings makes its way into the contract between the parties.

New relationships of this manner tend to evolve rapidly from a risk perspective as the scope and location of services changes to accommodate business needs. The risk assessment templates traditionally used to manage vendor risk simply cannot keep pace or produce any type of actionable output for the business. Furthermore, these risk assessment templates typically require the active participation of a professional “risk manager” which is a scarce resource in most businesses if they have one at all!

What’s the solution? Use a risk assessment template written in business terms that:

• Is integrated into the business process for “business buyers” to execute;
• Informs the buyer of the risks their purchase presents; and
• Gives your organization clear guidance as to what they MUST do to manage this risk.  

Here is a general five step approach to help you get started on an effective business driven risk assessment template:

Step 1- Policy

Develop and communicate a policy that requires all vendor relationships of a certain nature (e.g. those that involve sharing of information or outsourcing certain business processes) be registered and a risk assessment performed by the relationship owner prior to approval or renewal. While this sounds easy it could be something that takes months to complete. A trick is to focus on the procurement team(s) and help them to establish the practice of performing risk assessments for large contracts or contracts with certain business or information impact. Also, assist your contracts team and work with legal to get standard language to support assessments and remediation. 

Step 2- Questions

Develop the universe of risk factors (e.g. information exposure, compliance exposure, strategic value) that compels you to manage and translate controls into the form of questions the business relationship owner can understand. For example, risk of compliance to the Payment Card Industry (PCI) for protecting card holder data is translated as “Are you sharing credit card data with the vendor?” as opposed to “Does the relationship require compliance with PCI?”.

Step 3- Score

Score the questions and answers relative to each other from a risk perspective so that the results can be:

• Compared against other relationships to give you a portfolio view;
• Tracked over time as the scope of the relationship changes; and
• Aggregated with the total population of relationships for portfolio analysis.

Step 4- Guidance

Based on specific results of individual questions and the overall score, develop a set of required actions or guidance the business owner must take (e.g. assess/confirm the vendor’s compliance with PCI). Make sure these are in alignment with the contractual language. It is also a good practice to try to establish connections with your peer if you have not already.

Step 5- Integrate

Look at the touch points within your business environment where buyers must interface (e.g. procurement and legal) and integrate the risk assessment template and supporting process for best results at those points. 

Remember, the business-driven vendor risk assessment template is all about integrating risk management into the outsourcing/procurement process by giving the relationship owners the tools and guidance to act as front-line risk managers.