What is Vendor Risk Management?
Organizations often rely on a collection of vendors to perform day-to-day business operations. Vendor Risk Management (VRM) is the process of ensuring that those vendors do not create an unacceptable potential (or risk) for business disruption or lead to a negative impact on business performance. Here is a simple example:
A grocery store named Managed Foods has a relationship with a farmer in Iowa. That farmer, let’s call him Joe, has an outbreak of E. coli at his farm that contaminates the lettuce he sold to Managed Foods. Some customers get sick: everybody loses. Managed Foods interviews Joe and finds out that his lettuce crops were downhill from his cows. Rainwater washed the cows’ waste downhill and contaminated the lettuce. So Managed Foods sets up a questionnaire to send to their other farmers. Do any other vendors have crops downhill from cows? Based on their responses, Managed Foods can assign risk ratings for potential E. coli outbreaks at each farm (or vendor) they do business with. During their annual survey of vendors, it turns out one of their vendors expanded lettuce operations and now borders a nearby farmer’s dairy operation. Managed Foods decides to stop buying lettuce from that vendor, just months before that farm experiences an E. coli outbreak. Crisis averted!
VRM is the process by which organizations (such as Managed Foods) assess, monitor, and manage the risk (such as an E. coli outbreak) associated with a vendor (such as a farm). It establishes an understood risk level for each vendor and allows the organization to take the necessary action. Tolerance for those risk levels varies by organization, based on organizational policy and regulatory obligations.
What does ServiceNow do to help?
ServiceNow assists risk management teams by automating parts of the vendor risk management lifecycle. In addition to automation, it provides a centralized hub for each step of the Vendor Risk Management process.
1. Identify the vendor to assess
The vendor risk team can either set up a new vendor record or select an existing vendor to assess. This is a vendor whose potential impact on the business the organization wants to understand better.
Identify existing vendor based on reporting or create a new vendor record
Update vendor information or add contacts
2. Assign a Tiering Assessment to Set Vendor Tier
The vendor risk team performs a tiering assessment based on its knowledge of the vendor, so that the vendor tier can be established. (Note: a tiering assessment is not always required.)
Set up a Tiering Assessment Record
Select the assessment to attach
Review the Assessment setup
Send to the assessors within the organization to complete
Analyze the completed Tiering Assessment
Accept or Modify the initial vendor tier (minor, low, moderate, high, critical)
3. Send Vendor Questionnaire
Submit the assessment to the vendor to be completed through the vendor portal. These assessments are based on templates that combine questionnaires and document requests. Different assessments can be used, and each is completed by the vendor contact.
Trigger an assessment from the tiering assessment or create an assessment as required
Attach the Assessment Template
Review the Assessment Record
Submit to the Vendor through the vendor portal
4. Review Vendor Response
Once the assessment is completed by the vendor, it is submitted back to the organization so that the vendor management team can review it. The team analyzes the vendor response to generate observations.
Vendor receives the notification of the Assessment with a link to the vendor portal
Vendor completes the assessment and attaches relevant files based on the template
Address any issues or tasks on the portal
5. Remediate Issues
The observations generated from the vendor response may identify unsatisfactory results. These results require further internal investigation by the vendor risk team before the relationship can advance.
Organization receives the completed assessment and generates observations
Create Issues and tasks as required
Send Issues to the vendor to complete
Create internal tasks for the organization as required
6. Monitor Vendors (Continuous)
Once the vendor assessment is complete, ongoing monitoring can take place. This involves reviewing the vendor overview dashboard to drive future engagements with the vendor. The monitoring process can also be used to track the progress of issues and tasks that are still open.
Use dashboards and reports to check on the state of vendors, assessments, issues
Trigger new assessments, issues and tasks as required
How does it work?
Watch this video for an end-to-end demo of the ServiceNow Vendor Risk Management application, presented by Phillip Roach.
Need Help with Vendor Risk Management?
No matter where you are on your maturity journey, Cerna Solutions has you covered when it comes to managing vendor risk on the ServiceNow platform. Recognized as a ServiceNow "Elite" partner, we are a team of 100% US-based ServiceNow professionals who specialize in ServiceNow Vulnerability Response. Our approach to Security Operations has earned us a repeat customer rate of 91%, and a customer satisfaction score of 9.7/10. Learn more about our Integrated Risk experience or contact us for more information.