Vendor management policies are especially important for enterprises. Vendor management policies assess and manage company risk. It asks companies to estimate how much vendor risk they are willing to take.
However, organisational risk is vast. How can companies quantify risk? The solution comes from an unexpected place.
NASA has a perfect risk assessment method for corporations, according to Ness Labs. In “Managing risk with the NASA Risk Matrix,” Ness Labs described how NASA scientists assess and manage business risk.
NASA’s Risk Matrix is remarkably simple and approachable for a rocket science organisation. After you understand the concept, the Risk Matrix can help your firm measure vendor risk and make better vendor selection decisions.
Defining NASA’s risk matrix
Risk conceptualization, navigation, and mitigation are crucial to science and space exploration. NASA scientists and researchers created the Risk Matrix as a simple picture to help their teams understand risk.
Risk is measured by likelihood and consequence in the graph.
After identifying a danger, ask two questions: How likely is it to occur and how severe are the consequences?
NASA’s Risk Matrix logic isn’t unique. Any risk assessor can utilise it.
What’s at stake while using vendors?
Implementing vendor management policies are crucial since working with vendors entails several hazards. The biggest risks are business continuity, reputation, and data security.
While discussing these three major risks, we’ll also explore vendor risk assessments.
Knowing the risks involved with third-party vendor risk management policies is helpful.
A third-party risk assessment questionnaire can assist companies identify outsourcing risks. The questions below can help you create a security or supplier risk questionnaire, however each questionnaire should be customised.
Company continuity
Deloitte found that 87% of organisations “have experienced an incident with a third party that disrupted their operations.” Late delivery and faulty orders put your firm at danger, resulting in unexpected fees or revenue loss.
If shampoo arrives late at your hair salon, you may need to buy a replacement. That goods may cost more, resulting in unexpected expenses. While the delayed shampoo is unavailable for retail sales, you’ll lose money.
Your business and revenue streams can suffer from business continuity loss. When selecting new or unproven vendors, continuity gap likelihood and repercussions must be assessed.
Risk assessment questionnaire for business continuity
- Does your company have all insurance binders? Claims coverage amounts?
- What plans does your company have to mitigate business repercussions from severe shipping delays or supply chain issues?
- Has a client of yours experienced business continuity issues or major delivery delays?
- What is your client communication policy for supply chain issues or delays?
Reputation
Consumers increasingly consider reputation when buying. Bad reviews discouraged 60% of buyers from buying from a firm. Businesses must carefully assess the dangers of working with any outside organisation when the stakes are so high.
If your business partners with a vendor who violates your principles or participates in illegal business activities, the media and consumers may hold you liable.
Consider a seller who illegally imports merchandise. Whether your business was involved or not, you risk a PR catastrophe. You could permanently ruin your reputation if the media reports your business receiving illegally imported goods.
New vendor due diligence is essential to third-party risk management. To avoid issues, learn about a possible partner’s business procedures and principles.
Questionnaire on reputational risk:
- Do you outline business processes, materials and product quality, vendor selection, and legal/regulatory compliance?
- Have local, state, or federal authorities investigated any occurrences in the past year?
- Such investigations yielded what results?
- Has your ESG policy addressed environmental and social impacts been documented?
- Document ESG data and environmental issues related to your product or service?
- Has company practice litigation occurred?
Secure Data
Data security may be a business’s biggest risk. Working with a vendor increases this risk, especially in IT. In 2020, 83% of Deloitte-surveyed companies “experienced an incident at one of their third-party suppliers/partners in 2019.”
New IBM Security research says breaches cost $4.43 million on average in 2022. Additionally, 19% of these data breaches were caused by third-party business partners.
Remember that a breach is worst-case scenario. Failure to follow laws that prevent violations is risky. Businesses must follow Federal Trade Commission and EU data-security laws depending on region. Violation might result in hefty penalty.
Data privacy and security rules are often complicated. According to Auth0, an application authentication company, “Even if your data collection policies are strictly in accordance with the law, if you’re not protecting that data with adequate security measures such as authentication and access management, you still may not be in legal compliance.”
With risks and costs so high, enterprises must closely monitor vendor security practices.
Risk assessment questionnaire for data security:
- Have you documented your company’s data and cybersecurity policy?
- What compliance risk-reduction policies do you have?
- Have you documented firm asset and customer data acceptable-use policies?
- Does your company implement data security protocols?
- Has your company encountered security breaches, data breaches, or other security issues in the recent [X] months?
- What were your remedial efforts?
- Are the breach’s cause, result, and recovery process known?
- What information security SLAs exist?
- Have your company or subcontractors found any system vulnerabilities?
- How were these identified and handled?
How can NASA’s Risk Matrix aid?
You may define, score, and manage risk with NASA’s approach. These are the three essentials of vendor management policies.
Define risk.
According to Ness Labs, NASA defines risks before applying the matrix using this formula:
Due to [CONDITION], [DEPARTURE] may harm [ASSET], resulting in [CONSEQUENCE].
In practise, how this looks?
Your speciality bakery makes solely gluten-free pastries. Pastries require almond flour. You depend on a seller to provide these things every three days.
One or two days can compromise your ability to produce enough gluten-free foods to meet customer demand. A week’s delay could shut down operations for days.
You find a cheaper gluten-free baking product seller during a vendor audit. The new vendor is highly recommended, however it ships from California, and your bakery and present seller are on the East Coast. That means your orders must travel 2,000 miles farther, causing delays.
According to NASA, ordering from the California vendor is risky:
Since the vendor is 2,000 miles away, shipping delays could affect our almond flour stock, preventing us from making gluten-free pastries, meeting consumer demand, and making a profit for up to three days.
Risk score
Score a vendor’s riskiness using NASA’s Risk Matrix. We’ll use it to rate events’ likelihood and impact from 1 to 5.
Since the provider is 2,000 miles away, our almond flour shipment is likely to be delayed. It gets 5 stars.
We may lose three days of profit, but it won’t sink the firm. Give it a 3.
On NASA’s Risk Matrix, they intersect at “highest risk.” Therefore, we should reconsider cooperating with them.
Regulate risk
Use your risk score from the Risk Matrix to determine ways to mitigate risk. Your company must control business continuity, reputation, data security, and other risks.
Business-continuity controls may include:
- Always stock an extra day’s supplies.
- Have a supply backup strategy in case of delays.
- Order half your supplies from another seller to reduce vendor dependence.
- Order only non-essentials from your seller.
- Stop using the vendor.
In our bakery example, a level 5 risk indicates we should ban the California seller, despite their cheaper items. Too much risk exists of business continuity disruption.
Best methods for vendor risk assessment
While vendor risk can’t be eliminated, following a few best practices can considerably minimise your organization’s risk.
Consider these best practices when creating a firm risk management policy:
Consolidate your vendor list: Refine your vendor list to a few, well-managed service providers. By consolidating your vendor list, you may better evaluate potential vendors. It also strengthens connections with frequent vendors. This reduces operational and financial risk.
Use a vendor risk questionnaire: Vendor due diligence includes self-reported data. Consider a vendor risk questionnaire to learn the company’s risk and mitigation procedures. Additionally, examine for security weaknesses that could introduce high-risk vendor practices.
Perform vendor performance reviews: Evaluating your vendor continues after the ink is dry. The vendor lifecycle includes periodical vendor performance evaluations to ensure suppliers maintain high security and compliance in their internal and external activities.
Track vendor performance metrics: KPIs let you evaluate your vendor risk management policy. Monitoring these data ensures vendor performance and compliance. Overall, it strengthens vendor relations.
Demand robust contract SLAs: Service level agreements (SLAs) describe how vendors will maintain performance. They outline compliance issue penalties and processes. SLAs should mandate tight uptime, disaster recovery, and data handling or deletion throughout and after the contract term.
