Assessing Your Vendors: Best Practices and New Approaches
Whether it’s for compliance, business continuity, or investigating an incident – vendor risk assessments are here to stay. Unfortunately, they seem more like a one-sided obligation – you assess the vendor to get the answers you need to feel comfortable working with them. However, perception does this create for the vendor? Off the bat, the vendor feels like they are being burdened and forced to do extra ‘homework’ that that don’t actually want to do.
To shift this way of thinking, businesses need to change the way they distribute vendor risk assessments and make it more of a two-way street. In doing so, the process becomes less of a burden and more of a collaboration exercise.
So, what can you do to streamline assessment completion and simplify vendor risk reviews? In this blog, we’ll outline the latest vendor risk assessment tips and tactics that you can implement to build a more efficient third-party risk program.
1. Navigate Internal Politics: There are hurdles to go through even before you start the assessment process. There is always going to be one critical employee involved no matter what – and that’s the business owner, also known as the person who intends on using that supplier or vendor. It is best to get the business owner involved in the process early, such that you aren’t going around them and they can act as your champion since they have an existing relationship.
2. Transparency is Critical: Beyond just notifying the business owner, keeping them looped in throughout the duration of the project is helpful. These are the people who know the context of the vendor relationship and can answer questions. From there, the business can take over.
3. When Reaching Out, Make Your Purpose Clear: When first reaching out to the vendor, your goal should be to make things abundantly clear as to why the assessment is being conducted. Teams should send a “context” email to the vendor first (e.g. include the who, what, when, where, and why) before sending a link to the assessment. This reduces the likelihood that an assessment will be ignored out of suspicion of phasing or the likelihood that a vendor will not have any idea why the assessment is coming in the first place.
4. Timeline is Key: Once you’ve provided context, there needs to be an aggressive timeline articulated because vendors will inevitably request an extension.
5. Maturity Matters: Next, consider the maturity of the vendor you’re assessing as their industry and size will likely impact the type of questionnaire you send. It’s important to manage expectations with less mature vendors as they will likely have less resources, take longer to respond, and leave questions unanswered.
6. Make Assessment Response Easy: Remember, the assessment process needs to be a two-way street. Make the assessment easy for a vendor to respond to. This could mean sending the assessment online through a tool, emailing the assessment with a formatted excel, or providing an industry standard questionnaire that the vendor may have already completed before.
7. Visibility into Assessment Progress: And while that vendor is responding, try and gain visibility into the assessments progress, this will help you step in at critical junctures. Oftentimes this is only possible with a live document or a technology solution.
8. Have a Methodology: It’s imperative to think through your process and document it. Every vendor is different, but if you build a playbook that you can build on and adapt, you can reduce work and human error for future assessments.
9. Help Your Future Self: Never start from scratch. Make things easier for yourself and save assessment details as well as vendor contacts.
10. Constantly Refine: The final tip is to identify what is and what is not working for your vendor assessment process. Make adjustments (e.g. change messaging, use local language, time zones) and consistently work on improving your relationships.
Want to try it out? We’re offering an extended free trial that includes access to 10 free and completed vendor risk assessments.