Developing Vendor Risk Management Program Metrics

Establishing risk and performance metrics for your vendors has long been an essential best practice, and is a regulatory requirement across various industries. However, vendor risk management metrics are only part of the bigger vendor risk management picture. It's essential to measure the performance of your entire vendor risk management program.

Vendor risk management program metrics ensure that your program’s rules, tools, and processes are working as intended. Identifying specific metrics can help evaluate your program's performance, identify gaps, and encourage data-driven decisions. More importantly, reporting vendor risk program metrics to the board can assure them that your third-party vendors' risks are well-managed, and that the program adds value.

Although it can sometimes be challenging to pinpoint the right metrics, it doesn't have to be. Read on to learn more about metrics and how to identify the right ones for your vendor risk management program.

Two Types of Vendor Risk Management Program Metrics

Metrics typically fall into two categories: key performance indicators (KPIs) or key risk indicators (KRIs). It’s essential to understand the difference between the two and how they should be used. It's also necessary to determine if your KPIs and KRIs are objective or quantitative, meaning something that can be measured or counted, or subjective or qualitative, meaning something experienced or felt.

Let's examine how these metrics are different and review some examples:

Key Performance Indicators

KPIs are lagging indicators and tell us about something that has already occurred. They look back on the performance of the vendor risk management program and can help measure how the program has performed against set goals or objectives.

Examples KPI Vendor Risk Management Metrics:

• Objective: The number of current risk assessments for high-risk and critical vendor engagements
• Subjective: Percentage of vendor owners rating vendor risk management training 3 or fewer stars (out of 5)

Key Risk Indicators

KRIs are leading indicators and tell us about something that might happen. They are meant to be predictive and help identify where risks may develop or increase.

Examples of KRI Vendor Risk Management Metrics:

• Objective: The number of high-risk and critical vendors with open issues that are at risk or past due
• Subjective: Average stakeholder satisfaction score

It's crucial to understand that the metrics used in your vendor risk management program should identify and manage risks and evaluate the program's performance. It's optimal to use both KPIs and KRIs.

How to Identify Vendor Risk Management Program Metrics

When choosing metrics for your vendor risk management program, consider objectives like compliance, risk management, performance, or efficiency. Let's review some examples and how they might be translated into KPIs, KRIs, or both:

1. Compliance metrics – These vendor risk management program metrics should identify regulatory and internal compliance with all policies and documented requirements. Examples include:
   
   
   • The number of compliance issues currently open – Compliance issues must be addressed immediately, whether vendor-related or internal. Failure to comply is taken very seriously by auditors and examiners.
     
     
     • KPI – Effective vendor risk management programs have few, if any, compliance issues. Remediating issues quickly demonstrates that the program prioritizes compliance.
     • KRI – The more compliance issues an organization has, the more likely it is to experience dissatisfied customers, revenue loss, litigation, and regulatory penalties.
   • Policy exceptions – Limiting policy exceptions demonstrates compliance with internal and external requirements.
     
     
     • KPI – Limited policy exceptions show that your existing requirements are achievable and there's a reduced need for administrative work and approval requests.
     • KRI – If the number of exceptions increases, compliance risk rises and regulatory scrutiny intensifies.
2. Risk metrics – These vendor risk management program metrics should demonstrate effective identification, assessment, management, and vendor risk monitoring. Examples include:
   
   
   • Number of engagements without a current risk assessment – Active vendor engagements without a current risk assessment decreases your organization's ability to identify and manage risks effectively.
     
     
     • KPI – Per the vendor risk management policy, all engagements must have a current risk assessment. Adhering to this process shows effective risk identification and management.
     • KRI – The more engagements without current risk assessments, the higher the likelihood that new and emerging risks remain unidentified and unmanaged.
   • Due diligence reviews resulting in a pass decision – Due diligence is meant to validate that your vendors have the appropriate risk management practices and controls to mitigate known risks sufficiently.
     
     
     • KPI – Effective processes, subject matter expertise, and risk avoidance are evidenced when vendors are rejected as a result of due diligence.
     • KRI – A due diligence process that results in the approval of every vendor is likely not rigorous enough and may expose the organization to unnecessary risk.
3. Performance or operational metrics – It's essential to demonstrate that your program runs efficiently and effectively and has the right processes, tools, and people to do the job.
   
   
   • Percentage of due diligence assessments completed within the estimated timeframe – A swift decision on vendor approval or rejection is crucial for timely issue resolution and seizing opportunities.
     
     
     • KPI – Processes, tools, and people are working effectively and meeting expectations.
     • KRI – Not completing due diligence assessments within the estimated time may impact business or indicate a lack of resources.
   • The ratio of vendor risk management program full time employees (FTEs) to the number of critical and high-risk vendors – These vendors require the most vendor risk management rigor and attention.
     
     
     • KPI – A reasonable ratio of FTEs dedicated to vendor risk management in comparison to elevated risk vendors illustrates an appropriate allocation of resources for risk management.
     • KRI – Insufficient number of vendor risk management FTEs can lead to process delays, approval delays, and reduced vendor risk management effectiveness.

Additional Considerations for Vendor Risk Management Program Efforts

Before finalizing your vendor risk management program metrics, it’s important to ensure you have access to data that can be easily calculated, is repeatable, and clearly illustrates vendor risk management or operational effectiveness.

Ask yourself the following questions:

• Does the metric help tell the right story?
• Do I have an accessible and reliable data source to support the metric?
• How easy is it to calculate the metric?
• Is the metric better used as KPI (lagging measure) or a KRI (leading measure)?

Keep in mind that identifying metrics isn’t enough, it’s also essential to determine what actions will be taken when the metric isn’t within the acceptable thresholds.

In summary, developing and tracking metrics for vendor risk management is considered a best practice and is an essential aspect of effective programs. These metrics can provide valuable insights into resource allocation, risk identification, and program impact. Additionally, they offer crucial information for the board, management, and stakeholders, enabling organizations to make informed decisions to improve their vendor risk management program.