There's a question I get asked often, at conferences and in follow-up to webinars: "Why must I risk rate EVERY one of my vendors?" It is a popular question because the requirement drives a lot of confusion and a fear of unnecessary work.
The easy, short answer is: “Because the regulatory guidance and prudent business practices dictate it.”
The more comprehensive answer is that risk rating every vendor, regardless of the degree of risk present, is necessary because the regulatory guidance and sound business practice both dictate it: you cannot know a vendor is low risk until you have assessed it, and you cannot show an examiner you know it until you have documented it.
How to Risk Rate
For every vendor in your active inventory, you should do some level of risk assessment. Obviously, for some vendors there may be very little risk at all (for example, one that never touches your data or your customers), but you should at least document that conclusion and the reasoning behind it, even if the review is very cursory.
For others, you'll want to do a very comprehensive risk assessment, which would involve:
- Thorough due diligence:
Asking experts from around your company and learning as much as you can about the vendor before engaging in a business relationship.
- Robust ongoing monitoring:
Robust reporting and service level agreements, supported by evidence obtained through mystery calling, call center listening and reviews of independent audits, are just a few examples.
What to Do With the Risk Ratings
Once you determine the risk rating, particularly for critical or high-risk vendors, make sure you have a thorough understanding of where the risks lie and how best to manage them.
Risk ratings also inform contract terms. What you learn in the due diligence and risk rating processes may lead you to additional contract requirements, such as obligations to disclose material issues, provide regular reporting, obtain advance approval of significant new third parties (the vendor's own subcontractors) and rights to terminate if these obligations are not met.
From time to time, you'll want to update the risk assessment, noting any changes since the last review and adjusting the risk rating as needed. If the changes are significant, include them in your reports to senior management and the board. It is all about the risks and how best to control them.