Mitratech Success Center

Best Practice - VRP Categories & PCM Requirements

Let's Talk about the VRP and PCM Requirements

VendorInsight can be an out-of-the-box solution for your vendor management program, but VI also allows the system to be configured to match your organization’s vendor management policy. As a matter of fact, we highly encourage the latter! Your organization worked hard to create a policy that incorporates its risk appetite and known best practices for vendor management. That policy should absolutely be reflected in the system you choose to help you follow the processes it lays out.

  • How do I establish the organization’s vendor management policy in VI?

What do we mean when we talk about adding your vendor management policy to VendorInsight? Are we talking about saving the document somewhere in the system? While you can upload the document to save for easy access, this is not quite what we mean.

The Vendor Relationship Profile (VRP), or Inherent Risk assessment, has categories of risk, each with an Inherent Risk score that can be customized to fit your organization’s risk appetite. Categories of Risk may include, but are certainly not limited to: New Vendor Relationship, Physical Access, Logical Access, NPPI Access, Cloud Service, ESG, Company Confidential Information Access, Critical Customer-Facing and Mission Critical Vendor. The categories should be selected to reflect what is most important to your organization at the start of a vendor relationship, as well as what you would like to continue to review as the relationship progresses. We do recommend reviewing the VRP once a year for critical vendors, or whenever the Vendor Risk Assessment expires. Whether it is a brand-new relationship or an ongoing review, the reviewer should keep in mind that the assessment determines the risk before any mitigating factors are considered.

Since Inherent Risk is the risk that is established before knowing what mitigating factors may exist, the scoring of each risk category should be set to reflect this. For example, if you are using a Mission Critical Vendor category, you would want to set the risk score for this category to the highest score. In VendorInsight the Inherent Risk scores range from 0-5, so for our example the Risk Score would be 5 and would be considered “High Risk”. Your organization would accept the Mission Critical Vendor’s potential risk because the product or service the vendor provides is essential to an internal process.

But what about the gathering of documentation? What do we do with this information? The due diligence documentation that your organization has decided to collect at the beginning of the relationship with a vendor, and during ongoing monitoring, is an important piece of the puzzle. We haven’t forgotten about it! VendorInsight has what we call the Policy Compliance Matrix, or PCM. This matrix ties the VRP categories to the due diligence documentation requirements defined by your organization. PCM Requirements are customizable, and may include but are not limited to the following: Non-Disclosure Agreements, W-9s, Insurance Certificates, Financials, SOC Reports, Info Sec Questionnaires, Business Continuity and Disaster Recovery Plans, Customer Complaint Monitoring, ESG Policy Proof, as well as reviews of this information. Gathering and maintaining proper documentation is key to showing that you know your vendor, whether you are showing their strengths or what they lack. When the documentation is housed in VendorInsight it can become part of review and approval processes, and it helps to show the compliance of the contract records within the system. The due diligence review is a must to round out your Vendor Management Program.
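To make the relationship between the VRP and the PCM concrete, here is an added example (not VendorInsight’s own code or configuration) that models a VRP as a category-to-score table on the 0-5 scale described above and a PCM as a category-to-required-documents matrix, then reports which due diligence documents a vendor is missing or has let expire. The category scores, document mappings, the use of the highest selected category score as the overall Inherent Risk, and the Low/Medium/High bands are all illustrative assumptions; each organization sets its own per its policy.

```python
from datetime import date

# VRP: risk category -> Inherent Risk score (0-5). Illustrative values only;
# the page states 5 is "High Risk", the rest is an assumed policy.
VRP_SCORES = {
    "Mission Critical Vendor": 5,
    "NPPI Access": 5,
    "Logical Access": 4,
    "Cloud Service": 4,
    "Physical Access": 3,
    "Critical Customer-Facing": 3,
    "New Vendor Relationship": 2,
    "ESG": 1,
}

# PCM: risk category -> due diligence documents required when it applies.
# Illustrative mapping built from the requirement types named on the page.
PCM = {
    "Mission Critical Vendor": {"Financials", "SOC Report", "BC/DR Plan"},
    "NPPI Access": {"Info Sec Questionnaire", "SOC Report", "NDA"},
    "Logical Access": {"Info Sec Questionnaire"},
    "Cloud Service": {"SOC Report", "BC/DR Plan"},
    "Physical Access": {"Insurance Certificate"},
    "Critical Customer-Facing": {"Customer Complaint Monitoring"},
    "New Vendor Relationship": {"NDA", "W-9", "Insurance Certificate"},
    "ESG": {"ESG Policy Proof"},
}

def inherent_risk(categories):
    """Overall Inherent Risk = highest score among the selected categories (assumed)."""
    return max((VRP_SCORES[c] for c in categories), default=0)

def rating(score):
    """Assumed bands: 0-1 Low, 2-3 Medium, 4-5 High."""
    return "High" if score >= 4 else "Medium" if score >= 2 else "Low"

def required_documents(categories):
    """Union of PCM requirements for every category that applies to the vendor."""
    return set().union(*(PCM[c] for c in categories))

def documentation_gaps(categories, on_file, today):
    """Return required documents that are missing or whose expiry date has passed.
    on_file maps document name -> expiry date (None = does not expire)."""
    gaps = set()
    for doc in required_documents(categories):
        expiry = on_file.get(doc, "missing")
        if expiry == "missing" or (expiry is not None and expiry < today):
            gaps.add(doc)
    return gaps
```

The vendor’s Inherent Risk is assessed before any of these documents are reviewed; the gap report is then the input to the due diligence review, not a way to lower the inherent score.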

  • What happens if I need to update my VRP or PCM Matrix?

Don’t worry! This happens. As time goes on, you may find that some categories or questions no longer apply, or are no longer as important to know at the beginning of a vendor relationship. Maybe the internal focus has shifted to more consequential topics. This change in risk appetite can lead to a change in the due diligence documentation gathered. VendorInsight was designed to adapt to the inevitable changes within organizations. Remember, you have a tool that stays with you through your entire VendorInsight journey: your VendorInsight Program Administrator! As changes need to be made, you can certainly reach out and we will walk you through them.

  • Keep in mind, you can reach out to your VI Program Administrator!

If you are still unsure about best practices for establishing the VRP Categories and/or selecting PCM Requirements, remember you can always reach out to your VI Program Administrator for help.