Using an ERM Assessment Process to Understand Vendor Risks

Every organization – even my boutique consulting firm – has vendors who provide a range of products or services. These range from things as simple as Internet services and office supplies to data storage, software, raw materials used to manufacture a product, and more.

Any disruptions with a vendor will inevitably spill over and impact your organization. This story from 2018 about an explosion at an auto parts plant is a great example.

Contrary to what many may think, managing risks around vendors (a.k.a. your “supply-chain”) is not exclusive to manufacturing.

In the end, vendors are an “external dependency” to an organization achieving its goals, so it is imperative any risks are understood so alternatives or mitigations can be put in place. As an external dependency, vendors need to be an important consideration during any scenario planning.

And it’s not just your direct vendors (3rd party) you have to consider, but any of their vendors (4th party) as well. The common tendency is to focus on the largest vendors, but as experience has shown, disruptions can occur in places in the supply chain that are not easily visible.

Why understanding vendor risks is important from an enterprise perspective…

Chances are procurement people in your organization are covering the basics of managing vendor risks already. (At least I hope so!) These activities can include contract compliance, service-level agreements, contract pricing, and more.

However, vendor disruptions can present a wide array of risks to the enterprise beyond the product or service in question. Examples include financial, reputational, compliance, and technological, among others. This is why understanding all the factors or dimensions that influence the risk a vendor poses is so important.

To understand these factors, you have to assess the risk(s) around a vendor beyond contract language and other “insurable” risks.

Only then can you ensure that your organization either works with vendors that align with your risk profile or that plans can be in place should an adverse event occur. Assessing vendor risks also helps you determine the level of due diligence a particular vendor requires.

As risk professionals, our tendency is to jump headfirst into conducting an assessment because we understand the concept. However, one important precursor is that there should be an agreed-upon (high-level) approach approved by the board and senior management to ensure results are comparable and consistent. It is possible that some elements of the assessment will need to be customized to the specific vendor or department, but the methodology will ultimately remain the same.

In the end, executives will use this information to make decisions on which vendors to engage with, which ones require a change in how a contract is worded, and even which ones should be dropped altogether.

General steps for assessing vendor risks from an enterprise perspective…

To better understand enterprise risk assessment in general, I strongly recommend taking a few minutes to read this article published in 2018. Many of the steps outlined here will apply to assessing vendor risks.

The first step in assessing vendor risks is to gather information.

Methods for gathering this information are much the same as for strategic and other risks (i.e. surveys and interviews). However, other examples of information around a particular vendor include financial reports, any risk management activities they currently undertake, any news stories, and more.

Some questions you can ask include:

  • What vendors support critical processes and functions in the company?
  • Can the company function without those vendors?
  • How much do you know about your vendors (third party) and your vendors’ vendors (fourth party and so on)?

The goal here is to see which vendors pose the greatest risks over a variety of areas.

With this information in hand, you can then analyze it to see what is in line with your risk profile and what isn’t. As I explain in this piece on risk analysis, trying to focus on every risk will stretch scarce resources so thin that no value from these efforts will be realized.

Once the research and analysis phases are complete, vendors can then be ranked. The level at which you rank a vendor can be based on the product or service provided and the level of risk the particular vendor presents to your organization.

The following is just an example of how you can categorize assessment results.

  1. Low Risk (Commodity Vendor) – The product/service the vendor provides can easily be found elsewhere at a similar cost. Due diligence and monitoring of these vendors can be on the lower end of the scale, but other activities such as contracting and invoicing must adhere to established protocols.
  2. Medium Risk (Significant Vendor) – The product or service plays a significant role in the organization’s operations and the vendor is replaceable, but at some additional expense. Therefore, additional due diligence and monitoring of these vendors is required. Relationship management is important.
  3. High Risk (Critical Vendor) – Products or services that fall into this category are not only extremely expensive or time-consuming to replace, but the organization cannot operate without them. Vendors falling into this category will require the highest level of due diligence and hands-on monitoring. These high-risk vendors may also require special contract language or different invoicing protocols. Hands-on relationship management with the vendor is critical to ensuring both parties are satisfied with the arrangement; close relationship management may also benefit your organization at contract renewal.

(Venminder has great resources for learning more about managing vendor risks.)

Of course, methods for assessing vendor risks and categorizing them are highly dependent on factors internal to your organization, such as current processes, culture, and more. You may find that you can integrate a vendor risk assessment into existing processes.

The key is to strike a balance between a process that produces the information decision-makers need but is not so cumbersome that it is quickly abandoned.

To learn more about using ERM to better manage vendors, visit 4 Steps to Integrating ERM into Vendor Management.

Has your organization experienced issues on an enterprise-wide scale due to unanticipated vendor risks?

How does your organization assess vendor risks to provide decision-makers with relevant, actionable information?

I welcome your thoughts on integrating ERM processes with vendor risk management. Feel free to leave a comment below or join the conversation on LinkedIn.

And if your organization is struggling to articulate a workable process for assessing vendor risks, contact me to discuss how we can develop policies and procedures that can ensure your organization doesn’t suffer disruptions to operations or damages to its reputation due to a vendor.

12th Edition: Third Party Risk Management & Oversight for Financial Services

I want to take this opportunity to let you know about an upcoming special event. Marcus Evans Group is hosting a virtual conference in November focused on improving the U.S. financial service industry’s third-party (i.e. vendor) risk management practices. These events are limited to 50-60 people to allow for meaningful discussion and learning opportunities.

Seats will fill up fast, so click here to learn more.

Featured image courtesy of Craig Adderley via


Meet Carol Williams, SDS Founder & Lead Strategist

To our readers:

This blog was launched to provide strategy and risk practitioners with a go-to resource to better guide their efforts within their companies. Thank you for bringing me and my team along to be part of your journey towards better risk management, strategic planning and execution, and overall decision-making. Happy reading!
