Using an ERM Assessment Process to Understand Vendor Risks

Every organization – even my boutique consulting firm – has vendors who provide a range of products or services. These can range from things as simple as Internet services and office supplies to data storage, software, raw materials used to manufacture a product, and more.

Any disruptions with a vendor will inevitably spill over and impact your organization. This story from 2018 about an explosion at an auto parts plant is a great example.

Contrary to what many may think, managing risks around vendors (a.k.a. your “supply-chain”) is not exclusive to manufacturing.

In the end, vendors are an “external dependency” to an organization achieving its goals, so it is imperative any risks are understood so alternatives or mitigations can be put in place. As an external dependency, vendors need to be an important consideration during any scenario planning.

And it’s not just your direct vendors (3rd party) you have to consider, but any of their vendors (4th party) as well. The common tendency is to focus on the largest vendors, but as experience has shown, disruptions can occur in places in the supply chain that are not easily visible.

Why understanding vendor risks is important from an enterprise perspective…

Chances are procurement people in your organization are covering the basics of managing vendor risks already. (At least I hope so!) These activities can include contract compliance, service-level agreements, contract pricing, and more.

However, vendor disruptions can present a wide array of risks to the enterprise beyond the product or service in question. Examples include financial, reputational, compliance, and technological, among others. This is why understanding all the factors or dimensions that influence the risk a vendor poses is so important.

To understand these factors, you have to assess the risk(s) around a vendor beyond contract language and other “insurable” risks.

Only then can you ensure that your organization either works with vendors that align with your risk profile or that plans can be in place should an adverse event occur. Assessing vendor risks also helps you determine the level of due diligence a particular vendor requires.

As risk professionals, our tendency is to jump headfirst into conducting an assessment because we understand the concept. However, one important precursor is that there should be an agreed-upon (high-level) approach approved by the board and senior management to ensure results are comparable and consistent. It is possible that some elements of the assessment will need to be customized to the specific vendor or department, but the methodology will ultimately remain the same.

In the end, executives will use this information to make decisions on which vendors to engage with, which ones require a change in how a contract is worded, and even which ones should be dropped altogether.

General steps for assessing vendor risks from an enterprise perspective…

To better understand enterprise risk assessment in general, I strongly recommend taking a few minutes to read this article published in 2018. Many of the steps outlined here will apply to assessing vendor risks.

The first step in assessing vendor risks is to gather information.

Methods for gathering this information are much the same as for strategic and other risks (i.e. surveys and interviews). However, other sources of information about a particular vendor include financial reports, any risk management activities they currently undertake, any news stories, and more.

Some questions you can ask include:

  • What vendors support critical processes and functions in the company?
  • Can the company function without those vendors?
  • How much do you know about your vendors (third party) and your vendors’ vendors (fourth party and so on)?

The goal here is to see which vendors pose the greatest risks over a variety of areas.

With this information in hand, you can then analyze it to see what is in line with your risk profile and what isn’t. As I explain in this piece on risk analysis, trying to focus on every risk will stretch scarce resources so thin that no value from these efforts will be realized.

Once the research and analysis phases are complete, vendors can then be ranked. The level at which you rank a vendor can be based on the product or service provided and the level of risk the particular vendor presents to your organization.

The following is just an example of how you can categorize assessment results.

  1. Low Risk (Commodity Vendor) – The product/service the vendor provides can easily be found elsewhere at a similar cost. Due diligence and monitoring of these vendors can be on the lower end of the scale, but other activities such as contracting and invoicing must adhere to established protocols.
  2. Medium Risk (Significant Vendor) – The product or service plays a significant role in the organization’s operations and the vendor is replaceable, but at some additional expense. Therefore, additional due diligence and monitoring of these vendors is required. Relationship management is important.
  3. High Risk (Critical Vendor) – Products or services that fall into this category are not only extremely expensive or time-consuming to replace, but the organization also cannot operate without them. Vendors falling into this category will require the highest level of due diligence and hands-on monitoring. These high-risk vendors may also require special contract language or different invoicing protocols. Hands-on relationship management with the vendor is critical to ensuring both parties are satisfied with the arrangement; close relationship management may also benefit your organization at contract renewal.

(Venminder has great resources for learning more about managing vendor risks.)

Of course, methods for assessing vendor risks and categorizing them are highly dependent on factors internal to your organization, such as current processes, culture, and more. You may find that you can integrate a vendor risk assessment into existing processes.

The key is to strike a balance between a process that produces the information decision-makers need but is not so cumbersome that it is quickly abandoned.

Has your organization experienced issues on an enterprise-wide scale due to unanticipated vendor risks?

How does your organization assess vendor risks to provide decision-makers with relevant, actionable information?

I welcome your thoughts on integrating ERM processes with vendor risk management. Feel free to leave a comment below or join the conversation on LinkedIn.

And if your organization is struggling to articulate a workable process for assessing vendor risks, contact me to discuss how we can develop policies and procedures that can ensure your organization doesn’t suffer disruptions to operations or damages to its reputation due to a vendor.

12th Edition: Third Party Risk Management & Oversight for Financial Services

I want to take this opportunity to let you know about an upcoming special event. Marcus Evans Group is hosting a virtual conference in November focused on improving the U.S. financial service industry’s third-party (i.e. vendor) risk management practices. These events are limited to 50-60 people to allow for meaningful discussion and learning opportunities.

Seats will fill up fast, so click here to learn more.


Featured image courtesy of Craig Adderley via
