Hi there
I can provide a few suggestions for metrics to demonstrate the health and effectiveness of your Vendor Risk Management program.
However, your first consideration regarding metrics will be whether you are going to use KPIs, KRIs, or a combination of both.
KPIs (Key Performance Indicators) measure the program's performance against its stated objectives. They are also known as lagging indicators, meaning they measure something that has already happened.
KRIs (Key Risk Indicators) help you identify where risk might be increasing or is beyond your organization's risk appetite. KRIs are known as leading indicators, which help identify where action must be taken to prevent risks from increasing in the future or to lower the potential impact of the risk.
Metrics are most effective when you set a target or acceptable range. For example, assess inherent risk for every product and service provided by vendors to ensure 98% of all engagements have a current inherent risk assessment. Or keep the percentage of critical vendors between 15-20% of total inventory, which is the best practice.
When choosing metrics for TPRM programs, consider objectives like compliance, risk management, performance, or efficiency. As a starting point, you can always evaluate the actual processes used in vendor management, such as risk assessments, due diligence, risk and performance monitoring, issue management, etc. Let's review some examples and how they might be translated into KPIs, KRIs, or both.
Compliance Metrics – These metrics should identify regulatory and internal compliance with all policies and documented requirements. Examples include:
The number of Compliance Issues Currently Open: Compliance issues must be addressed immediately, whether vendor-related or internal. Compliance failures are taken very seriously by auditors and examiners.
KPI: Effective third-party risk management (TPRM) programs should have little to no compliance issues. Quickly remedying issues demonstrates that the program prioritizes compliance.
KRI: The more compliance issues a company has, the greater the chance of unhappy customers, revenue loss, legal action, and regulatory fines.
Risk Metrics – These metrics should demonstrate effective identification, assessment, management, and vendor risk monitoring. Examples include:
Percentage of Engagements without a current risk assessment. Active vendor engagement without a current risk assessment decreases your organization's ability to identify and manage risks effectively.
KPI: Per the policy, all engagements must have a current risk assessment. Adhering to this process demonstrates effective risk identification and management.
KRI: The more engagements without current risk assessments, the higher the likelihood of unidentified and unmanaged new and emerging risks.
Performance or Operational Metrics – It's essential to demonstrate that your program runs efficiently and effectively and has the right processes, tools, and people to do the job.
Percentage of due diligence assessments completed within the estimated timeframe – A swift decision on vendor approval or rejection is crucial for timely issue resolution and seizing opportunities.
KPI: Due diligence processes, tools, and people work efficiently and meet expectations.
KRI: Completing due diligence assessments beyond the estimated time prevents the business from making timely decisions and can indicate a lack of resources.
Additional Considerations
Before finalizing your TPRM program metrics, it's essential to ensure that you have access to data that can be easily calculated, is repeatable, and clearly illustrates risk management or operational effectiveness. Ask yourself the following questions.
• Does the metric help tell the right story?
• Do I have an accessible and reliable data source to support the metric?
• How easy is it to calculate the metric?
• Is the metric better used as a KPI (lagging measure) or a KRI (leading measure)?
Finally, it is essential to determine what actions will be taken when the metric is outside the acceptable thresholds.
I hope this information is helpful, but I would love to hear from other members if there is more to add.
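The metrics above (engagements without a current risk assessment, critical-vendor share, open compliance issues, due diligence completed on time) can be computed and checked against their targets from a vendor inventory. The script below is an added example, not part of the post above, and not from any TPRM tool. The inventory, the reporting date, the one-year "current assessment" window and the 90% due-diligence target are constructed assumptions; the 98% assessment-coverage target and the 15-20% critical-vendor band are the ones the post mentions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


# Constructed sample inventory: vendor names, dates and counts are illustrative only.
@dataclass
class Engagement:
    vendor: str
    critical: bool                             # flagged critical in the inventory
    last_inherent_assessment: Optional[date]   # None = never assessed
    open_compliance_issues: int
    dd_estimated_days: int                     # due diligence: planned duration
    dd_actual_days: Optional[int]              # None = due diligence still in progress


AS_OF = date(2024, 4, 26)        # constructed reporting date
MAX_ASSESSMENT_AGE_DAYS = 365    # assumption: an inherent risk assessment stays current for one year

ENGAGEMENTS = [
    Engagement("Vendor A", True,  date(2023, 11, 1),  0, 30, 28),
    Engagement("Vendor B", False, date(2022, 12, 15), 1, 20, 35),
    Engagement("Vendor C", False, None,               0, 45, 40),
    Engagement("Vendor D", False, date(2024, 2, 10),  0, 30, 30),
    Engagement("Vendor E", False, date(2024, 1, 5),   2, 15, None),
    Engagement("Vendor F", True,  date(2023, 9, 20),  0, 60, 75),
    Engagement("Vendor G", False, date(2024, 3, 1),   0, 30, 25),
    Engagement("Vendor H", False, date(2023, 6, 30),  0, 30, 30),
    Engagement("Vendor I", False, date(2024, 4, 1),   0, 20, 18),
    Engagement("Vendor J", False, date(2023, 3, 1),   0, 20, 19),
]


def pct_without_current_assessment(engs, as_of, max_age_days=MAX_ASSESSMENT_AGE_DAYS):
    """Risk metric: share of active engagements with no current inherent risk assessment."""
    stale = [e for e in engs
             if e.last_inherent_assessment is None
             or (as_of - e.last_inherent_assessment).days > max_age_days]
    return round(100.0 * len(stale) / len(engs), 1)


def pct_critical_vendors(engs):
    """Share of the inventory flagged critical."""
    return round(100.0 * sum(e.critical for e in engs) / len(engs), 1)


def open_compliance_issues(engs):
    """Compliance metric: total open compliance issues across all engagements."""
    return sum(e.open_compliance_issues for e in engs)


def pct_due_diligence_on_time(engs):
    """Performance metric: completed due diligence assessments finished within estimate."""
    done = [e for e in engs if e.dd_actual_days is not None]
    on_time = [e for e in done if e.dd_actual_days <= e.dd_estimated_days]
    return round(100.0 * len(on_time) / len(done), 1) if done else 100.0


# Constructed thresholds: each metric gets a comparison kind and an acceptable value or range.
THRESHOLDS = {
    "pct_without_current_assessment": ("max", 2.0),       # 98% coverage target from the post
    "pct_critical_vendors": ("range", (15.0, 20.0)),      # 15-20% best-practice band from the post
    "open_compliance_issues": ("max", 0),                 # effective programs have little to none
    "pct_due_diligence_on_time": ("min", 90.0),           # assumed target
}


def within(kind, bound, value):
    """True when the value sits inside the acceptable threshold."""
    if kind == "max":
        return value <= bound
    if kind == "min":
        return value >= bound
    lo, hi = bound
    return lo <= value <= hi


def evaluate(engs, as_of):
    """Compute every metric and mark it OK or BREACH against its threshold."""
    values = {
        "pct_without_current_assessment": pct_without_current_assessment(engs, as_of),
        "pct_critical_vendors": pct_critical_vendors(engs),
        "open_compliance_issues": open_compliance_issues(engs),
        "pct_due_diligence_on_time": pct_due_diligence_on_time(engs),
    }
    return {name: (v, "OK" if within(*THRESHOLDS[name], v) else "BREACH")
            for name, v in values.items()}


if __name__ == "__main__":
    for name, (value, status) in evaluate(ENGAGEMENTS, AS_OF).items():
        print(f"{name:34} {value:>7} {status}")
```

Each metric is a named function over the same inventory, so the calculation is repeatable and the data source is explicit, which is the point of the "accessible and reliable data source" question above; the threshold table is where the acceptable range and, by extension, the trigger for follow-up action lives.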
Original Message:
Sent: 04-26-2024 10:02 AM
From: Anonymous Member
Subject: KPI/KRI Reporting
This message was posted by a user wishing to remain anonymous
Hi all, please can someone tell me the metrics they recommend for reporting on vendor management KPIs/KRIs.