Due Diligence and Ongoing Monitoring

  • 1.  Vendor Score Cards

    Posted 08-17-2022 11:08 AM
    I am wondering if other organizations find Vendor Scorecards to be a role of Third Party Risk Management (TPRM), Contract Management, or Vendor Management?  Is it a collaborative effort with all three and the relationship owner?  How often are Vendor Scorecards shared?  Do you share with just your most critical vendors?


  • 2.  RE: Vendor Score Cards

    Posted 08-18-2022 10:51 AM
    Our Vendor Management Office uses vendor scorecards. We aren't a large department so we have had to start small and concentrated on our top vendors. We collaborate with our operational stakeholders. The VMO sits in ITS so we also pull in the analysts for collaboration as well. We do share with the vendors ahead of our meeting. We then schedule time for everyone to have a conversation. The transparency is much appreciated by our vendors and they are willing to work with us on our issues.

    Original Message:
    Sent: 08-17-2022 11:08 AM
    From: Dan Even
    Subject: Vendor Score Cards


  • 3.  RE: Vendor Score Cards

    Posted 08-20-2022 12:54 PM
    Good Afternoon

    Scorecards are a valuable monitoring and reporting tool

    In my experience, the TPRMO is the same as Vendor mgt

    The TPRMO scorecard should focus on Critical vendors (risk based approach - most TP Teams are short on resources) and collect data such as: # of Critical Vendors/services, related concentration risks, Residual risk scores, # of findings from executed due diligence, Critical Vendors with incidents, Critical vendors that process our PII data, etc.

    Procurement often has their own scorecard, mostly focused on "spend". Although that can vary from organization to organization.

    Overall, it should be a collaborative process and one universal scorecard can be produced and sent to Enterprise Risk Mgt.

    Happy to chat

    Regards, John


  • 4.  RE: Vendor Score Cards
    Best Answer

    Posted 08-23-2022 08:40 PM
    Vendor Scorecards should be part of the TPRM/VRMO process to support "On-Going Monitoring" 
    However, it should be the business unit (1st line of risk defense) responsibility to report on performance. 
    TPRM should be the group to request, gather and maintain the score card.
    I'd also suggest that SLAs and KPIs are the main data points to be gathered. However, from a metrics reporting perspective, you should consider Categories with specific and unique data elements bucketed in those Categories, as not all vendors are going to fit a single scorecard.
    A one-size-fits-all scorecard doesn't really work...
    We have a few categories: Performance, InfoSec, Reputation, Financial, Compliance... (it's early days, so we might change those). However, within the categories, we develop with the 1st line the unique SLAs and KPIs... that way I can report metrics across all the vendors we track with scorecards. (I have 85 in the on-going monitoring bucket; and the scorecard is a quarterly requirement of the 1st line.)
    I also use an inner and outer threshold... Red, Amber, Green (the RAG).
    So from a metrics reporting perspective, Vendor Performance Management reports on the number of vendors with Red or Amber rating; and in which categories. If the executive team wants to drill down, we can then get specific. 

    But don't stop there... the scorecards are best shared with the Vendor. We do an Annual Service Review meeting and use the Scorecard as the basis for the meeting. I break those meetings into three sections: Technology review, Business review and Executive review...

    Bring in the IT and InfoSec team to review the tech and what its doing, good and bad; and where it's going... 
    Business review, how well is the product supporting the business and what's on the roadmap for the future. 
    Executive review is where the C-suite from both sides can do a meet and greet... and set escalation expectations. 

    Hope that helps. Good luck!

    ------------------------------
    Bradley Martin

    ------------------------------