Vendor Scorecards should be part of the TPRM/VRMO process to support "On-Going Monitoring"
However, it should be the business unit (1st line of risk defense) responsibility to report on performance.
TPRM should be the group to request, gather and maintain the score card.
I'd also suggest that SLAs and KPIs are the main data points to be gathered. However, from a metrics reporting perspective, you should consider Categories with specific and unique data elements bucketed in those Categories, as not all vendors are going to fit a single scorecard.
A one-size-fits-all scorecard doesn't really work...
We have a few categories: Performance, InfoSec, Reputation, Financial, Compliance... (it's early days, so we might change those). However, within the categories, we develop with the 1st line the unique SLAs and KPIs... that way I can report metrics across all the vendors we track with scorecards. (I have 85 in the on-going monitoring bucket; and the scorecard is a quarterly requirement of the 1st line.)
I also use an inner and outer threshold... Red, Amber, Green (the RAG).
So from a metrics reporting perspective, Vendor Performance Management reports on the number of vendors with Red or Amber rating; and in which categories. If the executive team wants to drill down, we can then get specific.
But don't stop there... the scorecards are best shared with the Vendor. We do an Annual Service Review meeting and use the Scorecard as the basis for the meeting. I break those meetings into three sections: Technology review, Business review and Executive review...
Bring in the IT and InfoSec team to review the tech and what it's doing, good and bad, and where it's going...
Business review: how well is the product supporting the business, and what's on the roadmap for the future.
Executive review is where the C-suite from both sides can do a meet and greet... and set escalation expectations.
Hope that helps. Good luck!
------------------------------
Bradley Martin
------------------------------
Original Message:
Sent: 08-17-2022 11:08 AM
From: Dan Even
Subject: Vendor Score Cards
I am wondering if other organizations find Vendor Scorecards to be a role of Third Party Risk Management (TPRM), Contract Management, or Vendor Management? Is it a collaborative effort with all three and the relationship owner? How often are Vendor Scorecards shared? Do you share with just your most critical vendors?