Contract Management

  • 1.  KPIs & KRIs for Contract Mgmt & Third Party Risk management

    This message was posted by a user wishing to remain anonymous
    Posted 02-04-2022 01:57 PM

    Hello everyone!

    Hope everyone is doing well!

    Can anyone suggest KPIs & KRIs related to contract reviews, risk assessment, onboarding, and due diligence in TPRM to measure the effectiveness of the program, and which could be useful in reporting to the Board?

    Thanks in advance!

  • 2.  RE: KPIs & KRIs for Contract Mgmt & Third Party Risk management

    Posted 02-08-2022 04:57 PM

    When it comes to TPRM program metrics, there are many ways you can go. First, I recommend thinking about the story you want to tell. Do you want to show that the program is effective or efficient? Do you want to measure internal compliance? How about the amount of risk across the vendor portfolio?

    When it comes to reporting to the board, I advise keeping it simple. Think of two basic categories instead of a metric for each phase in the lifecycle: Program Health and Portfolio Risk.

    Program Health

    • Number of Critical and High-risk vendors with satisfactory and current due diligence or risk reviews (within one year), and the trend from the previous year or reporting period
    • Number of Critical or High-Risk vendors with open issues (trend from the previous year or reporting period)
    • The number of critical issues surfaced outside of regular risk monitoring (data breaches, etc.)
    • Dedicated TPRM ratio to elevated-risk vendors. For example, if you have 22 Critical and 83 High-risk vendors, you have 105 elevated-risk vendors. Divide 105 by 3 TPRM FTE; your staff-to-vendor risk ratio is 35 (which would be pretty high). The higher the vendor-to-staff ratio, the more likely risk management shifts from proactive to reactive.
    • Program compliance and exceptions: the number of engagements out of process vs. the number of approved exceptions.


    Portfolio Risk

    • Total number of Critical vendors (trend from next year and identify any new or terminated vendors)
    • The number of Critical or High-Risk vendors that could be considered a single point of failure (no available replacement)
    • Total number of High-Risk vendors (trend from next year and identify any new or terminated vendors)
    • % of total vendor population with high information security, business continuity, or compliance risk
    • Total number of vendors under management by risk level (trend from previous year or reporting period)


    These, of course, are suggestions; there are many more metrics out there. I would love to see suggestions from other members.