Proactively Identify and Mitigate Vendor Risk
Promote a collaborative approach to vendor risk management and guard against regulatory, security, operational, and financial risk.
- IT priorities are focused on daily tasks, pushing risk management to secondary importance and diverging from a proactive environment.
- IT leaders are relying on an increasing number of third-party technology vendors and outsourcing key functions to meet the rapid pace of change within IT.
- Risk levels can fluctuate over the course of the partnership, requiring manual process checks and/or automated solutions.
Our Advice
Critical Insight
- Every IT vendor carries risks that have business implications. These legal, financial, security, and operational risks could inhibit business continuity and IT can’t wait until an issue arises to act.
- Making intelligent decisions about risks without knowing what their financial impact will be is difficult. Risk impact must be quantified.
- You don’t know what you don’t know, and what you don’t know, can hurt you. To find hidden risks, you must use a structured risk identification method.
Impact and Result
- A thorough risk assessment in the selection phase is your first line of defense. If you follow the principles of vendor risk management, you can mitigate collateral losses following an adverse event.
- Make a conscious decision whether to accept the risk based on time, priority, and impact. Spend the required time to correctly identify and enact defined vendor management processes that determine spend categories and appropriately evaluate potential and preferred suppliers. Ensure you accurately assess the partnership potential.
- Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s most significant risks before they happen.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
Client
Experience
Impact
$ Saved
Days Saved
Tenneco
Guided Implementation
9/10
$95,000
50
Aidle is an awesome resource for InfoTech. Thank you.
University of Wisconsin-Madison
Guided Implementation
9/10
$1,229
2
I enjoyed the conversation and introduction to the tool's use. Steven's insight and auditing experience was helpful.
San Manuel Band of Mission Indians
Guided Implementation
10/10
N/A
N/A
Workshop: Proactively Identify and Mitigate Vendor Risk
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Prepare for the Workshop
The Purpose
- To prepare the team for the workshop.
Key Benefits Achieved
- Avoids delays and interruptions once the workshop is in progress.
Activities
Outputs
Send workshop agenda to all participants.
- All necessary participants assembled
Prepare list of vendors and review any contracts provided by them.
- List of vendors and vendor contracts
Review current risk management process.
- Understanding of current risk management process
Module 2: Review Vendor Risk Fundamentals and Establish Governance
The Purpose
- Review IT vendor risk fundamentals.
- Assess current maturity and set risk management program goals.
- Engage stakeholders and establish a risk governance framework.
Key Benefits Achieved
- Understanding of organizational risk culture and the corresponding risk threshold.
- Obstacles to effective IT risk management identified.
- Attainable goals to increase maturity established.
- Understanding of the gap to achieve vendor risk readiness.
Activities
Outputs
Brainstorm vendor-related risks.
Assess current program maturity.
- Vendor risk management maturity assessment
Identify obstacles and pain points.
Develop risk management goals.
- Goals for vendor risk management
Develop key risk indicators (KRIs) and escalation protocols.
Gain stakeholders’ perspective.
- Stakeholders’ opinions
Module 3: Assess Vendor Risk and Define Your Response Strategy
The Purpose
- Categorize vendors.
- Prioritize assessed risks.
Key Benefits Achieved
- Risk events prioritized according to risk severity – as defined by the business.
Activities
Outputs
Categorize vendors.
Map vendor infrastructure.
Prioritize vendors.
- Vendors classified and prioritized
Identify risk contributing factors.
Assess risk exposure.
- Vendor risk exposure
Calculate expected cost.
- Expected cost calculation
Identify risk events.
Input risks into the Risk Register Tool.
Module 4: Assess Vendor Risk and Define Your Response Strategy (continued)
The Purpose
- Determine risk threshold and contract clause relating to risk prevention.
- Identify and assess risk response actions.
Key Benefits Achieved
- Thorough analysis has been conducted on the value and effectiveness of risk responses for high-severity risk events.
- Risk response strategies have been identified for all key risks.
- Authoritative risk response recommendations can be made to senior leadership.
Activities
Outputs
Determine the threshold for (un)acceptable risk.
- Thresholds for (un)acceptable risk
Match elements of the contract to related vendor risks.
Identify and assess risk responses.
- Risk responses
Module 5: Monitor, Communicate, and Improve IT Vendor Risk Process
The Purpose
- Communicate top risks to management.
- Assign accountabilities and responsibilities for risk management process.
- Establish monitoring schedule.
Key Benefits Achieved
- Risk monitoring responsibilities are established.
- Transparent accountabilities and established ongoing improvement of the vendor risk management program.
Activities
Outputs
Create a stakeholder map.
- Stakeholder map
Complete RACI chart.
- Assigned accountability for risk management
Establish the reporting schedule.
- Established monitoring schedule
- Risk report
Finalize the vendor risk management program.
- Vendor Risk Management Program Manual
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Speak With An Analyst
Get the help you need in this 3-phase advisory process. You'll receive 4 touchpoints with our researchers, all included in your membership.
Guided Implementation 1: Review vendor risk fundamentals and establish governance
- Call 1: Review vendor risk fundamentals
- Call 2: Establish a risk governance framework
Guided Implementation 2: Assess vendor risk and define your response strategy
- Call 1: Assess vendor risk and define your response strategy
Guided Implementation 3: Monitor, communicate, and improve vendor risk process
- Call 1: Monitor, communicate, and improve vendor risk process
Contributors
- Daniel J. Enneking, Founder, Strategic Procurement Partners
- Donald H. Hopkins, Adjunct Assistant Professor, Wright State University in the College of Business
- Deepak Bansal, Director Vendor Performance Relationship, Management, Willis Towers Watson
- Steve Jeffery, First Vice President Strategic Sourcing, SunTrust
Looking at Risk in a New Light: The Six Pillars of Vendor Risk Management
Manage Exponential Value Relationships
Jump Start Your Vendor Management Initiative
Capture and Market the ROI of Your VMO
Cut Cost Through Effective IT Category Planning
Design and Build an Effective Contract Lifecycle Management Process
Maximize Value From Your Value-Added Reseller (VAR)
Drive Successful Sourcing Outcomes With a Robust RFP Process
Reduce Risk With Rock-Solid Service-Level Agreements
Slash Spending by Optimizing Your Software Maintenance and Support
Identify and Manage Financial Risk Impacts on Your Organization
Identify and Manage Strategic Risk Impacts on Your Organization
Identify and Manage Reputational Risk Impacts on Your Organization
Identify and Manage Security Risk Impacts on Your Organization
Evaluate Your Vendor Account Team to Optimize Vendor Relations
Elevate Your Vendor Management Initiative
Prepare for Negotiations More Effectively
Implement Your Negotiation Strategy More Effectively
Evaluate and Learn From Your Negotiation Sessions More Effectively
Proactively Identify and Mitigate Vendor Risk
Master the Public Cloud IaaS Acquisition Models
Essentials of Vendor Management for Small Business
Identify and Manage Regulatory and Compliance Risk Impacts on Your Organization
Identify and Manage Operational Risk Impacts on Your Organization
Don’t Allow Software Licensing to Derail Your M&A
Identify and Reduce Agile Contract Risk
Improve Your Statements of Work to Hold Your Vendors Accountable
Understand Common IT Contract Provisions to Negotiate More Effectively
Master Contract Review and Negotiation for Software Agreements
Master the MSA for Your Managed Services Providers
Negotiate SaaS Agreements That Are Built to Last