Treasury News Network

Learn & Share the latest News & Analysis in Corporate Treasury

Don’t trust anyone - check them out, particularly your vendors

It’s sad that in this digital world, it is difficult to know who you are dealing with. David Rennie, Head of Industry Engagement, Identity Assurance Programme, UK Government Digital Service, believes that “The challenge in any transaction is how do you know the person is who they say they are, and that you are contracting with the ‘right’ party.” This is particularly true if the transaction is on-line, because on the Internet: “No-one knows if you are a dog or not”.

This is important in Vendor Risk Management (VRM), where knowing exactly who you are dealing with is vital to avoid all sorts of sanctions, etc. Yet companies don’t want to delay accepting the vendor and then lose the sale altogether, so speed and rigorous systems and processes are needed in VRM. But spreadsheets are often used for VRM, which brings with it all the well-known problems corporate treasury departments have in using spreadsheets to run their operations. Not surprisingly, there are now a number of well-established dedicated VRM solutions, as full due diligence on vendors is a complex task.

Categories of vendor due diligence

ProcessUnity, a cloud-based supplier of governance, risk and compliance solutions including VRM, has shown in its analysis that there are nine categories of due diligence, four internal and five external, that need to be reviewed (see figure below):

Source & Copyright©2018 - ProcessUnity

In their ebook “VENDOR RISK MANAGEMENT - Conducting Pre-Contract Due Diligence in a Digitally Connected World” ProcessUnity explain how they tackle each area.

Are your systems and processes good enough?

ProcessUnity believe that the best way to manage vendor risk is by intercepting it at the start, and that companies should formalize their pre-contract due diligence process and automate their processes for efficiency, transparency, and consistency. ProcessUnity have a VRM solution to sell and promote their methodology; nevertheless, their questions about corporates’ internal VRM process and systems are very relevant:

  • Is your pre-contract due diligence process consistent, vendor by vendor?
  • Can your internal lines of business initiate due diligence quickly?
  • Do these lines have an easy way of articulating their needs, and the company’s potential exposure to vendor risks?
  • Are you able to capture relevant information across all nine domains of due diligence?
  • Have you established risk thresholds for approving, restricting, or denying a vendor relationship?
  • Do you have a repository of questions and templates you can use to assemble external questionnaires?
  • Have you created an easy way for collecting supporting documentation?

CTMfile take: Vendor Risk Management needs to protect without restricting.
