David Medrano, Director of Third Party Risk Management at MorganFranklin Consulting 

Third-party key risk indicators (KRIs) are a growing trend for all industries. Utilizing third-party KRIs enables an organization to assess different potential risks and demonstrate the progress and maturity of its third-party risk management program. Although KRIs vary from organization to organization, a few common industry-neutral indicators exist and should be considered.

1. Percentage of Critical Vendors 

Designating a vendor as critical indicates that the loss of the vendor or its services would have a significant impact on the organization. It is essential that an organization knows not only which of its vendors are critical but also what percentage of its total vendor list those critical vendors represent.

Consider the following example: Company A utilizes 1,000 vendors. If 10 of the vendors are classified as critical, then 1% of the vendor population is crucial to meeting the organization’s goals and objectives. Company B also utilizes 1,000 vendors; however, 200 are classified as critical, meaning 20% of the vendor population is crucial to meeting the organization’s goals and objectives.

In this scenario, Company A is facing much less risk than Company B. Company B may over-rely on its vendors to complete critical processes. Furthermore, Company B may benefit from reviewing its vendor risk classification methodology. As organizations grow and evolve and the environment in which they operate changes, it is beneficial to regularly revisit the parameters of a company’s vendor risk classification approach.


2. Total Number of Vendors With an Active Risk Acceptance/Exception 

Third-party risk professionals understand that although vendor control gaps should be remediated quickly, vendors are not always able to resolve the issues. Companies then need to decide if or how extensively a vendor with unresolved control gaps will be engaged.

Establishing a risk acceptance/exception process helps ensure that necessary stakeholders are informed of the risks and that a standardized approach is utilized to evaluate a vendor’s risk per the company’s risk tolerance level.

Appropriate metrics to report include:

- The frequency with which risk acceptances/exceptions are submitted
- The types of vendors with exceptions and their respective control gaps

These metrics or KRIs are vital to determining if an organization is accepting too much vendor risk.

3. Number of Vendors With High Residual Risk 

Although the number of vendors with high inherent risk is important, the quantity of vendors with high residual risk should also be considered.

Inherent risk is unlikely to change (assuming a vendor’s service or tiering methodology remains the same); however, a vendor’s residual risk can change based on remediated control gaps.

This KRI (number of vendors with high residual risk) may convince a company to consider vendors with stronger controls to help minimize risk exposure.

4. KRI Considerations 

When implementing KRI reporting, a few key considerations help keep the reporting relevant and value-driven:

1. Establish a baseline to determine the appropriate risk thresholds before applying KRIs for decision-making purposes.

2. Develop KRIs and related information based on your audience. A steering committee or board of directors may not need to understand the detail that caused a KRI to reach its threshold. Higher-level information, such as how many times the threshold was breached and which direction it is trending (e.g., upward, downward), may interest this audience the most.

3. Set your frequency. Not all KRIs should be reported at the same frequency. Consider how often a data point will refresh and set your reporting cadence accordingly.

4. Focus on objective, consistent data points. Some organizations include subjective data points when developing KRIs. Although this approach is not necessarily incorrect, subjective KRIs can cause inconsistency when reported at certain frequencies (e.g., month-over-month, year-over-year).

How MorganFranklin Can Help 

MorganFranklin helps organizations implement and optimize a third-party/vendor risk management program that is tailored to each company’s needs and growth strategy. Our certified third-party risk experts bring proven success in implementing mature third-party risk lifecycles; governance, risk and compliance systems/tools; and supplemental processes (e.g., key risk indicators, exit strategy considerations, maturity model analysis).