November 29, 2018 – Copyright 2018 Compliance Education Institute LLC


VENDOR PERFORMANCE MANAGEMENT. Over the past several years I’ve spoken with hundreds of companies in a variety of market sectors about the challenges they face regarding 3rd party risk management. Certainly there are issues with vendor relationship owners not conducting reviews on time, signing contracts before collecting due diligence, and senior execs not understanding the importance of a vendor management program. However, our discussions have revealed challenges common to small, medium and large companies alike surrounding vendor risk and performance management. In fact, during the audits and assessments we conduct on vendor management programs through our Advisory Services Group, we find that many contracts lack Service Level Agreements (SLAs), which are the quantitative metrics by which we measure contract compliance. And even when they are contained in the contract, we frequently find there is no tracking and assessment of whether the vendor is meeting those contractual commitments.

Most often, SLAs are forgotten about, not assigned to anyone to track and assess, or nobody has time given the huge workload already in place. There is frequently no assessment methodology in place, resulting in purely subjective ratings without any documented factual basis. Compounding the issue is that Key Performance Indicators (KPIs), the qualitative aspect of performance, are all but forgotten about or not even considered. While a vendor might be meeting its SLAs, it might not be very good at achieving them. For example, a vendor might meet its Customer Support SLA of responding to a call within 2 hours but never be able to resolve the issue at the first level, always having to escalate it to second level support. Thus, it meets its SLAs 100% of the time but doesn’t perform well, resulting in a poor KPI rating. This leads us to identification of red flags, otherwise known as Key Risk Indicators (KRIs). In the aforementioned example, it’s an indicator of the vendor not having staff with the proper skillsets to adequately and effectively provide support, which ultimately becomes an obstacle to achieving the strategic objective of outsourcing the service in the first place.

Within the past year, I have seen a trend towards implementation of a Shared Services model as a part of 3rd party risk management in larger companies. From the perspective of the classic 3 Lines of Defense, Shared Services is more like Line 1B, sitting between 1st Line (risk owner) and 2nd Line (governance), and has responsibility for managing the relationship after the contract has been signed, inclusive of vendor performance. While I have seen several large financial institutions manage and assess SLAs fairly well, for most it’s a major challenge despite the fact that they’ve implemented sophisticated 3rd party risk management solutions for which they have spent 7 figures. And even with such a large amount of capital invested, they have yet to develop and assess the qualitative KPIs, thus leaving them with just one component of the performance story. Assessing SLAs and KPIs and relating them to one another provides us with significant advantages:

  • Drives continuous vendor performance improvement
  • Keeps vendors on track to meeting your strategic goals
  • Controls budget
  • Identifies early signs of elevated risk
  • Provides a documented factual basis for possible termination of contract when required

VENDOR CATEGORY MANAGEMENT: But let’s not stop at SLAs and KPIs. In fact, let’s take a few steps back. Categorization. Many large companies outsource a variety of services to vendors who provide similar functions. Thus, categorizing our vendors (sometimes called stratifying by examiners) helps us segment our vendors for the purpose of peer performance comparisons. It also helps us understand where our risks are concentrated and where our attention should be focused. For example, more of my time will be focused on my Technology vendors than my Grounds-keeping vendors. By assessing SLAs and KPIs of vendors within the same category, I begin to develop a more granular view of vendor performance in a relative perspective, i.e. how does Vendor A compare to Vendor B within the same category. By categorizing, I can see that I have 6 vendors within a specific category and only three of them are performing well quantitatively (SLAs) and qualitatively (KPIs). Why should I bother keeping the 3 that are underperforming? Too many vendors to manage… too much risk… not achieving our strategic objectives… costing too much money to manage them. Maybe spread those services to the vendors that are performing well and achieve price reductions based upon the additional business. Now we start seeing some value come from our program!

Let’s drill down even further. Vendors within a similar category might provide multiple services, some of which may be quite different and on separate contracts. While taking an aggregate view of performance across all services within a category certainly drives value, it’s equally important to understand how our vendors are performing on individual contracts, i.e. Service Types. By categorizing the service types, we can then refine vendor performance comparison down to the individual contract level. Thus, we not only compare performance of each vendor within a category, we narrow it down to comparing the same services, which provides a true apples-to-apples comparison. Very likely, the SLAs and KPIs are quite similar, which gives us the ability to compare SLAs and KPIs on a line-item basis should we care to take it that far.
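The SLA-versus-KPI logic above (a vendor that answers every call within the 2-hour SLA but escalates everything past first-level support, which is a KRI) and the category / service-type peer comparison can be made concrete. The script below is an added example, not code from the original post or from Compliance Education Institute; the ticket records are constructed, and the 70% first-level resolution target is an assumed threshold, not a figure from the article.

```python
"""Added example: score vendor SLA compliance (quantitative) and a KPI
(qualitative), derive KRI flags, and rank vendors that deliver the same
service type within a category. All ticket data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    vendor: str
    category: str          # e.g. "Technology"
    service_type: str      # e.g. "Customer Support" (one contract)
    response_hours: float  # time to first response
    resolved_at_level: int  # 1 = resolved by first-level support, 2 = escalated


# The 2-hour response SLA matches the article's example; the first-level
# resolution target is an assumed KPI threshold for this example.
SLA_RESPONSE_HOURS = 2.0
KPI_FIRST_LEVEL_TARGET = 0.70


def score_vendor(tickets):
    """Return SLA compliance rate, first-level resolution rate and KRI flags."""
    if not tickets:
        raise ValueError("no tickets to score")
    n = len(tickets)
    sla_rate = sum(t.response_hours <= SLA_RESPONSE_HOURS for t in tickets) / n
    kpi_rate = sum(t.resolved_at_level == 1 for t in tickets) / n
    kris = []
    if sla_rate < 1.0:
        kris.append("missed response SLA")
    # The article's red flag: the contract metric is met, but the work is not
    # being done well (everything escalates past first level).
    if sla_rate == 1.0 and kpi_rate < KPI_FIRST_LEVEL_TARGET:
        kris.append("meets SLA but under-performs on first-level resolution")
    return {"sla_rate": sla_rate, "kpi_rate": kpi_rate, "kris": kris}


def compare_within_category(tickets):
    """Group by (category, service_type) and rank vendors on the same service,
    SLA first and KPI second, so the comparison is apples-to-apples."""
    groups = defaultdict(lambda: defaultdict(list))
    for t in tickets:
        groups[(t.category, t.service_type)][t.vendor].append(t)
    ranking = {}
    for key, by_vendor in groups.items():
        scored = {v: score_vendor(ts) for v, ts in by_vendor.items()}
        ranking[key] = sorted(
            scored.items(),
            key=lambda item: (item[1]["sla_rate"], item[1]["kpi_rate"]),
            reverse=True,
        )
    return ranking


# Constructed sample: three Technology vendors on the same support contract type.
SAMPLE_TICKETS = [
    *[Ticket("Vendor A", "Technology", "Customer Support", 1.0, 1) for _ in range(3)],
    Ticket("Vendor A", "Technology", "Customer Support", 1.5, 2),
    *[Ticket("Vendor B", "Technology", "Customer Support", 0.5, 2) for _ in range(4)],
    Ticket("Vendor C", "Technology", "Customer Support", 1.0, 1),
    Ticket("Vendor C", "Technology", "Customer Support", 1.0, 1),
    Ticket("Vendor C", "Technology", "Customer Support", 3.0, 1),
    Ticket("Vendor C", "Technology", "Customer Support", 4.0, 1),
]


def vendor_scores(tickets=SAMPLE_TICKETS):
    """Per-vendor scores across all of a vendor's tickets."""
    by_vendor = defaultdict(list)
    for t in tickets:
        by_vendor[t.vendor].append(t)
    return {v: score_vendor(ts) for v, ts in by_vendor.items()}


if __name__ == "__main__":
    for (category, service), ranked in compare_within_category(SAMPLE_TICKETS).items():
        print(f"{category} / {service}")
        for vendor, s in ranked:
            print(f"  {vendor}: SLA {s['sla_rate']:.0%}, KPI {s['kpi_rate']:.0%}, KRIs {s['kris']}")
```

With the constructed data, Vendor B meets its SLA 100% of the time yet resolves nothing at first level, so it carries the KRI the article describes, while Vendor C resolves everything at first level but misses the response SLA on half its tickets. Ranking within the service type puts A ahead of B ahead of C; a real program would feed ticket exports into this rather than hand-built records.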

VENDOR RISK MANAGEMENT: I honestly have never seen people agonize more over a single issue in vendor management than they do over risk, Inherent (risk before controls) and Residual (risk after controls). Many are confused as to the difference. Many are unsure which questions to ask, or ask too many or too few, or throw a laundry list of questions at their vendors and hope they answer the appropriate ones.

An Inherent Risk questionnaire should be simple and apply to all vendors in the vendor inventory. I have seen some of the largest companies create simple and very effective Inherent Risk questionnaires that focus on 3 key areas: 1) Data; 2) Physical/Remote Access; 3) Dimensions of Risk. In general, there are typically no more than 10 – 15 questions asked in total.

Residual Risk questionnaires should be a product of Category Management, meaning that questions should pertain to the Vendor Type. Would you ask a Communications vendor the same questions you’d ask an Appraiser? Of course not! This approach helps you ask only the questions that apply to what the vendor does. Any vendor of the same Vendor Type will be asked the same questions for due diligence and periodic review. This methodology and framework ensures consistency regardless of who within your organization is asking the questions.

Utilizing the global inherent risk assessment approach and the category-based approach to residual risk assessment described above creates a very streamlined, consistent and efficient process. It ensures that all parties within your company define and understand risk in the same way, which empowers you to make better and faster business decisions. It also provides an additional element to a vendor’s profile by which to measure it against its peers. We begin to see a meaningful picture appear that relates the facets of risk and performance across the vendor inventory but, more importantly, within categories:

Category | Inherent Risk | Residual Risk | SLA Rating | KPI Rating | Vendor Value Rating

VENDOR VALUE MANAGEMENT. We’re not finished yet! What about Vendor Value? As Warren Buffett said, “Price is what you pay, value is what you get for your money.” You know, the intangibles that a vendor brings to the table. It’s great to assess and compare vendor SLAs and KPIs across the vendor inventory, within a category and down to the service type. Tremendous value and great information to base business decisions upon. However, Boards and senior management want to know what they’re getting for their money beyond what the contract calls for… Innovation, Commitment, Subject Matter Expertise, Thought Leadership, Flexibility or anything else that’s important to you. Is our vendor a strategic business partner, or do we sign a contract and never hear from them again? Measuring intangibles is certainly a contradiction in terms, but quantifying certain qualities allows us to compare similar vendors and provides an even more detailed view of how they compare to one another and which should be at the top of our list within their respective categories.

360 DEGREE VIEW. Ultimately, we begin to see the inter-relationship of risk, performance and value emerge across the vendor inventory and within vendor categories. This 360 degree view of our vendors and the ability to compare them on an apples-to-apples basis becomes a powerful tool that transforms our 3rd party risk management program from a compliance checklist to Enterprise Value Strategy.

You will never look at your vendors nor your vendor management program in the same way again.