Recently, I’ve been working on developing an easy way for smaller and medium-sized clients to manage their vendors and, perhaps more importantly, to track which vendors present the most risk. One of the more challenging exercises has been thinking through three things:

1. What elements would make a given vendor risky?
2. What weight do I assign to each risk?
3. What are all of the data points I would want to track for a given vendor?

Vendor Risk

As for the first question, I have come up with a dozen data elements I would gather about a vendor, but here are my top 7. More importantly, this list forces IT management to think through tracking such data on their vendors (and most are not doing so at present).

1. Annual Spend – How much do you spend on a given vendor? Higher spend = Higher risk.
2. Security Incidents – What is the volume of security incidents related to a particular vendor? More incidents = More risk.
3. Service Incidents – What is the volume of service incidents related to a particular vendor? A service incident would be a failure to meet up-time requirements, for example. More incidents = More risk.
4. IT General Controls – How strong is the vendor’s control environment? Are you measuring it and verifying that it aligns with your company’s minimum standards?
5. Compliance Reports – Are you looking at SOC reports and vulnerability scans?
6. Level of Reliance – How much do you rely on this vendor to run your business? Would you shut down if your vendor did?
7. Contract Strength – How strong are the terms in your contract, including price, standards, etc.? When was the last time you negotiated terms?
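To show how these seven elements can be turned into a single ranking, here is an added illustration of a weighted vendor risk score. It is my own example, not code from the original post or its spreadsheet; the weights, the 0..1 scales for the qualitative elements, and the sample vendors are all assumptions. Note that three elements (controls, compliance reports, contract strength) reduce risk as they get stronger, so they have to be inverted before weighting, and raw spend and incident counts are scaled against the portfolio so that one large vendor does not swamp the others.

```python
from dataclasses import dataclass, asdict

# Hypothetical weights, one per element in the list above; they must sum to 1.0 (100%).
WEIGHTS = {"annual_spend": 0.20, "security_incidents": 0.20, "service_incidents": 0.10,
           "itgc_score": 0.15, "compliance_reports": 0.10, "reliance": 0.15,
           "contract_strength": 0.10}
# Elements where a HIGHER value means LESS risk: inverted to (1 - value) before weighting.
PROTECTIVE = {"itgc_score", "compliance_reports", "contract_strength"}
# Raw amounts/counts, scaled against the largest value in the portfolio to land in 0..1.
SCALED = {"annual_spend", "security_incidents", "service_incidents"}
@dataclass
class Vendor:
    name: str
    annual_spend: float        # spend per year
    security_incidents: int    # count over the review period
    service_incidents: int     # e.g. missed up-time commitments
    itgc_score: float          # 0..1: control environment vs. your minimum standard
    compliance_reports: float  # 0..1: SOC reports / vulnerability scans reviewed and acceptable
    reliance: float            # 0..1: 1 = the business stops if this vendor does
    contract_strength: float   # 0..1: price, standards, how recently terms were negotiated

def validate_weights(weights: dict) -> None:
    """Every element needs exactly one weight and the weights must add up to 100%."""
    expected = set(Vendor.__dataclass_fields__) - {"name"}
    if set(weights) != expected:
        raise ValueError(f"weights must cover exactly {sorted(expected)}")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")

def normalize(vendors: list) -> dict:
    """Return {vendor name: {element: value in 0..1}} for the whole portfolio."""
    rows = {v.name: {k: x for k, x in asdict(v).items() if k != "name"} for v in vendors}
    for elem in SCALED:
        biggest = max(r[elem] for r in rows.values()) or 1  # no incidents anywhere -> keep zeros
        for r in rows.values():
            r[elem] = r[elem] / biggest
    return rows

def risk_score(values: dict, weights: dict) -> float:
    """Weighted sum in 0..1; protective elements contribute (1 - value)."""
    return sum(w * ((1 - values[k]) if k in PROTECTIVE else values[k]) for k, w in weights.items())

def rank_vendors(vendors: list, weights: dict = WEIGHTS) -> list:
    """Highest-risk vendor first, as (name, score rounded to 3 places)."""
    validate_weights(weights)
    scored = [(n, round(risk_score(r, weights), 3)) for n, r in normalize(vendors).items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)
# Constructed sample portfolio; the vendors and figures are made up for illustration.
PORTFOLIO = [Vendor("Cloud host", 120_000, 2, 5, 0.9, 1.0, 1.0, 0.8),
             Vendor("Payroll SaaS", 40_000, 1, 0, 0.6, 0.5, 0.9, 0.4),
             Vendor("Office snacks", 6_000, 0, 1, 0.2, 0.0, 0.1, 0.5)]
```

Calling `rank_vendors(PORTFOLIO)` puts the cloud host first even though its controls are strong, because spend, incidents and reliance dominate under these weights; changing the weights is the whole point of the readers' question below.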

Questions for the Readers:

1. Which elements do you find most important, and what weight would you assign to each (1–100%)?
2. Are there other data elements you would add to this list?
3. Any other thoughts on this list?

Let us know in the comments and we’ll share the final spreadsheet!