The client drew up a comprehensive plan for Vendor Risk Management (VRM) which was then ratified with the OCC. To effectively implement the plan, the client needed a robust VRM solution. After an evaluation of multiple solution providers, MetricStream was selected due to their integrated approach to VRM, as well as their ability to facilitate compliance with the OCC guidelines.
The MetricStream solution was deployed over MetricStream’s highly secure, private GRC Cloud. Today, the cloud-based solution is helping the client consistently identify, evaluate, track, and report risks across more than 200 vendors. Built on a centralized and scalable platform, the solution provides a single point of reference to manage vendor risks, maintain vendor information, conduct due diligence, remediate issues, and generate reports for analysis and decision-making. The solution has also automated vendor governance and risk management workflows for optimal efficiency.
Below are the specific capabilities of the solution that are helping the client:
A common vendor database
The MetricStream solution provides a central, Web-based repository to document and maintain information on all the client’s 200+ vendors. Authorized users from anywhere across the enterprise can log into the solution at any time, and view or search the vendor data. Pre-configured data upload templates have simplified the process of gathering vendor information, and feeding it into the solution.
Central risk library
The solution maintains a centralized library of all vendor risks, including business continuity risks, contract risks, country risks, credit risks, customer complaints risks, IT risks, information security risks, insurance risks, and performance quality compliance risks. Each vendor is mapped to the associated risks, so that at a glance, the client can immediately understand the vendor’s risk profile - including risk severity and impact, consequences, risk score, mitigation plan, and associated issues.
Vendor selection and due diligence
Every time a new vendor is required, the MetricStream solution streamlines the process of vendor selection and due diligence. It also helps users determine which due diligence process and which risks apply to each vendor. Robust survey management tools and templates make it easy for users to create and send out surveys to internal business teams, assessing the need for a new vendor. Another set of surveys and checklists is sent to the vendor to evaluate their risks. Based on their responses, a risk score is assigned to the vendor. All risk assessments and computations are automated through the solution’s configurable algorithms, which calculate vendor risk impact, likelihood, and other factors.
Ongoing vendor risk assessments
All existing vendors listed in the MetricStream solution are classified based on their “criticality” to the client organization. The most critical vendors are automatically prioritized for periodic risk assessments. In compliance with OCC guidelines, the solution facilitates vendor risk assessments based on three broad pillars - (1) the vendor’s financial condition, (2) strength of the vendor’s control environment, and (3) quality of the vendor’s service and support. All vendor risk assessments and risk reports are built around these pillars to help ensure compliance with the OCC guidelines.
After a risk assessment is completed, any issues identified are routed for investigation, root cause analysis, and corrective action. Intuitive tabs in the MetricStream solution make it easy to log a risk issue, create an action plan, and track its implementation by the vendor. The solution enables a systematic, closed-loop approach to the entire issue management process to help ensure that nothing slips through the cracks, and that the risk issue is mitigated in a timely manner.
Vendor risk reporting
A powerful reporting engine in the MetricStream solution automatically consolidates risk data from across the vendor network, and populates risk reports, helping the client analyze and compare vendor risks and issues at the enterprise level. Drill-down capabilities provide access to data at finer levels of detail. Additional tools such as risk heat maps, executive dashboards, and risk analytics further strengthen reporting. Users get all the data they need at their fingertips to proactively track vendor risk metrics, analyze trends, and make informed decisions. The solution also gives vendors access to track their risk reports and associated metrics.