MetricStream provides a comprehensive, scalable, and Web-based solution that is designed to help organizations effectively manage vendor risks, performance, and governance. Leading institutions are replacing their point solutions and paper-based systems with MetricStream's solution to streamline and automate the vendor management life-cycle, and gain real-time visibility into vendor risks and controls.
Corporations often depend on hundreds of vendors to fulfill their business processes. Single sourcing puts institutions at risk by making them too dependent on one vendor. On the other hand, multiple sourcing dilutes vendor accountability, and makes vendor collaboration and coordination much more challenging.
In both sourcing models, vendor risks are high, and should be managed and mitigated through a robust Vendor Risk Management (VRM) approach. Regulations such as FCPA, FDA, Basel II, AML, SOX, PCI DSS and EPA all require effective VRM, especially for vendors who have direct access to an institution's assets and systems.
Why Organizations Are Increasingly Collaborating with Vendors:
Most companies outsource many vital functions to third-party vendors, and procure a diverse set of products and services from them. This approach provides multiple benefits, including:
- Performance boosting: Working with vendors lets the company focus on its core competencies. When non-core activities are outsourced, an institution is better able to dedicate attention and resources to the tasks it does best.
- Cost reduction: With a vendor, payment is made only for resources as and when they are needed. There is no fixed cost of maintaining staff when they are not required, so investments and fixed costs are lowered.
- Access to specific expertise: There are multiple vendors with deep domain knowledge and expertise in non-core activities. Companies stand to gain by utilizing these vendors' specialized resources and skills, and making their processes more efficient.
Some of the areas where institutions are outsourcing their processes to third party vendors are:
- Customer facing activities:
  - Product selling and promotions
  - Order management processes
- General operations:
  - Application development and maintenance
  - IT infrastructure management
  - Data processing and management
- Regulatory compliance activities:
  - Audit management
  - Disclosure preparation
  - Compliance reviews
Types of Vendor Risks
Although hiring a third-party vendor makes processes simpler and more cost-effective, it also brings in multiple risks such as breach of confidentiality, breach of contract, data errors, fraud, and loss of data, all of which have the potential to lead to financial and reputational loss. Such vendor-associated risks are unique, and depend on the type of vendor chosen, as well as the process or service outsourced.
Typical areas of vendor risks include:
- Strategic risk: Strategic risk arises from poor and faulty business decisions that adversely affect earnings and capital. If organizations don't have effective processes to carefully select vendors and monitor them, they may be unable to recognize and tackle strategic risks and issues in a timely manner.
- Reputation risk: Reputation risk arises when a vendor's service is poor and not up to the standards of the company. This can result in the institution itself losing customers and brand loyalty.
- Industry risk: A vendor's processes or offerings can become obsolete if new technologies come into the picture. This needs to be taken into account during annual vendor reviews.
- Geographical risks: Institutions should be careful about doing business with a vendor who is located in a high-risk geographic area (e.g., one prone to certain natural disasters). This could adversely impact investments.
- Compliance risks: Institutions are responsible for ensuring that all their vendors comply with the full range of applicable industry and geography-specific regulations. This becomes complicated in developing countries, where it is often difficult to enforce a strict compliance monitoring process across vendors.
- Operational risks: Operational risk results from events such as failures in vendor-supplied technology, improper financial conduct, information security breach and fraud.
- Transaction risks: When a vendor engages in fraud or is unable to deliver products or services in time or manage information effectively, the organization confronts transactional risks.
- Credit risks: Credit risk arises when a vendor defaults on a payment, thereby causing operational and transactional failures.
It is becoming increasingly important to identify, understand, and effectively manage and mitigate all the above risks, especially in light of the global economic downturn which has resulted in greater regulatory scrutiny.
MetricStream Vendor Risk Management Solution
Vendor Information Management:
The MetricStream solution enables organizations to clearly define the risk profile of each vendor through capabilities for risk identification and integration, risk analysis and classification, control evaluation, and risk treatment and reporting. The solution also supports the mapping of risks to the associated vendor compliance requirements, policies, and business units.
Using the solution, companies can gain complete visibility into each vendor's operational, financial, and performance data. The solution also enables a systematic and automated approach to managing the full range of processes in the vendor management life-cycle, including:
- Vendor on-boarding
- Vendor qualification
- Vendor name change
- Annual re-qualification processes
- Contract management
An inbuilt central repository helps store and organize different types of vendor contracts in a tree-like structure with linkages to the appropriate vendor. Integrated collaboration and workflow tools help access, create, modify, review, and approve vendor contracts globally. In addition, advanced analytics and reporting tools, coupled with graphical dashboards, help in tracking and monitoring each contract, right from origin to obsolescence.
Policy and Procedure Management
MetricStream provides a flexible framework to streamline the creation and management of vendor related policies. The solution enables organizations to adopt an electronic and automated approach to developing, maintaining, and communicating policies and procedures across the vendor network.
Policy Creation and Revision: The solution offers a centralized system to create, edit, review, and approve vendor policies and procedures, assign roles and responsibilities for policy management, and define due dates for completing policy related tasks. Cross-functional teams and external users can add comments/instructions to each policy, and efficiently route them for analysis and approval via predefined workflows and process maps. If a policy is in the process of being drafted or edited, the solution automatically flags it, and notifies the relevant stakeholders. Once a policy is approved, the solution automatically publishes the policies, and sends out notifications to all users.
Policy Communication: Automatic notification and alert functionalities with configurable workflows facilitate the distribution and acceptance of vendor policies. The solution also helps configure and execute surveys, certifications, and self-assessments to ensure that policies have been effectively communicated and accepted across vendors. Inbuilt capabilities support electronic sign-offs and executive certifications at various organizational levels.
Policy Assessment and Maintenance: The MetricStream solution's built-in workflow engine allows policy owners to create and assign tasks to reviewers and approvers. This approach facilitates seamless collaboration, and helps ensure that feedback is well-captured before vendor policies are finalized. Based on the policy type, process, and associated department, the solution automatically adds/omits reviewers and approvers. It also allows documents and initial policy drafts to be attached, and helps link policies to regulations and controls.
Versioning and check-in/ check-out capabilities for each policy can be easily configured. Meanwhile, the underlying relational data model enables a many-to-many relationship to be drawn up between controls, policies, documents, and relevant external references.
Policy Monitoring and Tracking: Built-in templates and workflows facilitate tracking of each vendor policy throughout its lifecycle. A unique identifier given to each policy helps users easily search for and access it. In addition, a built-in calendar and event monitoring engine keeps track of all policy related schedules, renewal dates, policy validity, and other important criteria.
Policy Retirement: The MetricStream solution automates the vendor policy retirement process. The selected policy is sent to reviewers with multiple questions and surveys to capture their feedback and votes on policy retirement before it is finally approved. During the process, the solution automatically locks the policy against edits, distribution, or publishing.
Policy Archiving and Record Keeping: The MetricStream solution supports the archival and retention of all vendor policy records and data. Both automatic and manual policy archiving can be enabled by setting up rules/conditions that specify when, whose, which, and what type of policy data (full system, partial system, specified system data or file areas) should be archived, what type of compressed file formats should be used, and where the files should be stored.
Vendor Risk Assessment
MetricStream uniquely combines software and content in its VRM solution. It brings together all vendor risk related data in the form of risk-control libraries, results from individual control assessments, Key Risk Indicators (KRIs), events such as losses and near-misses, and issues and remediation plans -- in a single framework.
Vendor Risk Assessment: The MetricStream solution integrates inputs from the Vendor Information Management application, to define vendor risk. It also helps define vendor risk assessment templates, and enables them to be reused across different processes and time intervals. In addition, it enables independent control evaluations, with action plans and milestones established upon the completion of tests or assessments.
The solution provides a systematic mechanism for managing vendor risk surveys and self-assessments in a consistent and reliable manner. Accountability is facilitated by streamlining the flow of information and records, and documenting attestations and representations at appropriate stages.
Inbuilt capabilities help create and maintain vendor checklists and questionnaires in a central repository. These checklists can be organized in pre-defined hierarchies such that specific sections and sub-sections are assigned to different vendors. Multiple checklists and questionnaires can be selected for a full vendor audit, while specific checklists and questionnaires can be selected for a focused vendor audit, depending on the scope of the risk assessment.
The solution also supports procedures for affirming the strength of internal controls. This information is routed to the management team who can review and certify the risk and control assessments in compliance with internal or regulatory requirements.
The solution integrates with reliable industry sources such as D&B in order to aggregate, validate, and enrich vendor data, vendor risk information, and certifications. Vendor scorecards combine this industry data with internal Key Performance Indicators (KPIs) and metrics to provide a complete picture of vendor risks and compliance. Integration of the solution with the Office of Foreign Assets Control (OFAC) and other industry sources allows organizations to receive regulatory alerts and up-to-date security-based information on vendors, thereby enabling well-informed vendor assessments.
MetricStream also includes standard questionnaires from Shared Assessments to assess a third party's environment or for a company to self-assess its own control environment. These consist of sections which gather detailed information relevant to the nature of the services from the vendor. The sections include Risk Management, Security, Health and Safety, Asset Management, Access Control, Incident and Issue Management, Business Continuity, Compliance, etc.
For managing risks from cloud-based vendors, MetricStream leverages the Cloud Security Alliance's (CSA) Consensus Assessments Initiative Questionnaire (CAIQ), which provides a set of questions a cloud consumer and auditor may wish to ask of a cloud provider, including a series of "yes or no" control assertion questions which can then be tailored to suit their evidentiary requirements.
Vendor Risk Analysis
Risk Universe Management: The MetricStream solution provides the ability to create a vendor risk universe, conduct vendor risk-control assessments, set priorities, and define action plans. The solution offers multiple data entry and analysis capabilities for risk factor definition, risk and control summary scoring, comments, and historical information management.
Vendor Risk Identification: The MetricStream solution captures detailed information on vendor risks, assigns tasks to the appropriate risk owners, and helps define risk categories and sub-categories. All vendor risk related data is consolidated in a centralized risk register that includes a description of each risk, including its severity and impact, consequences, rating, mitigation plans, and related emerging issues. This register helps ensure that consistent risk information is maintained across the enterprise.
The solution also provides best practices for vendor risk management, as well as the capability to define and maintain user-defined risk classifications. This information is important in risk reporting and KRI analyses. Additional features help in tracking risk metrics and thresholds, with automated notifications indicating when thresholds are breached.
Risk Prioritization: The MetricStream solution has configurable options to classify vendors at various levels within the vendor hierarchy. Classification formulae can be based on any parameters, attributes, purposes, or objectives. The solution has its own built-in vendor classification formula based on multiple variables such as risk characteristics, impact, and likelihood. The underlying relational data model maintains a many-to-many relationship between vendors and the relevant variables.
The solution also has built-in capabilities to weigh risk data attributes/risk characteristics. Weightage formulae and options can be configured depending on each company's specific requirements. Risk scores are automatically aggregated based on a defined risk hierarchy.
Risk Scoring: The MetricStream solution supports user-defined vendor risk scoring to calculate inherent risk, residual (unmitigated) risk, and risk tolerance. Risk assessments and computations are based on configurable methodologies and algorithms, and include risk impact, likelihood, and controllability. This information is essential to reporting and KRI analyses.
Key Functionalities of the Solution:
- Helps define streamlined workflows to assess risks, controls, and compliance
- Helps in assessing risks by measuring their probability and impact
- Includes capabilities to correlate, analyze, and visualize risks
- Supports the creation of a risk register with a list of all risks, including their rating and classification
- Provides a flexible dashboard to define and monitor internal and external KRIs
- Helps monitor risk values vs. threshold values
- Delivers automated alerts and notifications if risk thresholds are crossed
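To make the scoring, weighting, hierarchical aggregation and threshold-alerting described in the Risk Prioritization, Risk Scoring and Key Functionalities passages concrete, here is a small added Python model. It is illustration code written for this page, not MetricStream's own implementation: the 1-5 impact and likelihood scales, the control-effectiveness factor, the category weights, the Low/Medium/High cut-offs, the vendor name and the KRI values are all constructed assumptions.

```python
# Added example (not MetricStream's code): a minimal model of vendor risk
# scoring, weighted roll-up through a risk hierarchy, tiering and KRI
# threshold alerts. Scales, weights, cut-offs and sample data are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Risk:
    """One entry in the vendor risk register."""
    name: str
    impact: int                   # assumed 1-5 scale
    likelihood: int               # assumed 1-5 scale
    control_effectiveness: float  # 0.0 = no control, 1.0 = fully effective

    def inherent(self) -> int:
        # inherent risk before controls: impact x likelihood (1..25)
        return self.impact * self.likelihood

    def residual(self) -> float:
        # residual risk after controls: inherent scaled by the uncontrolled share
        return round(self.inherent() * (1.0 - self.control_effectiveness), 2)


@dataclass
class RiskCategory:
    """A node of the risk hierarchy (e.g. Operational, Compliance, Credit)."""
    name: str
    weight: int                   # relative weight within the hierarchy
    risks: List[Risk] = field(default_factory=list)

    def score(self) -> float:
        # category score: mean residual of its risks, 0 if none recorded
        if not self.risks:
            return 0.0
        return round(sum(r.residual() for r in self.risks) / len(self.risks), 2)


@dataclass
class Vendor:
    name: str
    categories: List[RiskCategory]

    def aggregate_score(self) -> float:
        # weighted roll-up of category scores into a single vendor score
        total = sum(c.weight for c in self.categories)
        return round(sum(c.weight * c.score() for c in self.categories) / total, 2)

    def tier(self) -> str:
        # classification on a Low/Medium/High scale (cut-offs are assumptions)
        score = self.aggregate_score()
        if score >= 12.0:
            return "High"
        if score >= 6.0:
            return "Medium"
        return "Low"


def kri_alerts(kris: Dict[str, float], thresholds: Dict[str, float]) -> List[str]:
    """Return one alert line per KRI whose current value exceeds its threshold."""
    return [
        f"ALERT {name}: {value} exceeds threshold {thresholds[name]}"
        for name, value in kris.items()
        if name in thresholds and value > thresholds[name]
    ]


def build_sample_vendor() -> Vendor:
    """Constructed sample register for a hypothetical vendor."""
    return Vendor(
        name="Example Hosting Ltd (constructed)",
        categories=[
            RiskCategory("Operational", weight=50, risks=[
                Risk("Service outage", impact=4, likelihood=3, control_effectiveness=0.5),
                Risk("Data breach", impact=5, likelihood=2, control_effectiveness=0.6),
            ]),
            RiskCategory("Compliance", weight=30, risks=[
                Risk("Lapsed certification", impact=3, likelihood=4, control_effectiveness=0.25),
            ]),
            RiskCategory("Credit", weight=20, risks=[
                Risk("Payment default", impact=2, likelihood=2, control_effectiveness=0.0),
            ]),
        ],
    )


# Constructed KRI readings and thresholds for the same hypothetical vendor.
SAMPLE_KRIS = {"sla_breaches_per_month": 3, "open_critical_findings": 0,
               "days_since_last_assessment": 400}
SAMPLE_THRESHOLDS = {"sla_breaches_per_month": 2, "open_critical_findings": 0,
                     "days_since_last_assessment": 365}


if __name__ == "__main__":
    vendor = build_sample_vendor()
    for cat in vendor.categories:
        print(f"{cat.name:12s} weight={cat.weight:3d} score={cat.score():5.2f}")
    print(f"{vendor.name}: aggregate={vendor.aggregate_score()} tier={vendor.tier()}")
    for line in kri_alerts(SAMPLE_KRIS, SAMPLE_THRESHOLDS):
        print(line)
```

With the constructed data the Operational category scores 5.0, Compliance 9.0 and Credit 4.0, which roll up to an aggregate of 6.0 and a "Medium" tier, and two of the three KRIs breach their thresholds. Integer weights are used deliberately so the weighted roll-up is exact; in a real program the scales, weights and cut-offs would come from the configured methodology rather than being hard-coded.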
Vendor Risk Mitigation and Action Planning: The MetricStream solution enables organizations to establish and follow systematic and consistent procedures for vendor risk mitigation planning, controls and action documentation, and status reporting. These processes are supported by a built-in workflow engine that facilitates real-time collaboration on vendor risk-related matters, and streamlines the flow of information across the enterprise.
Control Design and Assessments: Once the key vendor risks are identified and prioritized, the MetricStream solution helps organizations define a set of controls that can mitigate those risks. The solution also allows the associated policy and procedure documents to be attached for reference.
Control assessments are enabled based on predefined criteria and checklists, with inbuilt capabilities for scoring, tabulating, and reporting results. A centralized repository of all control assessments with an easy search capability helps users check at any time if a specific control was tested, what the results were, and whether or not a remedial action plan is required.
Control Scoring: The MetricStream solution supports control scoring to determine the strength and likelihood of these controls and adherence to policies. This information rolls up to the executive management team who can review and certify overall control assessments for the enterprise. The system also allows user-defined control criteria and scoring methodologies to be developed for any type of vendor risks. Controls can have the desired likelihood scoring (Scale of 1-5, or Low, Medium, and High).
Control Test: The MetricStream solution enables organizations to adopt an electronic and automated approach to manage control testing across the enterprise. The Web-based solution provides a central repository to store, organize, and implement all control tests based on various templates and classification criteria. It also provides an interactive view of the control tests, and categorizes them in a hierarchical format. Revision histories are maintained, while review periods or obsolescence rules can be set for all tests.
The solution also includes functionalities to create or change control tests through simple pre-defined workflows and process maps. Tasks for defining and executing control tests are assigned based on roles and responsibilities along with due dates for completion.
Vendor Risk Monitoring and Performance Management
The MetricStream solution supports the process of defining vendor performance metrics, scorecards, and KPIs such as quality, cost, service, risk, innovation, and corporate social responsibility. The solution maps vendor scores for KPIs, and also helps define KRIs with thresholds.
To measure and analyze vendor performance, the solution incorporates data from various systems and processes, and includes capabilities for audits, inspections, and quality assessments.
Each vendor KPI is supported by a built-in calculation engine and conditional logic mechanism that helps users update the weightage percentage for the KPI. In addition, the solution's survey functionality allows all KPI results for vendors/vendor relationships to be captured on a periodic basis. Any number of questionnaires can be created and used for capturing KPI results.
The solution helps drive business decisions by comparing vendor performance scores, benchmarking how vendors are improving over time, providing insights into trends, helping identify preferred vendors, facilitating vendor SWOT analyses, and supporting vendor negotiations. Simultaneously, powerful reports and dashboards allow vendors to monitor their own risk status and performance.
Reports and Dashboards
The MetricStream solution includes a set of pre-built standard vendor reports, as well as a simple Reports Wizard that can be set up to create custom/ad-hoc vendor reports without any programming. The underlying reporting engine gathers vendor risk data from the risk management framework, and helps analyze and compare results at the enterprise level or across specific vendor governance programs.
In addition to reports, the solution also provides heat maps, executive dashboards, and analytics and business intelligence capabilities which help customers realize significant value. Users can proactively track vendor risk metrics and indices, as well as control programs, and make decisions based on hard facts and data.
The solution provides a unique drill-down capability that allows users to click on a vendor report to see the underlying data at the finest level of detail. Charts include interconnection maps, heat-maps, Gantt charts, histograms, pie-charts, and spreadsheet charts and graphs. Since all of the data is stored as "structured data" (i.e., data stored in separate fields and with common values), it can easily be reported and tracked across multiple sources, allowing trends to be identified based on vendor risks, business units, vendor issues and their root cause, and other factors.
Executive dashboards provide enterprise-wide visibility into the vendor risk and control management process, and underscore issues that need to be addressed. The real-time status of controls and issue remediation activities can be tracked on graphical charts that are accessible globally. Automated alerts for events such as exceptions and failures eliminate any unpredictable events.
Benefits of the MetricStream Solution
- An integrated approach to manage vendor risks and issues
- Streamline vendor risk assessments by providing vendors with secure access to an online application for assessment completion, viewing performance, and receiving alerts and notifications
- Map vendor risk assessments to organizational policies and regulations to ensure compliance
- Automatically update a vendor's risk profile based on benchmarking and assessment responses
- Measure and manage vendor risk based on multiple performance indicators
- Enable collaboration and data consolidation with vendors across regions and countries
- Generate flexible vendor risk reports to manage vendor relationships and strategies