Saltar a la navegación Saltar al contenido principal Ir al pie de página

For a better Vendor Risk Management program, use a Continuous Process Improvement Approach

26 noviembre 2016

By Chris Gida

It’s understandable why anyone implementing a vendor risk management program would aim for perfection on the first pass. However, when dealing with such a large, complex process, over-engineering, scope creep, and missed deadlines are not only possible but likely.

Instead, you should focus on getting a solid process in place and make iterative updates and additions over time.

Continuous Process Improvement Approach

Continuous Process Improvement Approach

Map Existing Processes

Make sure the process is formally documented. As you are executing on the process, review and/or modify each step to improve efficiency. Add new processes as needed and assess how they will impact/interact with existing processes.


Identify Value-Add Activities & Bottlenecks

Which steps are operating as intended and which are not? Which steps are slowing down the process? Review and hypothesize which activities are value-add and/or bottlenecks. Leverage your KPIs and metrics to be more specific in this determination.


Build Ideal Process

Make modifications for process improvements based on the analysis in Step 2. Make sure you understand the impact of these changes inclusive of costs and dependencies.


Acquire Resources

There may be resources required for changes to process. Ideally the timing of these continuous process improvements will be completed regularly and prior to budgeting cycles.


Implement & Communicate Change

Communicate changes to all stakeholders prior to implementation. Given the process is likely dependent on other departments within the organization, it’s important that stakeholders are all on the same page.

Review the Process

After improvements have been implemented, start the process over again.

Key Takeaways for Vendor Risk Management Efficiency

According to a study published by Gartner, implementing business process management (BPM) techniques boosts the success rate of projects by 70%. Utilizing a continuous process improvement methodology contributes to a reduction in wasted time and effort. If process improvement is not baked in by design, it will either be forgotten or addressed on the fly (as with many tasks we perform on a daily basis).

Cost is the most common pain point echoing throughout the information security industry. To stretch investments further while also improving your ability to decrease vendor risk, a standardized approach for continuous process improvement must be incorporated directly into your vendor risk management program.

NCC Group recommends the following approach

  1. Address core issues with the VRM program as necessary
  2. Improve your program’s overall maturity to “Measured and Managed"
  3. Establish metrics and KPI’s to determine if processes are operating effectively
  4. Institute a continuous process improvement approach and leverage the metric/KPI data captured
  5. Repeat

Still curious about Third-Party Risk Management?

Learn about setting metrics and KPIs for TPRM, or reach out to an NCC Group expert to see how our services might be a good fit for your organization.