For a better Vendor Risk Management program, use a Continuous Process Improvement Approach

26 November 2016

By Chris Gida

It’s understandable why anyone implementing a vendor risk management program would aim for perfection on the first pass. However, when dealing with such a large, complex process, over-engineering, scope creep, and missed deadlines are not only possible but likely.

Instead, you should focus on getting a solid process in place and make iterative updates and additions over time.

Continuous Process Improvement Approach

Map Existing Processes

Make sure the process is formally documented. As you execute the process, review and, where needed, modify each step to improve efficiency. Add new processes as needed and assess how they will affect and interact with existing processes.

Identify Value-Add Activities & Bottlenecks

Which steps are operating as intended, and which are not? Which steps are slowing down the process? Review the process and form hypotheses about which activities add value and which are bottlenecks. Use your KPIs and metrics to make this determination more precise.

Build Ideal Process

Make modifications for process improvements based on the analysis in the previous step (identifying value-add activities and bottlenecks). Make sure you understand the impact of these changes, including their costs and dependencies.

Acquire Resources

Process changes may require additional resources. Ideally, run these continuous improvement cycles on a regular schedule and complete them before budgeting cycles, so that any required resources can be requested in time.

Implement & Communicate Change

Communicate changes to all stakeholders prior to implementation. Because the process is likely to depend on other departments within the organization, it’s important that all stakeholders are on the same page.

Review the Process

After the improvements have been implemented, start the cycle over again from the first step.

Key Takeaways for Vendor Risk Management Efficiency

According to a study published by Gartner, implementing business process management (BPM) techniques boosts the success rate of projects by 70%. Utilizing a continuous process improvement methodology contributes to a reduction in wasted time and effort. If process improvement is not baked in by design, it will either be forgotten or addressed on the fly (as with many tasks we perform on a daily basis).

Cost is the most common pain point echoing throughout the information security industry. To stretch investments further while also improving your ability to decrease vendor risk, a standardized approach for continuous process improvement must be incorporated directly into your vendor risk management program.

NCC Group recommends the following approach:

  1. Address core issues with the VRM program as necessary
  2. Improve your program’s overall maturity to “Measured and Managed”
  3. Establish metrics and KPIs to determine whether processes are operating effectively
  4. Institute a continuous process improvement approach and leverage the metric/KPI data captured
  5. Repeat

Still curious about Third-Party Risk Management?

Learn about setting metrics and KPIs for TPRM, or reach out to an NCC Group expert to see how our services might be a good fit for your organization.