Vendor Management Spreadsheet

Recently, I’ve been working on developing an easy way for smaller and medium-sized clients to manage their vendors and, perhaps more importantly, to track which vendors present the most risk. One of the more challenging exercises has been thinking through the following:

1. What elements would make a given vendor risky?
2. What weight do I assign to each risk?
3. What are all of the data points I would want to track for a given vendor?

Vendor Risk

As for the first question, I have come up with a dozen data elements I would gather about a vendor, but here are my top 7. More importantly, this list forces IT management to think through tracking such data on their vendors (and most are not doing so at present).

1. Annual Spend – How much do you spend on a given vendor? Higher spend = Higher risk.
2. Security Incidents – What is the volume of security incidents related to a particular vendor? More incidents = More risk.
3. Service Incidents – What is the volume of service incidents related to a particular vendor? A service incident would be a failure to meet up-time requirements, for example. More incidents = More risk.
4. IT General Controls – How strong is the vendor’s control environment? Are you measuring it and verifying that it aligns to your company’s minimum standards?
5. Compliance Reports – Are you looking at SOC reports and vulnerability scans?
6. Level of Reliance – How much do you rely on this vendor to run your business? Would you shut down if your vendor did?
7. Contract Strength – How strong are the terms in your contract, including price, standards, etc.? When was the last time you negotiated terms?
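One way to turn these seven elements into a ranked risk score, as an added example rather than the post’s own spreadsheet: each element is recorded so that a higher raw value means more risk, min-max normalised across the vendor population so that dollars, incident counts and ordinal ratings are comparable, then weighted with percentages that must sum to 100. The weights, the ordinal scales and the sample vendors are constructed assumptions for illustration only.

```python
# Weighted vendor risk scoring for a vendor-management spreadsheet.
# Every element is recorded so that a HIGHER raw value means MORE risk.

# Element weights in percent; they must sum to 100.
# Constructed illustration, not the post's final weights.
WEIGHTS = {
    "annual_spend": 15,        # dollars per year; higher spend = higher risk
    "security_incidents": 25,  # count over the review period
    "service_incidents": 15,   # e.g. missed up-time commitments
    "itgc_gaps": 15,           # minimum control standards the vendor fails to meet
    "compliance_gaps": 10,     # open SOC report / vulnerability scan findings
    "reliance": 15,            # ordinal: 0 low .. 3 critical (you shut down if they do)
    "contract_weakness": 5,    # ordinal: 0 strong and recent .. 2 weak or stale terms
}


def score_vendors(vendors, weights=WEIGHTS):
    """Return [(vendor, score 0..100)] sorted from riskiest to least risky."""
    if sum(weights.values()) != 100:
        raise ValueError("weights must sum to 100%")
    # Per-element minimum and maximum across the whole vendor population.
    bounds = {}
    for elem in weights:
        values = [v[elem] for v in vendors.values()]  # KeyError if a column is missing
        bounds[elem] = (min(values), max(values))
    scores = {}
    for name, raw in vendors.items():
        total = 0.0
        for elem, weight in weights.items():
            lo, hi = bounds[elem]
            # Identical values (or a single vendor) carry no differential risk.
            norm = 0.0 if hi == lo else (raw[elem] - lo) / (hi - lo)
            total += weight * norm
        scores[name] = total
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample vendors (not real companies or figures).
SAMPLE_VENDORS = {
    "CloudHost": {"annual_spend": 250000, "security_incidents": 2, "service_incidents": 5,
                  "itgc_gaps": 1, "compliance_gaps": 0, "reliance": 3, "contract_weakness": 1},
    "PayrollCo": {"annual_spend": 80000, "security_incidents": 0, "service_incidents": 1,
                  "itgc_gaps": 0, "compliance_gaps": 0, "reliance": 2, "contract_weakness": 0},
    "OfficeSupply": {"annual_spend": 12000, "security_incidents": 0, "service_incidents": 0,
                     "itgc_gaps": 3, "compliance_gaps": 2, "reliance": 0, "contract_weakness": 2},
}

if __name__ == "__main__":
    for vendor, score in score_vendors(SAMPLE_VENDORS):
        print(f"{vendor:<13} {score:5.1f}")
```

Note that the low-spend office supplier outranks the payroll provider purely on weak controls and compliance gaps, which is the kind of result the weighting exercise is meant to surface.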

Questions for the Readers:

1. Which elements do you find most important and what weight would you assign them (1 – 100%)?
2. Are there other data elements you would add to this list?
3. Thoughts on this list?

Let us know in the comments and we’ll share the final spreadsheet!

2 thoughts on “Vendor Management Spreadsheet”

  • Another big one is whether the service you get from the vendor impacts customer-facing apps and services. That’s a bigger risk than a vendor who supports only in-house stuff.

    Also, does the vendor have access to any internal systems? That’s a risk, especially if they have admin access.

    Finally, does the vendor store your confidential information offsite? That’s related to your general IT controls point above, but I think it needs to be a separate evaluation.

    • I agree. Two possible columns could be:

      1. Impact (Customer or Internal)
      2. Information Management (None, Confidential, PHI, etc.)

      I think those are good suggestions.
