Skip to content

Vendor risk management: The trials and tribulations of triaging.

Congratulations, you’ve got a vendor risk management programme up and running! One of the first stages in the vendor risk management lifecycle is the initial triaging of those vendors. It’s obvious that you will need to conduct some due diligence and risk assessments on your vendors – but how much effort do you need?

In this blog we will cover:

  • The definition and purpose of triaging
  • Domains to consider when triaging
  • Tips for effective triaging

Subscribe to our Knowledge Hub to make sure you catch the rest of our Vendor Risk Management blog series:

Subscribe now

The definition and purpose of triaging in vendor risk management

Triage originates from the French ‘trier’, which means ‘separate out’. And while most formal definitions lean towards medical settings, it has transitioned into the broader lexicon. Merriam-Webster offer this definition for triage:

“The assigning of priority order to projects on the basis of where funds and other resources can be best used, are most needed, or are most likely to achieve success”.

Turning to vendor risk management (VRM), there are lots of due diligence questions which are practical on the surface: you can envision an obscure scenario where knowing the answers to those questions will help you. But some of those offer marginal, if any, information to inform your decisions. You probably don’t need to know the financial condition of the company who cleans your office windows. And while automation helps, each additional question you ask requires more resources – both yours and the vendors.

The purpose then of triaging is to ensure that the limited resources allocated to VRM are applied in the most effective manner to achieve success – a strong relationship with reasonable assurance that risks have been assessed and managed.

 

Domains to consider when triaging

You’ve got a new vendor – so what do you need to consider when triaging? Here are some of the common areas you should consider as part of your tiering process. While the answers to these questions can drive the overall level of due diligence, specific answers should also drive specific due diligence in the areas that matter.

Strategic importance

How important is this vendor to your organisation’s success? Are they a strategic partner, whose exit would potentially cause a blow to your organisation? For strategic alliances, they may take many months to replace. On the other hand, they may be a supplier who can be replaced at short notice with negligible impact.

Vendors of high strategic importance might drive additional due diligence on ownership, their strategic direction, and financial condition.

Business continuity and operational resilience

Some vendors provide services or resources that, if disrupted, would have significant impact on your own operations. For the purpose of triaging, you should measure the potential impact over timeframes, aligned with your own business continuity or operational resilience frameworks.

Vendors who support important business services should drive additional due diligence on their own business continuity planning efforts. For those where disruption would be felt but is not critical, you might seek assurance they have a business continuity framework. For the most critical, you should seek assurance that plans relevant to your relationship are tested.

Information security

For many vendors, information security is an important issue – but that is not universal. During triaging, consider how much access the vendor will either have to your systems, or what information you will be sharing with them. These questions are aimed at evaluating the impact an information security incident at the vendor would ultimately have on your own organisation. If applicable, consider overlaps with business continuity – would a cyber incident shut down their ability to provide you critical resources?

The higher the level of access and volume of data, the higher the amount of due diligence required. For some, reviewing their information security framework might provide sufficient assurance. For others, reviewing specific controls may be needed.

Compliance

Vendors need to meet their own compliance requirements, but some vendors will be helping your organisation manage your own compliance obligations, particularly if you are outsourcing all or a large part of a function. While you can outsource the function, you still own the obligations.

If your licence to operate is on the line, you will need to apply additional due diligence over their capability and capacity to meet your obligations, such as their internal training, their own licences, qualifications of people, or remuneration policies. You should also increase due diligence over any disclosed breaches or violations and understand their approach to managing breaches.

Financial

While a simple measure, the overall value of the engagement with the vendor is important, simply because you don’t want to make a high value investment that quickly falls over.

Often this increases the overall level of due diligence across the board even if other domains are not highly important. Consider additional assessments over ownership structures, business plans, and financial condition.

Reputational

Consider how visible the engagement will be to peers in the industry and particularly the public. If the vendor were to suffer an event that caused them reputational damage, would you also potentially suffer as a result? Are they supporting your back office functions, or are all customers visibly engaged with this vendor when accessing your products?

When reputation is on the line, this can drive additional due diligence across the board, but you may focus particularly here on matters like ESG and their compliance posture.

Tiering your vendors

The results of the triaging process should result in the vendors being tiered. This tiering can then dictate the overall level of due diligence required, enhanced by the specific areas that may bringer higher risk to your organisation.

If a vendor scores low on all the above criteria, you might exclude them from formal vendor risk management processes. Going back to our window washer example, that might get captured from a purely contractual perspective, but not require any ongoing due diligence. This returns us to our purpose – effective triaging to make sure our resources are used where they are most likely to help us achieve success.

Tips for triaging

Here are a few tips to establish and use your triaging process:

  • Come to common agreement on the domains you will use and what they mean for you
  • Use consistent tools and criteria so that all vendors are assessed equally
  • Define who is responsible for the initial triage process, when it must be completed, and whether cross-collaboration is required
  • Use your triaging process to not only tier your vendors, but also to determine the specific types of due diligence that is required. Standardised questionnaires aligned to those answers can streamline the process
  • Determine whether any types of vendors will be excluded from formal VRM processes

While triaging is primarily done at the beginning of a new engagement with a vendor, you should also establish a process to review whether the tier or assessment needs to be updated. The nature of an arrangement might change, which might also change the level of assurance that you need.

By way of example, consider outsourcing the delivery of a regulated financial service to a vendor. If the volume significantly increases over time, or regulator scrutiny and expectations increase, this might trigger a review as the risk exposure has changed.

If you want to know more about vendor triaging, download our Vendor Risk Management eBook for a detailed step-by-step guide of to build an effective vendor risk management programme.

Subscribe to our Knowledge Hub to make sure you catch the rest of our Vendor Risk Management blog series:

Subscribe now

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.