by David Walter - February 27, 2009
From my experience in working with many Fortune 500 companies, vendor assessments have become a “check the box” exercise. Often completed pre-contract and on a pre-determined basis after the contract is signed, vendor assessments are being used to ensure certain security practices and other contract covenants are being followed by the third party. With the economic downturn and resulting budget tightening, vendor management departments are being downsized and companies are no longer able to place as much focus on this area. Both of these factors are reducing the benefits of vendor assessments, and fewer companies are able to perform them.
Companies need to be more efficient and effective in their assessment processes. This requires automated solutions which enable completion of self-service assessments, automated workflows and notifications, automatic generation of findings based on the company’s pre-configured criticality ratings, and the ability for the vendors to respond to the resulting findings without the burden of vendor management intervention.
There are also opportunities to increase the effectiveness of the assessment. Companies must have the ability to link multiple corporate objectives to each question asked of a vendor. Corporate objectives may include data privacy regulations, environmental, health and safety practices, and even non-regulatory initiatives such as corporate ethics and social responsibility. The ability to link questions to multiple references will enable companies to gain much richer and more meaningful reporting from the assessment process.
These practices would definitely enhance the efficiency of collecting the necessary data from the assessment program and provide management with the reporting necessary to make the right decisions about who they decide to do business with.