Establishing metrics and KPIs for your vendor risk management program

14 November 2019

By Chris Gida

The first step towards establishing a vendor risk management program is to fully define and document how the program works. Once you resolve the core issues that typically hinder processes and goals, you can focus on efficiency.

According to a study by Ben Mulholland, only 4% of companies measure and manage their documented processes. A mechanism must be in place to determine if the process is operating as intended. In the context of vendor risk management, we are looking for an efficient process that maximizes the resources used on the program while also reducing risk.

Measuring and managing vendor risk

Vendor Risk Management Program Process

Process maturity models are tools used to promote behaviors that lead to improved performance. Below is an example of a process maturity model.

Ad-hoc

The control may be partially in place; may be predominantly manual in nature; and/or may not be executed consistently.

Repeatable

The control is typically implemented consistently; basic policies and other documentation are in place.

Defined

The control is documented in detail, such that it is executed consistently; design effectiveness is achieved.

Measured and Managed

Performance indicators and associated performance targets are defined and reported against; any underperformance is remediated; operating effectiveness is achieved.

Optimized

Proactive continuous improvement of the control, rather than just remediating issues/underperformance in a reactive manner.

Establishing metrics and key performance indicators (KPIs)

Establishing metrics is critical to the success of your vendor risk management program. Without metrics, you cannot truly make a process efficient; there isn’t really much to base your decisions on except gut instinct. And when dealing with vendor risk, poor decisions can really put your organization in a tough spot.

During our engagements, we’ve seen organizations achieve an average maturity score of 2.43; a score of 4.0 or higher is required to begin working toward design effectiveness. The following metrics and KPIs help measure process inefficiencies and track improvements.

Four key program metrics to live by

Throughput

The output of a process per unit of time, which can be used to identify bottlenecks. The steps with the lowest values have the lowest throughput and are the bottlenecks. An example formula here would be the ratio of completed tasks to time.

Team Productivity

The output of a process for each hour worked. This is not intended to focus on a particular individual, but instead will show how process improvements are cutting down the overall time to complete tasks. This ratio is amplified when the task is automated. The formula here would be the ratio of completed tasks to hours worked.

Resource Efficiency

The measurement of resources (not just people) consumed by a process. Resource efficiency can be measured for any task in order to optimize costs. This can be measured at both the micro and macro level, such as per onsite or per vendor. Two formulas work well for this metric: the ratio of time to completed assessments; or the ratio of total costs to time needed to complete the assessments.

Process Efficiency

The measurement of value-added activities as compared to the total time to complete the task or assessment. In many VRM assessments, quite a bit of the time consumed to complete the assessment is not value-add. An issues and escalations process that is adhered to, for example, could reduce this wasted time. The formula for process efficiency is the ratio of value-add time to total time needed to complete the assessments.
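As an added illustration (not part of the original article), the Python sketch below computes the four metrics above from a task log and flags the step with the lowest throughput as the bottleneck. The log layout, step names, the 4-week window and the rule that an assessment counts as complete once its "report" step is done are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample data, one row per completed task in the reporting window:
# (vendor, process step, hours worked, value-add hours, cost in USD)
TASK_LOG = [
    ("vendor-a", "questionnaire",    4.0,  3.0,  400.0),
    ("vendor-b", "questionnaire",    4.0,  3.0,  400.0),
    ("vendor-c", "questionnaire",    4.0,  2.0,  400.0),
    ("vendor-d", "questionnaire",    4.0,  2.0,  400.0),
    ("vendor-a", "evidence_review",  8.0,  6.0,  800.0),
    ("vendor-b", "evidence_review",  8.0,  6.0,  800.0),
    ("vendor-c", "evidence_review",  8.0,  4.0,  800.0),
    ("vendor-a", "onsite",          16.0, 12.0, 2400.0),
    ("vendor-a", "report",           4.0,  4.0,  400.0),
    ("vendor-b", "report",           4.0,  4.0,  400.0),
]
PERIOD_WEEKS = 4         # assumed reporting window
FINAL_STEP = "report"    # assumed marker of a completed assessment


def ratio(numerator, denominator):
    """Return numerator/denominator, or None when the denominator is zero."""
    return numerator / denominator if denominator else None


def program_metrics(log, weeks, final_step):
    """Compute throughput, team productivity, resource and process efficiency."""
    tasks_per_step = Counter(row[1] for row in log)
    # Throughput: completed tasks per unit of time, broken out by process step.
    throughput = {step: ratio(n, weeks) for step, n in tasks_per_step.items()}
    hours = sum(row[2] for row in log)
    value_add = sum(row[3] for row in log)
    cost = sum(row[4] for row in log)
    completed = sum(1 for row in log if row[1] == final_step)
    return {
        "throughput_per_week": throughput,
        # The step with the lowest throughput is the bottleneck.
        "bottleneck": min(throughput, key=throughput.get) if throughput else None,
        "team_productivity": ratio(len(log), hours),   # tasks per hour worked
        "hours_per_assessment": ratio(hours, completed),  # resource efficiency (time)
        "cost_per_hour": ratio(cost, hours),           # resource efficiency (cost)
        "process_efficiency": ratio(value_add, hours),  # value-add share of time
    }


if __name__ == "__main__":
    for name, value in program_metrics(TASK_LOG, PERIOD_WEEKS, FINAL_STEP).items():
        print(f"{name}: {value}")
```

Tracking the same figures across reporting periods shows whether a process change (for example, automating the questionnaire step) actually moved the bottleneck or raised the value-add share.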

Key performance indicators to track your progress

Business Process Efficiency

  • Percentage of assessments where completion falls within +/- X% of the estimated completion
  • Average process or task age
  • Average time to complete assessment
  • Cycle time from start to delivery
  • Average cycle time from request to delivery
  • Volume of tasks per staff
  • Number of staff involved

Service Level Agreement (SLA) and Service Quality

  • Number of outstanding issues/gaps against the vendor
  • Percentage of correspondence replied to on time (response to inquiries on time)
  • Percentage of correspondence or actions completed by internal stakeholders
  • Number of open escalations
  • Number of sent reminders and/or late tasks

Compliance

  • Average time lag between identification of external compliance issues and resolution
  • Frequency (in days) of compliance reviews
  • Number of assessments completed on time in comparison to policy

Budget

  • Sum of deviations, in dollars, from the planned budget of projects
  • Total costs in a given quarter compared to budget
  • Number of total assessments that are completed based on budget

Still curious about Vendor Risk Management?

Learn more about Third-Party Risk Management, or reach out to get in touch with an NCC Group