Third Party Risk Management

Risk Management Metrics – Cooking Down The Acronym Soup

As in most industries, acronyms abound in Risk Management. Let’s sort through the acronym soup to understand the most important KRIs (Key Risk Indicators) and KPIs (Key Performance Indicators) for TPRM (Third Party Risk Management) or VRM (Vendor Risk Management). We asked risk experts:

What is the one metric that is essential for TPRM programs?

In this post, experts in risk offer their views on key Risk Management Metrics. These concepts are sorted into two categories – Key Risk Indicators, which pertain to risk itself, and Key Performance Indicators, which pertain to the TPRM program overall.

Key Risk Indicators (KRIs) 

Financial Viability

Charlie Miller, Senior Advisor, Shared Assessments, points to “financial viability of high risk and critical vendors” as being the KRI to keep an eye on. (Shared Assessments’ Vertical Strategy Groups and Continuous Monitoring Working Groups collaborated to discuss the financial health of third parties in this blogpost.)

Risk Score

Phil Bennet, Manager of Information Security Governance at Navy Federal Credit Union, recommends getting an understanding of overall risk with “A holistic third party ecosystem risk score measured against a standardized framework.”

External Threat Intelligence

Alpa Inamdar, formerly with BNY Mellon Corporation, suggests that understanding the “combination of Security Incidents & Losses as well as External Threat Intelligence” will put TPRM programs in good stead.

Supplier Risk Ranking

Risk Ranking

Finally, Marcus Rose, Senior Analyst, Cyber Risk Management, Trane Technologies, offers “a metric that supplies a trend based on risk levels of third party vendors. Being able to report on third-parties by risk ranking can lead to KPIs that in turn help improve vendor relationships and improve processes.”

Key Performance Indicators (KPIs) 

Measuring Resources

Vendor Onboarding

Nasser Fattah, Executive Advisor at RiskLogix LLC, says that for TPRM programs an important indicator of performance concerns supplier onboarding or supplier relationship management (SRM): “the average time to onboard a vendor in a secure and sound manner by tier. For the business, percent of vendors removed due to overlaps and cost-savings due to consolidating contracts under the same vendor.”

In conclusion, Catherine Allen, Founder and Chairman of The Santa Fe Group/Shared Assessments, weighs in with advice somewhere between a KRI and a KPI. Allen recommends “passing an assessment and mediating what needs work.” Hungry for more? Find a recording of our webinar on Risk Management Metrics here, and this blogpost gives an extensive list of KRIs and Mitigants to keep on your radar.