Everyone Wins | The Case for Collaboration with Vendors

Blog Post by Jay Stewart, Vice President of Sales at CORL Technologies

Some third-party risk programs treat vendors less like business partners and more like adversaries. This confrontational approach, however, often leads to breakdowns in communication that can impede the business objective customers and clients share: driving down information security risks for all parties involved.

When communication breaks down, it can result in a host of negative outcomes, including increased risk exposure and risk blind spots for the business, delayed assessments, and frustration on all sides. Such delays can also mean lost revenue for vendors as sales cycles slow, and increased time and assessment costs for customers.

By contrast, establishing a partnership and high-collaboration model between customers and vendors throughout the security risk assessment process means that everyone wins. Efficient and effective communication yields:

  • High quality, accurate, and reliable assessment results
  • Timely assessment turnaround times
  • Limited impacts to business workflow
  • Reduced risk exposure via timely remediation
  • Faster sales cycle and deal closure for vendors
  • Less time, money, and frustration on all sides
  • Reduction in vendor risk ratings when more information is received and validated

CORL is dedicated to collaboration and open communication with vendors. Over the years, we have developed best practices and recommendations for ensuring streamlined communications and partnerships throughout the assessment process.

Best Practices for Vendor Communication
  1. Gather implementation and scope details before launching the assessment (what product, who is the business owner, what department, etc.)
  2. Establish a support model and communication plan for questionnaire clarifications and bi-directional communication
  3. Set expectations up front with all parties: what is the process, what’s required, how long will it take, etc.
  4. Educate and gain buy-in from stakeholders before launching assessments
  5. Have business owners inform vendors up front of the risk team’s role and importance
  6. Engage business owners in the assessment process from the get-go
  7. Set realistic timeframes for assessment responses (e.g. 12-15 business days)
  8. Calibrate your approach based on the vendor’s program maturity (e.g. a phone call vs a 500-point questionnaire for very small vendors)
  9. Establish escalation points and alternative communication beyond email (e.g. direct phone numbers, chat platforms, etc.)
  10. Establish a secure communication model and technology up front for exchanging sensitive information
  11. Have several assessment types and models (e.g. cloud assessment, med device assessment)
  12. Establish routine reporting for stakeholders
  13. Keep business owners in the loop; escalate when necessary
  14. Establish a mechanism for tracking and responding to vendor feedback and questions about the process
  15. Create user-friendly documentation and tools that are straightforward to navigate, understand, and process in business terms
  16. CORL Customers: leverage CORL’s existing relationships with vendors to find the right contact
  17. Be transparent about constraints
  18. Establish professional, courteous, and even friendly communication outreach language for vendors

You can read more about CORL’s approach to collaboration with vendors in our infographic: CORL is Committed to Partnership & Collaboration with Vendors.

Contact our team here at CORL to learn more about how our managed services and next-generation exchange for healthcare vendor risk data improve communication with vendors and get results in lowering supply chain risks.
