Everyone Wins | The Case for Collaboration with Vendors
Published On April 16, 2021
Blog Post by Kim Rose, Manager, Project Management Office at CORL Technologies
Some third-party risk programs treat vendors less like business partners and more like adversaries. This confrontational approach, however, often leads to breakdowns in communication that can impede the business objective customers and clients share: driving down information security risks for all parties involved.
When communication breaks down, it can result in a host of negative outcomes, including increased risk exposure & risk blind spots for the business, delayed assessments, and frustrations on all sides. Such delays can also mean lost revenue from slower sales cycles for vendors and increased time & assessment costs for customers.
By contrast, establishing a partnership and high-collaboration model between customers and vendors throughout the security risk assessment process means that everyone wins. Efficient and effective communication yields:
- High-quality, accurate, and reliable assessment results
- Timely assessment turnaround
- Limited impacts to business workflow
- Reduced risk exposure via timely remediation
- Faster sales cycle and deal closure for vendors
- Less time, money, and frustration on all sides
- Reduction in vendor risk ratings when more information is received and validated
CORL is dedicated to collaboration and open communication with vendors. Over the years, we have developed best practices and recommendations for streamlining communications and partnerships during the assessment process.
Best Practices for Vendor Communication
- Gather implementation and scope details before launching the assessment (what product, who is the business owner, what department, etc.)
- Establish a support model and communication plan for questionnaire clarifications and bi-directional communication
- Set expectations up front with all parties: what the process is, what’s required, how long it will take, etc.
- Educate and gain buy-in from stakeholders before launching assessments
- Have business owners inform vendors up front of the risk team’s role and importance
- Engage business owners in the assessment process from the get-go
- Set realistic timeframes for assessment responses (e.g. 12-15 business days)
- Calibrate your approach based on the vendor’s program maturity (e.g. a phone call vs a 500-point questionnaire for very small vendors)
- Establish escalation points and alternative communication beyond email (e.g. direct phone numbers, chat platforms, etc.)
- Establish a secure communication model and technology up front for exchanging sensitive information
- Have several assessment types and models (e.g. cloud assessment, med device assessment)
- Establish routine reporting for stakeholders
- Keep business owners in the loop; escalate when necessary
- Establish a mechanism for tracking and responding to vendor feedback and questions about the process
- Create user-friendly documentation and tools that are straightforward to navigate, understand, and process in business terms
- CORL Customers: leverage CORL’s existing relationships with vendors to find the right contact
- Be transparent about constraints
- Establish professional, courteous, and even friendly communication outreach language for vendors
You can read more about CORL’s approach to collaboration with vendors in our infographic: CORL is Committed to Partnership & Collaboration with Vendors.
Contact our team here at CORL to learn more about how our managed services and next-generation exchange for healthcare vendor risk data improve communication with vendors and get results in lowering supply chain risks.