We’ve been measuring and mitigating vendor risks for 14 years. We learned a long time ago how important it is to communicate your vendor risks and mitigation steps to your Board. We also know how difficult it is to communicate highly technical issues to Board members who have little background in technology or information security.
Six years ago we introduced our Board-friendly vendor risk scorecards, which summarize our comprehensive vendor risk reviews and vendor risk mitigation recommendations. Using a powerful vendor risk management methodology and scoring system, we convert your unique vendor risk areas into a 0-100 scale (vRisk™ scores) with red, yellow and green indicators and present them in a simple, one-page report. Board members may not know which audit controls should be included in your vendors’ SSAE 16 reports, but they do know to ask a lot of questions about vendors that score in the yellow or red.
1,200 vendor risk scorecards later, our vRisk™ scores and red/yellow/green indicators have become the industry standard for vendor management Board reporting. Now that lack of effective Board oversight and reporting is the third most common matter requiring attention (MRA) in vendor management exams, you might want to see what everyone is talking about.
Let us gather your vendors’ due diligence documents, review them, score them and make risk mitigation improvement recommendations, so you can focus your time on making the best business decisions from our recommendations.
We are in the vendor evaluation business, so we are evaluating all aspects of the major vendors every day. Not only do we review vendor financials and attend vendor earnings calls, but we meet with vendor executives every Friday to get product, company and security updates. We track vendor wins and losses, monitor changes in market share, evaluate their products and know about problems before they’re public.
Many competing vendor management software and services are actually resold by your moderate- to high-risk vendors.
This means they will only share publicly available information. We, on the other hand, are Gonzo and share non-public vendor dirt every day, all day.