Vendor Risk Management (VRM) Scorecard

Third-party vendor validation has become an integral part of cybersecurity, procurement, compliance, and supply chain strategies. Previously, we discussed general practices behind the evaluation scorecard; in this article, we will discuss the creation of a vendor evaluation scorecard, using vendor risk management as an example.

A template for a vendor risk scorecard in BSC Designer. Source: the Vendor Risk Management Scorecard template, available online in BSC Designer.

We will demonstrate how to:

  • Calculate the overall security score,
  • Collect required evidence,
  • Track security scores dynamically, and
  • Align the results with other functional scorecards.

Define the Set of Evaluation Criteria

Follow current best practices to define the set of evaluation criteria for the vendor risk scorecard. This may include the following KPIs:

  • Existence of a formal cybersecurity program
  • Implementation of multi-factor authentication
  • Regular vulnerability testing
  • Adoption of the ‘Least Privilege’ practice
  • SOC 2 compliance of the data center
  • Data encryption in transit and at rest
  • Cybersecurity insurance
  • Intrusion prevention and detection systems
  • Cybersecurity awareness training
  • Data breaches reported
  • The number of data breaches reported

Depending on the type of criterion, it can be configured as:

  • Binary, with the possible states “yes” or “no.”
  • Quantitative (for example, measured in %) or qualitative (a natural-language choice or a Likert scale).
  • Optimized for maximization (like the % of employees who passed cybersecurity awareness training) or for minimization (like the number of data breaches).

Define evaluation criteria, calculate overall score, align evaluation scorecard with other strategy and function scorecards.

Learn more about best practices for managing an evaluation scorecard.

In BSC Designer:

  1. Switch to Strategy Workspace.
  2. Navigate to New > New Scorecard > More templates…
  3. Use the “Vendor Risk Management” scorecard template.

Assign Weight Depending on Risk Profiles

Weight the evaluation criteria according to the risk profile of the vendor.

For example:

  • Vendors with access to sensitive information will have a high weight for criteria like “Cybersecurity Insurance” or “Data breaches reported,” while
  • Vendors with no access to sensitive information will have a high weight for more common criteria like “Multi-factor Authentication” and implementation of the “Least Privilege” practice.

Assign the weight to the evaluation factors.
In BSC Designer:

  • Select an evaluation criterion.
  • Switch to the Performance tab.
  • Adjust the relevant weight in the Weight property.
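The scoring mechanics described above (binary, percentage and minimised count criteria, normalised and then weighted by the vendor's risk profile) as an added example in Python; this is not BSC Designer code, and the weight values, the breach threshold (cap) and the sample self-assessment are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Criterion:
    name: str
    kind: str            # "binary", "percent" or "count"
    maximize: bool = True
    cap: float = 1.0     # upper bound used to normalise "count" criteria

# Criterion names follow the article; "cap" for breaches is an assumed threshold.
CRITERIA = [
    Criterion("Formal cybersecurity program", "binary"),
    Criterion("Multi-factor authentication", "binary"),
    Criterion("Least Privilege practice", "binary"),
    Criterion("SOC 2 compliance", "binary"),
    Criterion("Data encryption in transit and at rest", "binary"),
    Criterion("Cybersecurity insurance", "binary"),
    Criterion("Awareness training", "percent"),  # % of staff trained
    Criterion("Data breaches reported", "count", maximize=False, cap=3),
]

# Weight profiles (assumed values): criteria not listed keep weight 1.
PROFILES = {
    "sensitive": {"Cybersecurity insurance": 3, "Data breaches reported": 3},
    "standard": {"Multi-factor authentication": 3, "Least Privilege practice": 3},
}

def normalize(c, value):
    """Map a raw answer to 0..1 where 1 is always the best outcome."""
    if c.kind == "binary":
        s = 1.0 if value else 0.0
    elif c.kind == "percent":
        s = min(max(float(value), 0.0), 100.0) / 100.0
    else:  # count: clip at cap, then scale
        s = min(max(float(value), 0.0), c.cap) / c.cap
    return s if c.maximize else 1.0 - s  # minimised criteria are inverted

def overall_score(answers, profile):
    """Weighted mean of normalised criteria, as a percentage 0..100."""
    weights = {c.name: PROFILES[profile].get(c.name, 1) for c in CRITERIA}
    total = sum(weights.values())
    weighted = sum(weights[c.name] * normalize(c, answers[c.name]) for c in CRITERIA)
    return round(100.0 * weighted / total, 1)

# Constructed self-assessment: no insurance, 80% trained, two breaches reported.
SAMPLE = {c.name: True for c in CRITERIA}
SAMPLE.update({"Cybersecurity insurance": False, "Awareness training": 80,
               "Data breaches reported": 2})
```

The same answers score 56.7 under the "sensitive" profile and 84.4 under the "standard" profile, which is exactly the effect the profile-specific weights are meant to have.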

Build Hierarchy of Vendors

Group vendors into a hierarchy based on the vendor tier, and apply the same set of evaluation criteria to each vendor.

In BSC Designer:

  • Create groups using the “Add” button,
  • Copy and paste a set of evaluation criteria into each group, and
  • Rename the set name to match the vendor name.

Initiate Evaluation of Vendors

Assess vendors based on the evaluation criteria to identify relevant vulnerabilities.

  • Enter evaluation scores manually into the scorecard or
  • Import them from an Excel spreadsheet that the vendor completed as a self-assessment.

Attach relevant evidence provided by the vendor, such as certifications and policies in practice.

In BSC Designer:

  • Update scores manually via the Data tab.
  • Use Tools > Export data to export evaluation criteria to Excel for the vendor’s self-assessment.
  • Attach evidence to the evaluation criteria or to the mitigation plans articulated via the Initiatives dialog.

Continuous Risk Monitoring

Track changes in vendor evaluation scores over time, such as changes in relevant certifications or the number of data breaches.

  • Define the revision period for each evaluation criterion.
  • Monitor issues relevant to the evaluation criteria.
  • Plan for the improvement of vendor evaluation scores.
  • Plan for vendor offboarding.

A template for an evaluation scorecard in BSC Designer. Source: the Evaluation Scorecard template, available online in BSC Designer.

In BSC Designer:

  • Set up the Update Interval for an indicator via the Values Editor.
  • Use the Values Editor to assign scores to specific dates.
  • Use Dynamic columns to see how the score changes over time.
  • Use Initiatives to track data breaches and mitigation actions (update their status and time span).
  • Use comments on the score to track issues, and Initiatives to map improvement plans.

Alignment with Strategy

Align the vendor risk assessment scorecard with other strategy and function scorecards, such as governance or compliance scorecards.

  • Use the overall risk score of the vendor portfolio.
  • Use the risk scores of specific vendors.
  • Cross link initiatives from various scorecards.

Cascading Method 4: Alignment by Context

In BSC Designer:

  • Copy the Vendor score item and paste it into the relevant scorecard.
  • Select the “Link by data” or “Link by context” option.

Conclusions

In this article, we discussed the steps to create a vendor risk management scorecard:

  1. Definition of evaluation criteria
  2. Assigning weights depending on the risk profile of the vendor
  3. Continuous risk monitoring
  4. Alignment of vendor risk score with other scorecards

Learn more about the specific mechanics of evaluation scorecards.

Cite as: Alexis Savkín, "Vendor Risk Management (VRM) Scorecard," BSC Designer, February 22, 2024, https://bscdesigner.com/vendor-scorecard.htm.