The Vendor Risk Management (VRM) module in the KnowBe4 KCM Governance, Risk, and Compliance (GRC) platform is available in Platinum subscriptions. This module helps you assess and manage the inherent risks associated with using a third-party organization or vendor.
The VRM module lets you centralize your third-party risk management processes by prequalifying risk, assessing your vendors, and conducting remediation efforts all in one place. You can set a frequency for how often your vendors are assessed to continually monitor the associated risk.
The following user roles can work in all areas of the KCM GRC Vendor Risk Management Module:
- Account Administrator
- Vendor Administrator (Does not have access to any other module in your console)
This article provides an overview of the workflows and areas of the console you'll become familiar with when working in the VRM module. Use the links below to see more information.
Adding Vendor Profiles to your Vendor Risk Management Module
You'll begin using your VRM module by adding each of your third-party vendors' information under the Vendor List area. By adding contact information and other details relevant to business operations, you'll create a vendor profile for each internal or external third party. Vendor profiles help you prequalify the level of risk associated with each third party, and the Vendor List area of your console provides a central repository of internal and external third-party risk profiles.
Organization Contact Details
- Navigate to the Vendor List area by selecting Vendor Management from the navigation panel, then clicking Vendor List.
- You have two options for adding the organization's contact details: You can either import a CSV file or add the information directly to your console.
The organization's contact details consist of: Vendor name, primary contact's name, primary contact's email address, vendor mailing address (city, state, postal code, country), and vendor phone number.
- To upload the contact details, click the Import Vendor CSV button from the Vendor List page.
- To add the contact details manually, click the Create New Vendor button from the Vendor List page.
- After you've added the contact details, continue adding the details outlined below.
- Vendor Type: Select Internal or External from the drop-down menu. For example, an internal vendor may be a contracted business unit that provides services to your organization, while an external vendor is one outside of your organization.
- Organization Industry: Select the vendor's industry from the drop-down menu.
- Data Types: Select all applicable categories of data that your vendor will store, process, or transmit in order to carry out operations for your organization.
- Details of Services/Goods: You can optionally add details about the vendor in this field.
- Once you've added all vendor details, answer the Qualifying Questions at the bottom of the page.
- Click the Save Vendor button to add the vendor details to the vendor profile.
The qualifying questions found under each vendor's profile in your Vendor List will help you assess the level of risk associated with using this third party. You must answer all of the qualifying questions in order to send your vendor a questionnaire.
Answer the qualifying questions as you're creating your new vendor in KCM GRC, or answer the questions at a later time by navigating to the Vendor List (Vendor Management > Vendor List) and clicking the vendor's name under the Name column.
You'll create your vendor questionnaires from the Questionnaire List section of your console. You can create fully custom questionnaires, use questions from the templates provided*, or build questionnaires composed of both free-form questions and questions from the templates.
*Questionnaire templates will be available to use upon the full release of the Vendor Risk Management Module.
Follow the steps below to create a questionnaire.
- Navigate to the Questionnaire List section of your console by clicking Vendor Management, then Questionnaire List from the navigation panel on the left-hand side.
- Click the Create New Questionnaire button.
- From the New Questionnaire page, give the questionnaire a Name and Description.
- Select a Type (Public for external vendors or Internal for internal departments).
- Select Active from the Status drop-down in order to use the questionnaire at this time.
- From the Available Questions portion of the page, begin creating your free-form question entries, or add questions from one or more of the templates provided.
- If using a template: Click the + Questionnaire Templates button at the top right. Then, use the checkbox to select one or more templates to choose questions from. Then click the Save button. An additional tab will be added to the Available Questions section of the page for each template you selected. Click the template tab and use the checkboxes to select the questions you want to use from the template.
- If adding free-form questions: Continue with step 7, below.
- Use the Type your question field to type your question, then hit return on your keyboard or click the checkmark button to add the question and form its answer option.
If you have a large number of free-form questions to add, you may want to optimize the workflow by adding all questions at once and forming the answers afterward.
- Use the Type drop-down menu to select the type of answer that the questionnaire assessee (the individual completing your questionnaire on behalf of the third-party organization) will respond with:
- Free Form Text: Provides a blank field that the user must fill (user cannot leave field blank).
- Multiple Choice: Specify the number of answer options and the text for each option. Then specify which answer is correct, using the radio buttons under Correct Answer, on the right side of the page (user can only choose one answer).
- Checkbox: Specify the number of answer options and the text for each option (user can pick one or more answers).
- Yes / No / N/A: Provides radio buttons for the user to select from. Specify which answer is correct, using the radio buttons under Correct Answer (user can only choose one answer).
- To add another question, type it in the Type your question field, then repeat steps five and six, until you've added all of the necessary questions.
- Click the Next button to save your questions and move on to the answer configuration.
Once you click the Next button, questionnaire questions cannot be edited.
Configure and Finalize Questionnaire
Your organization will need to determine an approach for measuring the "weight" of each answer option in your questionnaires. Weight, in this case, refers to a point scale to determine the level of risk that is inherited when working with the third party. The points assigned to questions will determine the score your vendor gets on their assessment. After you assign points to each question, you will mark the questions as "configured"; they must then be reviewed once more before they can be sent.
Follow the instructions below to configure and review your questionnaire.
- If you're not already working in your questionnaire, navigate to the Questionnaire List (Vendor Management > Questionnaire List).
- Click on the name of the questionnaire that needs attention.
- From the Questionnaire - [Questionnaire Name] page, click the Configure button on the right-hand side.
- Review each question and assign a weighted number in the Points field on the right-hand side.
- If you're using multiple questionnaire templates, or a template and custom questions, use the template menu on the left-hand side to toggle between your question types to assign points to each.
- Once you've configured points for all of your questions, click the Mark as Configured button toward the top-right of the page.
- After the questions are configured, they must be reviewed once more before they can be sent to your questionnaire assessee. Once you're sure all questions are finalized, click Mark as Reviewed.
Add Vendor User Accounts
Once you're ready to send your questionnaire to a vendor, you'll add a user account in KCM for the appropriate person so they can complete the questionnaire. This user will log in to a separate vendor portal for your account, a portal specifically for answering questionnaires and addressing issues resulting from the questionnaire responses. This user will not have access to any of your organization's information in KCM GRC.
Follow the steps below to add a vendor user account to your console.
Once you add the user account, the vendor will immediately receive an email to confirm their KCM GRC account. You may want to inform your existing vendor contacts that you will be implementing a new process before adding the users to KCM GRC. Vendor users do not count against your KCM GRC user allowance.
- Navigate to the vendor profile by clicking Vendor Management > Vendor List from the navigation panel, then click on the vendor's name from the Vendor List page.
- From the Vendor Details page, click the Contacts tab (shown below), then click the Create Vendor Contact button on the right-hand side.
- Fill out the user information, then click the Create button.
See our Working with Users article for more information about creating users.
Once you've configured and reviewed your questionnaire, and added a user account in KCM for the questionnaire assessee, you can send the questionnaire directly from your KCM GRC portal.
Follow the steps below to send a questionnaire to a third-party organization, or other questionnaire assessees.
- Navigate to the vendor's profile from the Vendor List area of your console.
- From the Vendor Details page, you'll see the Available Questionnaires tab. This tab will list all questionnaires that have been created, configured and reviewed.
- Find the appropriate questionnaire, and click the Send Questionnaire button in the far-right column of the questionnaire table.
- You'll be prompted to select a Schedule Frequency, Start Date, and End Date. See below for more details.
- Schedule Frequency: Choose a frequency from the drop-down menu to determine how often you want this questionnaire to be automatically sent to your vendor.
- Start Date: Define the date you want the questionnaire schedule frequency to begin.
- End Date: Define the date you want the questionnaire schedule to end, meaning the vendor will no longer receive the questionnaire on an automatic frequency after this date.
If you would only like to send the questionnaire to the vendor one time, use any schedule frequency and put tomorrow's date in the End Date field. The questionnaire will not be sent after the End Date.
- Click the Schedule button to send the questionnaire to the user you created under the vendor profile.
Once you've sent the questionnaire to your vendor, they'll receive an email requesting them to complete the questionnaire. Once the vendor has activated their account (see: Add Vendor User Accounts, above), they'll log in and see the Vendor Portal Dashboard, as shown below.
From the Questionnaires portion of the screen, the vendor will click the link under Name or Template columns to begin the questionnaire or questionnaires you've sent to the user.
The user will address their questions by selecting one or more checkboxes, a multiple choice answer, or by typing a response in the Answer field, depending on which answer type(s) you selected when creating your questionnaire.
Questionnaire assessees are also able to add comments or upload supporting files for each of the questions, by using the Add Comment or Attach File buttons, shown above.
The file attachment limitations are as follows:
- File Size: Maximum of 47 MB.
- File Name: Maximum of 250 characters (including file extension).
- File Types: Please see this question in our Frequently Asked Questions article for details.
Once the user has finished the questionnaire, they'll click the Finalize Questionnaire button at the bottom of the page. You'll receive an email notification and the questionnaire will be available for review in KCM.
Reviewing Questionnaires and Creating Issues (KCM Administrator)
Once the vendor has completed the questionnaire, you'll receive an email notification. You can review the questionnaire from the vendor's profile (Vendor Details page), under the Vendor List area of your console. See the steps below to review your questionnaire.
- From the Vendor Details page, click the Assigned Questionnaires tab in the middle of the screen. Then click on the questionnaire name to open it, as shown below.
If you're waiting on your vendor to complete the questionnaire, you can use the Nudge Vendor button under the Assigned Questionnaires tab to send the vendor an additional email to remind them to complete the questionnaire.
- From the Questionnaire Review page, you'll see the answer the user added or selected for each question. You'll also be able to see any file attachments or comments that were added during the questionnaire assessment.
- If the vendor provided an undesirable answer to one or more questions, you'll use the + Create Issue button to request additional information or discuss your concerns with the vendor.
- Once an issue has been created for a question, the + Create Issue button will be disabled, as shown below.
Responding to Issues (Vendor)
When you create an issue in response to the vendor's answer to a question, the vendor receives an email informing them of the issue. See the steps below for an explanation of how the vendor will address the issues you've created.
- They'll log in to their vendor portal to respond to the questionnaire issues. The vendor can see the open issues either from their Vendor Dashboard or by clicking Issues from the navigation panel on the left-hand side of their account, as shown below.
- The vendor will click on an Issue Description to open the issue, as shown below.
- The vendor can then type a response to your issue in the Response field, and click the Save Response button to send the response to your account.
Closing Issues (KCM Administrator)
Once you're satisfied with the vendor's response, you will close the questionnaire issue.
Follow the steps below:
- From the navigation panel, click Vendor Management, then click Vendor List.
- From the Vendor List page, click the vendor name.
- Click the Issues tab, then click on a description under the Issue Description column, as shown below.
- You will change the issue's status by selecting an option from the Status drop-down menu (shown below):
- Open: If you haven't addressed the vendor's response or the vendor has not made a response, keep the issue Open.
- Pending: Change the issue to Pending status if you need a response from the vendor.
- Closed: Change the issue to Closed once no further communication is needed.
Frequently Asked Questions
Question: How do I know when my vendor has completed their Questionnaire?
Answer: The owner of the vendor profile will receive an email when the questionnaire is complete. The KCM user who created the vendor profile is the vendor owner. You can see and modify the Vendor Owner from the Vendor Details page.
You can also see the status of the questionnaire at any time by looking under the vendor's profile in your KCM GRC account. Navigate to the vendor profile by selecting Vendor Management, then Vendor List from the navigation panel. Click on the vendor's name from the vendor list, then click the Assigned Questionnaires tab in the center of the page. The Status column will show a label reflecting the questionnaire's current status.
If you're waiting on the vendor to complete the questionnaire, you can use the Nudge User button from this tab to automatically send them another email.
Question: When adding a new vendor to my Vendor List, will my vendor receive an email when I add the Contact Email from the Create New Vendor Page?
Answer: No. After you've saved the vendor profile to your Vendor List, you'll go back into the vendor profile and create a KCM GRC user account for your vendor from the Contacts tab. See the Add Vendor User Accounts section above for more information.
Question: Where do I instruct my vendor to log in to complete the questionnaire?
Answer: Your vendor can use the link in the email they receive when you send a questionnaire. Alternatively, you can provide your vendor with the same URL that you use to log into your KCM GRC account. The vendor's login credentials will direct them to the vendor portal to complete the questionnaire.
Question: Will the vendor receive an email once I've created issues in a questionnaire?
Answer: Yes. Once you've reviewed the questionnaire and created one or more issues, the vendor user will receive an email notification with a link to log in to the console.
Question: Will the questionnaires and vendor information I've created remain in my account once the Vendor Risk Management module is no longer in beta?
Answer: Yes. All of the information you've added to your Vendor Risk Management module will remain in your account.