The Vendor Risk Management (VRM) module in KnowBe4's KCM Governance, Risk, and Compliance (GRC) platform is available in Platinum subscriptions. This module helps you assess and manage the inherent risks of working with third-party organizations or vendors.
The VRM module lets you centralize your third-party risk management processes by prequalifying risk, assessing your vendors, and conducting remediation efforts in your KCM GRC platform. You can even set a frequency for how often your vendors are assessed to continually monitor the associated risk.
This article provides an overview of the workflows and areas of the console you'll become familiar with when working in the VRM module. The jump links below are listed in the recommended order of steps you will take to implement your Vendor Risk Management module, see each section to learn more.
Before You Begin
Before you begin using your VRM module, here are a few things you might consider to better implement this platform into your third-party risk management program.
- What types of KCM GRC user roles will I create for users working in the VRM module?
- As an account administrator, you can assign the following user role so they can work in all areas of the Vendor Risk Management module:
- Vendor Administrator
- As a vendor (or account) administrator, you'll create user accounts for your questionnaire assessees–or the individuals completing questionnaires on behalf of the third-party organization (see: Add Vendor User Accounts).
These user accounts will have the following role:
- Vendor User
- As an account administrator, you can assign the following user role so they can work in all areas of the Vendor Risk Management module:
- What kinds of questionnaires will I need for the different types of third-party affiliates working with my organization?
- KCM GRC offers industry-standard templates to build questionnaires, and you can also create custom questions for your vendor assessments. Learn more in our Creating and Configuring Questionnaires article.
- What is the best workflow, or order of tasks for onboarding with my VRM module?
- The jump links at the top of this article are listed in order of our best practice workflow recommendation for implementing the VRM module into your risk management program.
You'll create your vendor questionnaires from the Questionnaire List section of your console. You'll use the questionnaire builder to create fully-custom questionnaires, use questions from the industry-standard templates provided, or create questionnaires composed of both free-form questions and questions from the templates.
For details, see the Creating Questionnaires section of our Vendor Risk Management Module: Creating and Configuring Questionnaires article.
Configuring and Finalizing Questionnaires
Once you've added questions to your questionnaire you will configure points for each answer in order to "score" your vendor on their assessment responses. Your organization will need to determine an approach for measuring the "weight" of the questions in your assessments. Weight, in this case, refers to a point scale to determine the level of risk that is inherited when working with the third-party.
After you assign points to each question, you will mark the questions as "configured", then they must be reviewed once more before they can be sent.
For details, see the Configure Questionnaire Points section of our Vendor Risk Management Module: Creating and Configuring Questionnaires article.
Adding Vendor Profiles to your Vendor List
Before you begin sending questionnaires to your vendors, you'll create vendor profiles under the Vendor List area of the VRM module. By adding contact information and other details relevant to business operations, the vendor profile helps you prequalify the level of risk associated with each third-party, and the Vendor List area provides a central repository of internal and external third-party risk profiles.
Organization Contact Details
- Navigate to the Vendor List area by selecting Vendor Management from the navigation panel, then clicking Vendor List.
- You have two options for adding the organization's contact details: You can either import a CSV file or add the information directly to your console.
The organization's contact details consist of: Vendor name, primary contact's name, primary contact's email address, vendor mailing address (city, state, postal code, country), and vendor phone number.
The email address you enter for the Vendor Contact under the Vendor Details is where the email notifications are sent when you request your vendor to complete a questionnaire. Though, you will still need to create a user account for your vendor contact. See the Add Vendor User Accounts section below for details.
- To upload the contact details, click the Import Vendor CSV button from the Vendor List page.
- To add the contact details manually, click the Create New Vendor button from the Vendor List page.
- After you've added the contact details, continue adding the details outlined below.
- Vendor Type: Select Internal or External from the drop-down menu. For example, an internal vendor may be a contracted business unit that provides services to your organization, while an external vendor is one outside of your organization.
- Organization Industry: Select the vendor's industry from the drop-down menu.
- Data Types: Select all applicable categories of data that your vendor will store, process, or transmit in order to carry out operations for your organization.
- Details of Services/Goods: You can optionally add details about the vendor in this field.
- Once you've added all vendor details, answer the Qualifying Questions at the bottom of the page.
- Click the Save Vendor button to add the vendor details to the vendor profile.
The qualifying questions found under each vendor's profile in your Vendor List will help you assess the level of risk associated with using this third-party. You must answer all of the qualifying questions in order to send your vendor a questionnaire.
Answer the qualifying questions as you're creating your new vendor in KCM GRC, or answer the questions at a later time by navigating to the Vendor List (Vendor Management > Vendor List) and clicking the vendor's name under the Name column.
Add Vendor User Accounts
Once you're ready to send your questionnaire to a vendor, you'll add a user account in KCM for the appropriate person so they can complete the questionnaire. This user will log in to a separate vendor portal for your account–a portal specifically for answering questionnaires and addressing issues resulting from the questionnaire responses. The Vendor User, user role does not count against your licensed seat count for KCM, nor will this user have access to any of the information in your organization's account.
Once created, the vendor will immediately receive an email to activate their new KCM GRC account (click to view). You may want to inform your existing vendor contacts that you will be implementing a new process before adding these users to KCM GRC.
Follow the steps below to add a vendor user account to your console:
- Navigate to the vendor profile by clicking Vendor Management > Vendor List from the navigation panel, then click on the vendor's name from the Vendor List page.
- From the Vendor Details page, click the Contacts tab (shown below), then click the Create Vendor Contact button on the right-hand side.
- Fill out the user information, then click the Create button.
See our Working with Users article for more information about creating users.
Once you've finalized your questionnaire and added a user account for the questionnaire assessee, you can send the questionnaire directly from the vendor's profile in your VRM module.
This section provides an overview of the vendor's experience when completing your questionnaire. If you'd like to share an instructional guide with your vendors, see our Guide for Vendor Users article.
Once you've sent the questionnaire, the assessee will receive an email (click to view) requesting them to complete the questionnaire. Once they've activated their account (see: Add Vendor User Accounts, above), they'll log in and see the Vendor Portal Dashboard, as shown below.
From the Questionnaires portion of the screen, the assessee will click the link under Name or Template columns (shown above) to begin the questionnaire or questionnaires you've assigned.
The assessee will address their questions by selecting one or more checkboxes, a multiple choice answer, or by typing a response in the Answer field–depending on which answer type(s), or template(s) you used when creating your questionnaire. Then, they must use the Save button to finalize each answer.
Questionnaire assessees are also able to add comments or upload supporting files for each of the questions, by using the Add Comment or Attach File buttons, shown above.
The file attachment limitations for individual questions are as follows:
- File Size: Maximum of 5 MB (for each question)
- File Name: Maximum of 250 characters (including the file extension)
- File Types: Please see this question in our Frequently Asked Questions article for details
Once the user has finished the questionnaire, they'll click the Finalize Questionnaire button at the bottom of the page. You'll receive an email notification and the questionnaire will be available for review in KCM.
Reviewing Questionnaires and Creating Issues (KCM Administrator)
Once the vendor has completed the questionnaire, you'll receive an email notification. You can review the questionnaire from the vendor's profile, under the Vendor List area of your console. If the vendor provided an undesirable answer to one or more questions, you'll create an "issue" so you can request additional information or further discuss your concern with the vendor.
See the steps below to review your questionnaire and create issues for questions.
- From the Vendor Details page, click the Assigned Questionnaires tab in the middle of the screen. Then click on the questionnaire name to open it, as shown below.
If you're waiting on your vendor to complete the questionnaire, you can use the Nudge Vendor button under the Assigned Questionnaires tab to send the vendor an additional email reminding them to complete the questionnaire.
- From the Questionnaire Review page, you'll see the answer the user added or selected for each question. You'll also be able to see any file attachments or comments that were added during the questionnaire assessment.
- If the vendor provided an undesirable answer to one or more questions, you'll use the + Create Issue button to request additional information or discuss your concerns with the vendor.
- Once an issue has been created for a question the + Create Issue button will be disabled, as shown below.
Responding to Issues (Vendor)
This section provides an overview of the vendor's experience when responding to the issues you've created as a result of their questionnaire responses. If you'd like to share an instructional guide with your vendors, see our Guide for Vendor Users article.
When you create an issue in response to the vendor's answer to a question, the vendor receives an email informing them of the issue. See the steps below for an explanation of how the vendor will address the issues you've created.
- They'll log in to their vendor portal to respond to the questionnaire issues. The vendor can see the open issues from both their Vendor Dashboard or by clicking Issues from the navigation panel on the left-hand side of their account, as shown below.
- The vendor will click on an Issue Description to open the issue, as shown below.
- The vendor can then type a response to your issue in the Response field, and click the Save Response button to send the response to your account.
Closing Issues (KCM Administrator)
Once you're satisfied with the vendor's response, you will close the questionnaire issue.
Follow the steps below:
- From the navigation panel, click Vendor Management, then click Vendor List.
- From the Vendor List page, click the vendor name.
- Click the Issues tab, then click on a description under the Issue Description column, as shown below.
- You will change the issue's status by selecting an option from the Status drop-down menu (shown below):
- Open: If you haven't addressed the vendor's response or the vendor has not made a response, keep the issue Open.
- Pending: Change the issue to Pending status if you need a response from the vendor.
- Closed: Change the issue to Closed once no further communication is needed.
Frequently Asked Questions
Question: How do I know when my vendor has completed their Questionnaire?
Answer: The owner of the vendor profile will receive an email when the questionnaire is complete. The KCM user who created the vendor profile is the vendor owner. You can see and modify the Vendor Owner from the Vendor Details page.
You can also see the status of the questionnaire at any time by looking under the vendor's profile in your KCM GRC account. Navigate to the vendor profile by selecting Vendor Management, then Vendor List from the navigation panel. Click on the vendor's name from the vendor list, then click the Assigned Questionnaires tab in the center of the page. The Status column will show a label reflecting the questionnaire's current status.
If you're waiting on the vendor to complete the questionnaire, you can use the Nudge User button from this tab to automatically send them another email.
Question: When adding a new vendor to my Vendor List, will my vendor receive an email when I add the Contact Email from the Create New Vendor Page?
Answer: No. After you've saved the vendor profile to your Vendor List, you'll go back into the vendor profile and create a KCM GRC user account for your vendor from the Contacts tab. See the Add Vendor User Accounts section above for more information.
Question: Where do I instruct my vendor to log in to complete the questionnaire?
Answer: Your vendor can use the link in the email they receive when you send a questionnaire (click to view). Alternatively, you can provide your vendor with the same URL that you use to log into your KCM GRC account. The vendor's login credentials will direct them to the vendor portal to complete the questionnaire.
If you'd like to share an instructional guide with your vendors, please see our Guide for Vendor Users article.
Question: Will the vendor receive an email once I've created issues in a questionnaire?
Answer: Yes. Once you've reviewed the questionnaire and created one or more issues, the vendor user will receive an email notification with a link to log in to the console.
Question: Why can't I send questionnaires from my vendor's profile?
Answer: If the Send Questionnaire button is disabled under the Available Questionnaires tab, you will need to change the Vendor Status to Active before they're able to receive questionnaires. See step 3, here for more information.