Introduction to the KCM GRC Vendor Risk Management Module

The Vendor Risk Management (VRM) module in KnowBe4's KCM Governance, Risk, and Compliance (GRC) platform lets you centralize your third-party risk management processes. You can prequalify risk, assess your vendors, and conduct remediation efforts all in one platform. You can even set a frequency for how often your vendors are assessed to continually monitor the associated risk. The VRM module is available to Platinum subscriptions.

This article provides an overview of the workflows and areas of the console you'll become familiar with when working in the VRM module.

The jump links below are listed in the recommended order of steps you will take to implement your Vendor Risk Management module, see each section to learn more.

Jump to:

Before You Begin

Creating Questionnaires

• Configuring and Finalizing Questionnaires

Adding Vendor Profiles to your Vendor List

• Adding Vendor User Accounts

Sending Questionnaires

Vendor Experience

Reviewing Questionnaires and Creating Issues (KCM User)

Responding to Issues (Vendor)

Closing Issues (KCM Administrator)

Frequently Asked Questions

Before You Begin

Before you begin using your VRM module, below are a few things you might consider to better implement this platform into your third-party risk management program.

1. What types of KCM GRC user roles will I create for users working in the VRM module?
   • As an account administrator, you can assign the following user role so they can work in all areas of the Vendor Risk Management module:
     
     • Vendor Administrator 
   • As a vendor (or account) administrator, you will create user accounts for your questionnaire assessees–or the individuals completing questionnaires on behalf of the third-party organization (see: Adding Vendor User Accounts).
     These user accounts will have the following role:
     • Vendor User 
2. What kinds of questionnaires will I need for the different types of third-party affiliates working with my organization? 
   • KCM GRC offers industry-standard templates to build questionnaires, and you can also create custom questions for your vendor assessments. Learn more in our Creating and Configuring Questionnaires article.
3. What is the best workflow, or order of tasks for onboarding with my VRM module?
   • The jump links at the top of this article are listed in order of our best practice workflow recommendation for implementing the VRM module into your risk management program.

Back to top

Creating Questionnaires

You will create your vendor questionnaires from the Questionnaires section of your console. You'll use the questionnaire builder to create fully-custom questionnaires, add questions from the industry-standard templates provided, or create questionnaires with custom questions and questions from the templates.

For details, please see our Creating and Configuring Questionnaires article.

Configuring and Finalizing Questionnaires

Once you've added questions to your questionnaire, you will configure points for each answer in order to "score" your vendor on their assessment responses. After you assign points to each question, you will mark the questionnaire as "configured", then it must be reviewed once more before it can be sent.

For details, please see our Creating and Configuring Questionnaires article.

Back to top

Adding Vendor Profiles to your Vendor List

Before you begin sending questionnaires to your vendors, you'll create vendor profiles under the Vendor List area of the VRM module. Creating Vendor profiles helps you prequalify the level of risk associated with the third-party. You'll then use vendor profiles to send questionnaire assessments and to work through any issues that may arise from assessment responses. 

For details, please see the Adding New Vendor Profiles section of our Working with the Vendor List article.

Adding Vendor User Accounts

Once you're ready to send your questionnaire to a vendor, you'll add a user account in KCM for the appropriate person so they can complete the questionnaire. This user will log in to a separate vendor portal associated with your account–a portal specifically for answering questionnaires and addressing issues resulting from the questionnaire responses.

For details, please see the Adding User Accounts for Vendor Contacts section of our Working with the Vendor List article.

Back to top

Sending Questionnaires

Once you've finalized your questionnaire and added a user account for the questionnaire assessee, you can send the questionnaire directly from the vendor's profile in your VRM module.

For details, please see our Sending Vendor Questionnaires article. 

Back to top

Vendor Experience

This section provides an overview of the vendor's experience when completing your questionnaire. If you'd like to share an instructional guide with your vendors, see our Guide for Vendor Users article.

Once you've sent the questionnaire, the questionnaire assessee will receive an email (click to view example) requesting them to complete the questionnaire. Once they've activated their Vendor User account (see: Adding Vendor User Accounts, above), they'll log in and see the Vendor Portal Dashboard, as shown below.

×

Questionnaire Email

Close

From the Questionnaires portion of the screen, the assessee will click the link under the Name or Template columns (shown above) to begin the questionnaire(s) you've assigned.

The questionnaire assessee will answer the questions by selecting one or more checkboxes, a multiple choice answer, or by typing a response in the Answer field–depending on which answer type(s), or template(s) you used for your questionnaire. Then, they must use the Save button to finalize each answer.

The assessee is also able to add comments or upload supporting files for each question by using the Add Comment or Attach File buttons, shown above.

The file attachment limitations for individual questions are as follows:

• File Size: Maximum of 5 MB (for each question)
• File Name: Maximum of 250 characters (including the file extension)
• File Types: Please see this question in our Frequently Asked Questions article for details

Once the user has finished the questionnaire, they'll click the Finalize Questionnaire button at the bottom of the page. You'll receive an email notification and the questionnaire will be available for review in your account.

Back to top

Reviewing Questionnaires and Creating Issues (KCM Administrator)

Once your vendor contact has completed the questionnaire assessment, the KCM GRC Vendor Owner (click to view example) will receive an email notification. You will review questionnaires from the applicable vendor profile, under the Vendor List area of your console.

If the vendor provided an undesirable answer to one or more questions, you'll create an "issue" to request additional information or to further discuss your concern with the vendor.

For more information about reviewing questionnaires and creating or responding to issues, please see this article. Alternatively, you can watch the following videos on our knowledge base: 

• Video: Reviewing Vendor Questionnaires
• Video: Working with Questionnaire Issues 

Back to top

Responding to Issues (Vendor)

This section provides an overview of the vendor's experience when responding to the issues you've created as a result of their questionnaire responses. If you'd like to share an instructional guide with your vendors, see our Guide for Vendor Users article.

When you create an issue in response to the vendor's answer to a question, the vendor receives an email informing them of the issue. See the steps below for an explanation of how the vendor will address the issues you've created.

1. They'll log in to their vendor portal to respond to the questionnaire issues. The vendor can see the open issues from both their Vendor Dashboard or by clicking Issues from the navigation panel on the left-hand side of their account, as shown below.
   
2. The vendor will click on an Issue Description to open the issue, as shown below.
   
3. The vendor can then type a response to your issue in the Response field, and click the Save Response button to send the response to your account.

Back to top

Closing Issues (KCM Administrator)

Once you're satisfied with the vendor's response, you will close the questionnaire issue. Please see this article for instructions.

Back to top

Frequently Asked Questions

1. Question: How do I know when my vendor has completed their Questionnaire?

   Answer: The owner of the vendor profile will receive an email when the questionnaire is complete. The KCM user who created the vendor profile is the vendor owner. You can view and modify the Vendor Owner from the Vendor Details page.

   You can also see the status of the questionnaire at any time by looking under the vendor's profile in your KCM GRC account. Navigate to the vendor profile by selecting Vendor Management, then Vendor List from the navigation panel. Click on the vendor's name from the vendor list, then click the Assigned Questionnaires tab in the center of the page. The Status and Progress columns will show the questionnaire's current status. 

   If you're waiting on the vendor to complete the questionnaire, you can use the Nudge User button from this tab to automatically send them another email.

2. Question: When adding a new vendor to my Vendor List, will my vendor receive an email when I add the Contact Email from the Create New Vendor Page?

   Answer: No. After you've saved the vendor profile to your Vendor List, you'll go back into the vendor profile and create a KCM GRC user account for your vendor from the Contacts tab. See the Add Vendor User Accounts section above for more information.

3. Question: Where do I instruct my vendor to log in to complete the questionnaire?

   Answer: Your vendor can use the link in the email they receive when you send a questionnaire (click to view). Alternatively, you can provide your vendor with the same URL that you use to log into your KCM GRC account. The vendor's login credentials will direct them to the vendor portal to complete the questionnaire.
   If you'd like to share an instructional guide with your vendors, please see our Guide for Vendor Users article.

4. Question: Will the vendor receive an email once I've created issues in a questionnaire?

   Answer: Yes. Once you've reviewed the questionnaire and created one or more issues, the vendor user will receive one email notification with a link to log in to the console.

5. Question: Why can't I send questionnaires from my vendor's profile?

   Answer: If the Send Questionnaire button is disabled under the Available Questionnaires tab, you will need to change the Vendor Status to Active before they're able to receive questionnaires. See step 3, here for more information.

Back to top