The Vendor Risk Management (VRM) module in KnowBe4's KCM GRC platform lets you centralize your third-party risk management processes. You can prequalify risk, assess your vendors, and conduct remediation efforts all in one platform. The VRM module is available to Platinum subscriptions.
As part of working in the VRM module, you can create a "vendor profile" for each of the internal or external third parties that you will be working with. Then, you can use vendor profiles to send questionnaire assessments and to work through any issues that may arise from assessment responses. From vendor profiles, you can also modify vendor scores and create risks for vendors.
See the sections below to learn about creating new vendor profiles, adding vendor contacts, and working with vendor profiles in your KCM GRC account.
Vendors Page
You will create vendor profiles from the Vendors area of your VRM module. The Vendors page serves as a repository of the vendor profiles you have added to your account. To navigate to this page, from the navigation panel, click Vendor Management > Vendors.
Much of your VRM workflow will be carried out through vendor profiles, for example:
- Adding user accounts for vendor contacts
- Sending questionnaires
- Reviewing questionnaires
- Creating issues for questionnaire responses
- Communicating with vendors about questionnaire issues
- Closing questionnaire issues
Once you've added vendor profiles to your account, the Vendors page lists them in a table with the following columns.
- The Name column displays the third-party organization's name. Click on the name of the organization to open their vendor profile.
- The Contact Name is the name of your primary contact at the third-party company.
- The Status of the vendor profile can be any of the following: Active, Inactive, Pending Approval, Rejected, Incomplete.
- You'll select the vendor Type when creating the vendor profile. The vendor type will be Internal or External.
- The vendor Score is calculated after the vendor has completed one or more questionnaire assessments. For more information about vendor scores, see the Working With Vendor Profiles section below.
- The Data Categories represent the types of data that the vendor will store, process, or transmit in order to carry out operations for your organization. You'll add these data types when creating a vendor profile. For details, see the Organization Contact Details section below.
Adding New Vendor Profiles
Before you begin sending questionnaires to your vendors, you'll create vendor profiles under the Vendors area of the VRM module. By adding contact information and other details relevant to business operations, the vendor profile helps you prequalify the level of risk associated with each third party.
To create a vendor profile, you'll start by adding the Organization Contact Details, then you'll answer Qualifying Questions to prequalify the level of risk associated with each third party or vendor. Before you can send questionnaires to your vendors, you'll also create user accounts for the individuals who are responsible for completing your questionnaire assessments. Follow the subsections below to complete the vendor onboarding process in your VRM module:
Organization Contact Details
From the navigation panel, navigate to the Vendors tab. Then, either import a CSV file containing the contact details for one or more vendors, or add vendors individually to your platform.
To upload the contact details by importing a CSV file, see our How Do I Import Vendors into My Account with a CSV File? article.
To add the contact details for vendors individually, click the Create New Vendor button from the Vendors page. Then, add information to the fields outlined below.
- Name: (Required) The name of the vendor or third party that you are working with or sending assessments to.
- Contact Name: (Required) The name of the primary person/contact you will be working with for questionnaire assessments.
- Contact Email: (Required) The email address of the person you've listed for the Contact Name, above.
Important: The email address you enter for the Contact Email is where the automatic email notifications will be sent when you assign a questionnaire to your vendor. Before you can assign a questionnaire, you will need to create a user account for your vendor contact. See the Adding User Accounts for Vendor Contacts section below for details.
- Telephone: The telephone number for either the organization or for the primary vendor contact at the organization.
- Website: The web address for the vendor or third party.
- Vendor Type: Select Internal or External. For example, an internal vendor may be a contracted business unit that provides services to your organization, while an external vendor is one outside of your organization.
- Industry: Select the vendor's industry from the drop-down menu.
- Street Address: Use this and the remaining fields to add the vendor or third party's address.
- State/Province/Region: Enter the state, province, or region for the vendor or third party. If you select United States for the country, this field will change to a drop-down menu that you can use to select the state. If you select Canada for the country, this field will change to a drop-down menu that you can use to select the province.
- Zip/Postal Code: Enter the zip code or postal code for the vendor or third party.
- Data Types: Select all applicable categories of data that your vendor will store, process, or transmit in order to carry out operations for your organization. If none of the listed data types apply, select Other. The available data types are described below.
Vendor Details: Data Types
- CHD (Cardholder Data): Information related to a cardholder, including the cardholder's name and their card's expiration date, primary account number, and service code.
- CPI (Client Privileged Information): Any information that is considered confidential communication between an attorney and their client.
- CUI (Controlled Unclassified Information): Federal, non-classified information that must be safeguarded by adhering to security requirements and controls designed to secure sensitive information.
- ECR (Export Controlled Research): Any information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. This includes ITAR and EAR data.
- FERPA (Family Educational Rights and Privacy Act): Student education records, whose access and release are governed by this act.
- FISMA (Federal Information Security Management Act): Federal data covered by this act, which requires federal agencies and any contracted parties to develop, document, and implement an information security and protection program.
- GLBA (Gramm-Leach-Bliley Act): Customers' sensitive data held by financial institutions, which this act requires them to explain how they share and protect.
- PHI (Protected Health Information): Under HIPAA, individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or healthcare operations.
- IT (Information Technology / Security Information): Information pertaining to safeguarding organizational IT resources.
- PCI (Payment Card Industry): Information pertaining to storing, processing, or transmitting credit card, debit card, or any other type of payment card data.
- PII (Personally Identifiable Information): Sensitive data that could potentially identify a specific individual.
- Details of Services/Goods: You can optionally add details about the vendor in this field.
Next, you can answer qualifying questions about the vendor. For more information, see the Qualifying Questions section below.
Qualifying Questions
Below the Organization Contact Details section, you can answer qualifying questions to help you assess the level of risk associated with working with the vendor.
You can either answer the qualifying questions as you're creating the new vendor or answer them later from the vendor's Vendor Details page. To reach the Vendor Details page, open the Vendors tab (Vendor Management > Vendors) and click the vendor's name under the Name column.
After you finish filling out the information for a vendor, click the Create button to create the vendor's profile.
Adding User Accounts for Vendor Contacts
Once you're ready to send a questionnaire to a vendor, you'll add a user account in KCM GRC for the appropriate person so they can complete the questionnaire. This user will log in to a separate vendor portal that is associated with your account. This vendor portal is specifically for the vendor contact to answer their assigned questionnaires and to address issues that may arise from questionnaire responses.
Follow the steps below to add a vendor user account to your console:
- Navigate to the vendor profile by clicking Vendor Management > Vendors from the navigation panel, then click the third-party organization's name from the Name column.
- From the Vendor Details page, click the Contacts tab, then click the Create Vendor Contact button on the right-hand side.
- Fill out the user information, then click the Create button.
Note: The email address that you use to create the vendor contact should also be listed in the Contact Email field in the Organization Details area of the page. The email address in the Contact Email field is where the automatic email notifications are sent when you assign a questionnaire to your vendor.
Tip: You can add multiple contacts to one vendor profile. All contacts listed under the Contacts tab can log in to the vendor's portal and access every questionnaire and issue you've assigned to this vendor, so add only the individuals who should have that visibility.
See our How to Create and Manage KCM GRC User Accounts article for more information about creating users. For more information on sending questionnaire assessments, see our How to Create and Configure Questionnaires article.
Working With Vendor Profiles (Vendor Details)
This section and the following subsections provide information about the Vendor Details page and the workflows that you can carry out from your vendor profiles.
To learn about working with vendor profiles from the Vendor Details page, see the list below.
- Update: Click this button to edit any of the information shown on the Vendor Details page.
- Archive: Click this button to archive the vendor profile. Archiving the vendor automatically disables any Vendor Users listed under the Contacts tab of the vendor profile. This option is useful if you expect to work with the vendor again later. Note that while a vendor profile is archived, you cannot create a new vendor profile with the same name.
- Delete: Click this button to fully delete the vendor profile and all associated data. Only Account Administrators have access to this button. All iterations of questionnaires that were sent to or completed by this vendor will be deleted. Deleting the vendor will also automatically disable any Vendor Users listed under the Contacts tab of the vendor profile. This action cannot be undone.
- Vendor Score: This percentage is calculated once the vendor contact has completed and finalized one or more questionnaire assessments. Vendor scores range from 0 percent to 100 percent. The vendor score is the average score for all questionnaires that the vendor has completed. Generally, higher vendor scores indicate that the vendor has a lower risk level, and lower vendor scores indicate that the vendor has a higher risk level. If you'd like, you can manually change a vendor score from a vendor's vendor profile. To learn how to modify a vendor score, see the Modifying Vendor Scores section below.
- Create Risk for Vendor: To learn about creating a risk for a vendor, see the Creating Risks for Vendors section below.
- Notes: Use this widget to communicate information about the vendor to other KCM GRC users. For example, if you create a risk for a vendor, you can enter a note about the risk into the Notes widget.
Modifying Vendor Scores
Follow the steps below to offset the vendor score for a vendor profile.
- Click the Update button at the top of the Vendor Details page.
- Then, use the Vendor Score Offset field to enter any integer between -100 and 100. For example, if the original vendor score is 89.4% and you enter "-3" in the Vendor Score Offset field, the adjusted vendor score will be 86.4%.
- You can optionally leave a note explaining why you are offsetting the vendor score in the Vendor Score Adjustment Note field.
- Click the Save button to save the offset percentage.
The adjusted vendor score will be displayed in the vendor profile along with the original vendor score that was calculated by KCM.
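The score arithmetic described in the Vendor Score bullet above (the average of the vendor's finalized questionnaires) and in the offset steps just given can be reproduced outside the platform, for instance to sanity-check a score before acting on it. The following Python is an added example written for this page, not KnowBe4 code, and it makes two assumptions the page does not state: a questionnaire counts toward the score once its status is past "Sent" (the vendor has finalized it), and an adjusted score is clamped to the 0-100 range the page gives for vendor scores. The questionnaire names and scores are constructed sample data.

```python
"""Reconstruction of the vendor score arithmetic described on this page.

Added example (not KnowBe4 code). Assumptions: a questionnaire contributes to
the score once the vendor has finalized it (any status after "Sent"), and an
adjusted score is clamped to the 0-100 range the page gives for vendor scores.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: statuses a questionnaire reaches only after the vendor finalizes it.
FINALIZED_STATUSES = {"Pending Review", "In Review", "Reviewed"}


@dataclass
class Questionnaire:
    name: str
    status: str                    # Sent, Pending Review, In Review, Reviewed
    score: Optional[float] = None  # percentage; None while still in progress


def vendor_score(questionnaires: List[Questionnaire]) -> Optional[float]:
    """Average of the finalized questionnaires' scores; None until one is finalized."""
    scores = [q.score for q in questionnaires
              if q.status in FINALIZED_STATUSES and q.score is not None]
    if not scores:
        return None
    return sum(scores) / len(scores)


def offset_is_valid(offset) -> bool:
    """The Vendor Score Offset field accepts an integer from -100 to 100."""
    return isinstance(offset, int) and not isinstance(offset, bool) and -100 <= offset <= 100


def apply_offset(original: Optional[float], offset: int) -> float:
    """Adjusted score = original + offset, clamped to 0-100 (clamping is an assumption)."""
    if original is None:
        raise ValueError("no finalized questionnaires yet, so there is no score to offset")
    if not offset_is_valid(offset):
        raise ValueError("offset must be an integer between -100 and 100")
    return max(0.0, min(100.0, original + offset))


# Constructed sample data, not taken from the page.
SAMPLE = [
    Questionnaire("Security Baseline", "Reviewed", 92.0),
    Questionnaire("Data Handling", "Pending Review", 86.8),
    Questionnaire("Annual Re-assessment", "Sent"),   # still in progress: excluded
]


def demo():
    """Mirror the page's example: an 89.4% score offset by -3 gives 86.4%."""
    original = vendor_score(SAMPLE)        # (92.0 + 86.8) / 2 = 89.4
    adjusted = apply_offset(original, -3)  # 86.4
    return original, adjusted


if __name__ == "__main__":
    print(demo())
```

Keep the original and adjusted values side by side, as the platform does, so a reviewer can see how much of a vendor's score comes from questionnaire answers and how much from a manual offset.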
Creating Risks for Vendors
As you assess a vendor or third party with questionnaires, you can monitor the vendor's vendor score to determine the amount of risk that working with the vendor poses for your organization. Then, you can create a risk for the vendor so that you can work towards mitigating the risk from your Risk Management module.
To create a risk for a vendor, follow the instructions below.
- From your navigation panel, navigate to the Vendors tab (Vendor Management > Vendors).
- Select a vendor under the Name column.
- In the Organization Details section of the page, click the Create Risk for Vendor button.
- Fill out the fields on the Create Risk for Vendor page. To learn more about these fields, see the Create Individual Risks section of our How to Use Your Risk Register article.
- Click the Save button.
After you create the risk for a vendor, the risk will appear in your Risk Register.
Vendor Workflows
The sections below describe the workflows you'll carry out from the tabs found on Vendor Details pages (vendor profiles) in your VRM module.
Available Questionnaires Tab
Use the Available Questionnaires tab to send questionnaire assessments to your vendors or other third-party organizations. All finalized questionnaires are listed under this tab. For a questionnaire to be finalized, it must be marked as both "Configured" and "Reviewed".
Click the appropriate Send Questionnaire button to send the questionnaire to your vendor user's (vendor contact's) KCM account.
To learn more about sending questionnaires, see our How to Send Questionnaires to Vendors article.
Schedules Tab
The Schedules tab shows all of the questionnaires you've scheduled to send to this vendor on a recurring frequency. Questionnaires that were sent only once are listed under the Assigned Questionnaires tab.
- The table will show the Start Date and the End Date that was set when scheduling the questionnaire.
- The Frequency column represents how often the questionnaire is scheduled to be sent.
- If applicable, the Due After column shows the number of days within which you've asked the vendor to complete the assessment.
- Click the cancel icon to cancel all future iterations of this questionnaire schedule.
- Click the eyeball icon (or the expand/collapse arrow on the left-hand side) to expand the table and view all iterations of this questionnaire schedule.
For more information about questionnaire schedules, see our How to Send Questionnaires to Vendors article.
Assigned Questionnaires Tab
The Assigned Questionnaires tab shows you the questionnaires that have already been sent to the vendor user's account.
- When the questionnaire is complete, click the questionnaire name link listed under the Name column to open and review the questionnaire.
- The questionnaire Status can be one of the following:
- Sent: The questionnaire has been sent to the vendor. If the vendor has begun working on the questionnaire, their progress will be represented by blue in the progress bar, under the Progress column.
- Pending Review: The questionnaire has been finalized by the vendor user, but the KCM administrator has not begun the review process.
- In Review: The KCM administrator has begun, but not finished the review process for this questionnaire.
- Reviewed: The KCM administrator has completed reviewing this questionnaire.
- Use the Nudge Vendor button to send a reminder email from KCM GRC.
- Use the Send Link button to open your native mail client program and draft an email to send to your vendor user.
- Click the Cancel button to cancel the questionnaire and remove it from the vendor user's account. Note that canceling a questionnaire discards all of the vendor's progress on it.
- Use the Export button to download a CSV file containing the questionnaire details.
For more information about reviewing questionnaires in your VRM module, see our How to Review Questionnaires and Create Issues article.
Issues Tab
If your vendor provided an undesirable answer to one or more questions in your assessment, an "issue" can be created to request additional information or to discuss the concern with your vendor.
All of the issues you've created with this vendor will show under the Issues tab. To open an existing issue, click the description from the Issue Description column.
For more information about working with issues in your VRM module, see our How to Review Questionnaires and Create Issues article.
Attachments Tab
If you have files to share with your vendor, use the Attachments tab to add them to the vendor user's (vendor contact's) vendor portal.
Use the Upload New Attachment interface to drag and drop a file, or click Browse to navigate to the file on your computer. Once the file has been uploaded, it is immediately available in the vendor user's KCM account.
Click the trash can button under the Actions column to remove the file from the vendor portal and your KCM account.
Contacts Tab
Before you can send a questionnaire to your vendor, you'll navigate to the Contacts tab to add a user account for the individual who will be taking the assessment. Use the Create Vendor Contact button to add a new Vendor User account. For more information, see the Adding User Accounts for Vendor Contacts section above.