The Vendor Risk Management (VRM) module in KnowBe4's KCM Governance, Risk, and Compliance (GRC) platform lets you centralize your third-party risk management processes. You can prequalify risk, assess your vendors, and conduct remediation efforts all in one platform. The VRM module is available to Platinum subscriptions.
As part of working in the VRM module, you will create a "vendor profile" for each of the internal or external third-parties that you will be working with. The vendor profile helps you prequalify the level of risk associated with the third-party. You'll then use vendor profiles to send questionnaire assessments and to work through any issues that may arise from assessment responses.
Note:As a best practice for onboarding with the VRM module, we suggest creating questionnaire assessments before creating vendor profiles. See our Vendor Risk Management Module: Introduction Guide for the full suggested order of workflow for onboarding with your VRM module.
See the sections below to learn about creating new vendor profiles, adding vendor contacts (vendor users), and working in vendor profiles in your KCM GRC account.
The Vendor List
Vendor profiles are found in the Vendor List area of your VRM module, which serves as a central repository of internal and external vendor profiles.
Much of your VRM workflow will be carried out through vendor profiles, for example:
- Adding user accounts for vendor contacts
- Sending questionnaires
- Reviewing questionnaires
- Creating issues for questionnaire responses
- Communicating with vendors about questionnaire issues
- Closing questionnaire issues
Once you've added vendor profiles to your account, your Vendor List will look similar to the image below.
- The Name column displays the third-party organization's name. Click on the name of the organization to open their vendor profile.
- The Contact Name will be the name of your primary contact at the third-party company
- The Status of the vendor profile can be any of the following: Active, Inactive, Pending Approval, Rejected, Incomplete. Vendor profiles must be in Active status before you can send questionnaire assessments to this vendor.
- You'll select the vendor Type when creating the vendor profile. The vendor type will be Internal or External.
- The vendor Score is calculated after the vendor has completed one or more questionnaire assessments. For more information about vendor score, see the Working With Vendor Profiles section, below.
- The Data Categories represent the types of data that the third-party will store, process, or transmit in order to carry out operations for your organization. You'll add the data types when creating the vendor profile. For details, see the Organization Contact Details section, below.
See the next section to learn more about adding new vendors to your vendor list.
Adding New Vendor Profiles
Before you begin sending questionnaires to your vendors, you'll create vendor profiles under the Vendor List area of the VRM module. By adding contact information and other details relevant to business operations, the vendor profile helps you prequalify the level of risk associated with each third-party.
To create a vendor profile, you'll start by adding the Organization Contact Details, then you'll answer Qualifying Questions to prequalify the level of risk associated with each third-party or vendor. Before you can send questionnaires to your vendors, you'll create user accounts for the individuals who are responsible for completing your questionnaire assessments.
Follow the next three sections to complete the vendor onboarding process in your VRM module:
Organization Contact Details
- Navigate to the Vendor List area by selecting Vendor Management from the navigation panel, then click Vendor List.
- You have two options for adding the organization's contact details. You can either import a CSV file or add the information directly to your console:
- To upload the contact details, click the Import Vendor CSV button from the Vendor List page. The CSV file should have the following header line:
- All fields except postal_code are mandatory. The separator should be a comma (,) and the file should be a valid CSV.
- To add the contact details manually, click the Create New Vendor button from the Vendor List page, then add information to the fields outlined below.
- Name: The name of the internal or third-party organization that you are working with and/or sending assessments to.
- Contact Name: The name of the primary person/contact you will be working with for questionnaire assessments.
- Contact Email: The email address of the person you've listed for the Contact Name, above.
Important:The email address you enter for the Contact Email is where automatic email notifications are sent when requesting your vendor to complete a questionnaire. Though, in order for them to complete the questionnaire, you'll need to create a user account for your vendor contact. See the Adding User Accounts for Vendor Contacts section below for details.
- Telephone: The telephone number for either the organization or for the primary vendor contact at the organization.
- Website: (Optional) The web address for the third-party organization.
- Vendor Type: Select Internal or External. For example, an internal vendor may be a contracted business unit that provides services to your organization, while an external vendor is one outside of your organization.
- Street Address: Use this and the remaining fields to add the third-party organization's address. If the United States is selected for the Country field, the Region field name will change to State.
- To upload the contact details, click the Import Vendor CSV button from the Vendor List page. The CSV file should have the following header line:
- After you've added the contact details, continue adding the Organization Overview details, as outlined below.
- Organization Industry: Select the vendor's industry from the drop-down menu.
- Data Types: Select all applicable categories of data that your vendor will store, process, or transmit in order to carry out operations for your organization. If the listed data types are not applicable, select Other.
Click the drop-down below for details about the data types.Vendor Details: Data Types
Acronym Data Type Description CPI Client Privileged Information Any information that is considered confidential communication between an attorney and their client. CUI Controlled Unclassified Information Federal, non-classified information that must be safeguarded by adhering to security requirements and controls designed to secure sensitive information. ECR Export Controlled Research Includes any information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. This includes ITAR and EAR data types. FERPA Family Educational Rights and Privacy Act This act governs access to and the release of student education records. FISMA Federal Information Security Management Act This Aat requires federal agencies and any contracted parties to develop, document, and implement an information security and protection program for federal data. GLBA Gramm Leach Bliley Act This act requires financial institutions to explain how they share and protect their customers' sensitive data. PHI Protected Health Information Under HIPAA, protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations. IT Information Technology (Security Information) Information pertaining to safeguarding organizational IT resources. PCI Payment Card Industry Information pertaining to storing, processing, or transmitting credit card, debit card, or any other type of payment card data. PII Personally Identifiable Information Sensitive data that could potentially identify a specific individual.
- Details of Services/Goods: You can optionally add details about the vendor in this field.
- Once you've added all vendor details, answer the Qualifying Questions at the bottom of the page.
- Click the Save Vendor button to add the vendor details to the vendor profile.
The qualifying questions found under each vendor's profile in your Vendor List will help you assess the level of risk associated with using the third-party.
Answer the qualifying questions as you're creating your new vendor in KCM GRC, or answer the questions at a later time by navigating to the Vendor List (Vendor Management > Vendor List) and clicking the vendor's name under the Name column.
Adding User Accounts for Vendor Contacts
Once you're ready to send a questionnaire to a vendor, you'll add a user account in KCM for the appropriate person so they can complete the questionnaire. This user will log in to a separate vendor portal associated with your account–a portal specifically for answering questionnaires and addressing issues resulting from the questionnaire responses. The Vendor User user role does not count against your licensed seat count for KCM, nor will this user have access to any of the information in your organization's account.
Once created, the vendor user will immediately receive an email to activate their new KCM GRC account (click to view). You may want to inform your existing vendor contacts that you will be implementing this process before adding these users to KCM GRC.
Follow the steps below to add a vendor user account to your console:
- Navigate to the vendor profile by clicking Vendor Management > Vendor List from the navigation panel, then click the third-party organization's name from the Name column.
- From the Vendor Details page, click the Contacts tab (shown below), then click the Create Vendor Contact button on the right-hand side.
- Fill out the user information, then click the Create button.
See our Working with Users article for more information about creating users. For more information on sending questionnaire assessments, see this article: Creating, Configuring, and Sending Questionnaires.
Working With Vendor Profiles (Vendor Details)
This section provides an overview of the vendor risk management workflows you will carry out from the vendor profiles (Vendor Details pages) found in your Vendor List.
Vendor Details: Organization Details
- Use the Update button to edit any of the information shown on the Vendor Details page.
- Use the ARCHIVE button to archive the vendor profile. Archiving the vendor will automatically disable any Vendor Users listed under the Contacts tab in the vendor profile. This may be helpful if you will be working with the vendor at a later time. Note, if a vendor profile is archived you will not be able to create a new vendor profile with the same name.
- Account Administrators can use the DELETE button to fully delete the vendor profile and all associated data. All iterations of questionnaires that were sent to, or completed by this vendor will be deleted. Deleting the vendor will automatically disable any Vendor Users listed under the Contacts tab in the vendor profile. This action cannot be undone.
- The Vendor Score is calculated once the Vendor User (vendor contact) has completed and finalized one or more questionnaire assessments. Vendor scores range from 0 to 100%. This number is the average of the scores for all questionnaires completed by this vendor. Therefore, typically, the higher the vendor score, the lower the level of risk involved in working with this entity. If you'd like, you can manually offset the Vendor Score in the vendor profile, see more information below.
- The Vendor Score Offset represents the percentage by which you are offsetting the Original Vendor Score, which was calculated by the KCM platform. See the instructions below for more information.
Modifying Vendor Scores
Follow the steps below to offset the vendor score for a vendor profile.
- Click the Update button at the top of the Vendor Details page.
- Then, use the Vendor Score Offset field (shown above) to enter any integer between -100 and 100.
For example, if the original vendor score is 89.4% and you enter "-3" in the Vendor Score Offset field, the adjusted vendor score will be 86.4%.
- You can optionally leave a note explaining why you are offsetting the vendor score in the Vendor Score Adjustment Note field.
- Click the Save button to save the offset percentage.
The adjusted vendor score will be automatically shown in the vendor profile along with the original vendor score that was calculated by KCM.
Click on the tabs below to learn about the workflows you'll carry out from the tabs found on Vendor Details pages (vendor profiles), under your VRM module.
Use the Available Questionnaires tab to send questionnaire assessments to your vendors, or other third-party organizations. All finalized questionnaires are listed under this tab. In order for a questionnaire to be finalized, it must be marked as "Configured" and "Reviewed".
Click the appropriate Send Questionnaire button to send the questionnaire to your vendor user's (vendor contact's) KCM account.
To learn more about creating, finalizing, and sending questionnaires, please see our Creating, Configuring, and Sending Questionnaires article.
The Schedules tab allows you to see all of the questionnaires you've scheduled to send to this vendor on a reoccurring frequency. You'll find the questionnaires that were sent only one time under the Assigned Questionnaires tab.
- The table will show the Start Date and the End Date that was set when scheduling the questionnaire.
- The Frequency column represents how often the questionnaire is scheduled to be sent.
- If applicable, the Due After column represents the number of days you've requested the assessment to be completed in.
- Click the cancel icon to cancel all future iterations of this questionnaire schedule.
- Click the eyeball icon (or the expand/collapse arrow on the left-hand side) to expand the table and view all iterations of this questionnaire schedule.
For more information about questionnaire schedules, please see our Creating, Configuring, and Sending Questionnaires article.
The Assigned Questionnaires tab shows you the questionnaires that have already been sent to the vendor user's account.
- When the questionnaire is complete, click the questionnaire name link listed under the Name column to open and review the questionnaire.
- The questionnaire Status can be one of the following:
- Sent: The questionnaire has been sent to the vendor. If the vendor has begun working on the questionnaire, their progress will be represented by blue in the progress bar, under the Progress column.
- Pending Review: The questionnaire has been finalized by the vendor user, but the KCM administrator has not begun the review process.
- In Review: The KCM administrator has begun, but not finished the review process for this questionnaire.
- Reviewed: The KCM administrator has completed reviewing this questionnaire.
- Use the Nudge Vendor button to send a reminder email from KCM GRC.
- Use the Send Link button to open your native mail client program and draft an email to send to your vendor user.
- Click the Cancel button to cancel the questionnaire and remove it from the vendor user's account. Note, if the questionnaire is canceled all progress will be lost.
For more information about reviewing questionnaires in your VRM module, please see our Reviewing Questionnaires and Creating Issues article.
If your vendor provided an undesirable answer to one or more questions in your assessment, an "issue" can be created to request additional information or to discuss the concern with your vendor.
All of the issues you've created with this vendor will show under the Issues tab. To open an existing issue, click the description from the Issue Description column.
For more information about working with issues in your VRM module, see this article: Reviewing Questionnaires and Creating Issues.
If you have files to share with your vendor, use the Attachments tab to add the files to the vendor user's (vendor contact's) vendor portal.
Use the Upload New Attachment interface to drag and drop or click browse to navigate to the desired file on your computer. Once the file has been uploaded, it will be immediately available in the vendor user's KCM account.
Click the trash can button under the Actions column to remove the file from the vendor portal and your KCM account.
Before you can send a questionnaire to your vendor you'll add a user account for the individual who will be taking the assessment. Use the Create Vendor Contact button to add a new "Vendor User" account. For more information and further instruction, see the above section: Adding User Accounts for Vendor Contacts.