The Vendor Risk Management (VRM) module in KnowBe4's KCM Governance, Risk, and Compliance (GRC) platform lets you centralize your third-party risk management processes. You can prequalify risk, assess your vendors, and conduct remediation efforts all in one platform. The VRM module is available to Platinum subscriptions.
As part of working in the VRM module, you will create a "vendor profile" for each of the internal or external third parties that you will be working with. You will use vendor profiles to send questionnaire assessments and to work through any issues that may arise from assessment responses.
Note: As a best practice for onboarding with the VRM module, we suggest creating questionnaire assessments before creating vendor profiles. For the full suggested order of workflow for onboarding with your VRM module, see: Vendor Risk Management: Introduction Guide.
See the sections below to learn about creating new vendor profiles, adding vendor contacts (vendor users), and working in vendor profiles in your KCM GRC account.
The Vendors Page
You will create vendor profiles from the Vendors area of your VRM module. The Vendors page serves as a repository of the vendor profiles you have added to your account. To navigate to this page, from the navigation panel, click Vendor Management > Vendors.
Much of your VRM workflow will be carried out through vendor profiles, for example:
- Adding user accounts for vendor contacts
- Sending questionnaires
- Reviewing questionnaires
- Creating issues for questionnaire responses
- Communicating with vendors about questionnaire issues
- Closing questionnaire issues
Once you've added vendor profiles to your account, your Vendors page will look similar to the image below.
- The Name column displays the third-party organization's name. Click on the name of the organization to open their vendor profile.
- The Contact Name is the name of your primary contact at the third-party company.
- The Status of the vendor profile can be any of the following: Active, Inactive, Pending Approval, Rejected, Incomplete.
- You'll select the vendor Type when creating the vendor profile. The vendor type will be Internal or External.
- The vendor Score is calculated after the vendor has completed one or more questionnaire assessments. For more information about vendor scores, see the Working With Vendor Profiles section, below.
- The Data Categories represent the types of data that the vendor will store, process, or transmit in order to carry out operations for your organization. You'll add these data types when creating a vendor profile. For details, see the Organization Contact Details section, below.
See the next section to learn more about adding new vendors to your account.
Adding New Vendor Profiles
Before you begin sending questionnaires to your vendors, you'll create vendor profiles under the Vendors area of the VRM module. By adding contact information and other details relevant to business operations, the vendor profile helps you prequalify the level of risk associated with each third party.
To create a vendor profile, you'll start by adding the Organization Contact Details, then you'll answer Qualifying Questions to prequalify the level of risk associated with each third-party or vendor. Before you can send questionnaires to your vendors, you'll create user accounts for the individuals who are responsible for completing your questionnaire assessments.
Follow the next three sections to complete the vendor onboarding process in your VRM module:
Organization Contact Details
- Navigate to the Vendors page. From the navigation panel, click Vendor Management, then click Vendors.
- You have two options for adding an organization's contact details. You can either import a CSV file containing the contact details for one or more organizations, or you can add the information directly in the platform:
- To upload the contact details by importing a CSV file, see Importing Vendors to Create Vendor Profiles.
- To add the contact details, click the Create New Vendor button from the Vendors page, then add information to the fields outlined below.
- Name: The name of the internal or third-party organization that you are working with and/or sending assessments to.
- Contact Name: The name of the primary person/contact you will be working with for questionnaire assessments.
- Contact Email: The email address of the person you've listed for the Contact Name, above.
Important: The email address you enter for the Contact Email is where the automatic email notifications will be sent when you assign a questionnaire to your vendor. Before you can assign a questionnaire, you will need to create a user account for your vendor contact. See the Adding User Accounts for Vendor Contacts section below for details.
- Telephone: (Optional) The telephone number for either the organization or for the primary vendor contact at the organization.
- Website: (Optional) The web address for the third-party organization.
- Vendor Type: (Optional) Select Internal or External. For example, an internal vendor may be a contracted business unit that provides services to your organization, while an external vendor is one outside of your organization.
- Street Address: (Optional) Use this and the remaining fields to add the third-party organization's address. If the United States is selected for the Country field, the Region field name will change to State.
- After you've added the contact details, continue adding the Organization Overview details, as outlined below.
- Organization Industry: (Optional) Select the vendor's industry from the drop-down menu.
- Data Types: (Optional) Select all applicable categories of data that your vendor will store, process, or transmit in order to carry out operations for your organization. If the listed data types are not applicable, select Other.
The data types are described in the table below.
Vendor Details: Data Types
| Acronym | Data Type | Description |
|---|---|---|
| CPI | Client Privileged Information | Any information that is considered confidential communication between an attorney and their client. |
| CUI | Controlled Unclassified Information | Federal, non-classified information that must be safeguarded by adhering to security requirements and controls designed to secure sensitive information. |
| ECR | Export Controlled Research | Includes any information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. This includes ITAR and EAR data types. |
| FERPA | Family Educational Rights and Privacy Act | This act governs access to and the release of student education records. |
| FISMA | Federal Information Security Management Act | This act requires federal agencies and any contracted parties to develop, document, and implement an information security and protection program for federal data. |
| GLBA | Gramm Leach Bliley Act | This act requires financial institutions to explain how they share and protect their customers' sensitive data. |
| PHI | Protected Health Information | Under HIPAA, protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations. |
| IT | Information Technology (Security Information) | Information pertaining to safeguarding organizational IT resources. |
| PCI | Payment Card Industry | Information pertaining to storing, processing, or transmitting credit card, debit card, or any other type of payment card data. |
| PII | Personally Identifiable Information | Sensitive data that could potentially identify a specific individual. |
- Details of Services/Goods: You can optionally add details about the vendor in this field.
- Once you've added all vendor details, answer the Qualifying Questions at the bottom of the page.
- Click the Save Vendor button to save the vendor details and create the vendor profile.
The qualifying questions found under each vendor's profile will help you assess the level of risk associated with using the vendor.
Answer the qualifying questions as you're creating your new vendor in KCM GRC, or answer the questions at a later time by navigating to the Vendors page (Vendor Management > Vendors) and clicking the vendor name under the Name column.
Adding User Accounts for Vendor Contacts
Once you're ready to send a questionnaire to a vendor, you'll add a user account in KCM GRC for the appropriate person so they can complete the questionnaire. This user will log in to a separate vendor portal that is associated with your account. This vendor portal is specifically for the vendor contact to answer their assigned questionnaires and to address issues that may arise from questionnaire responses.
Note: The Vendor User role does not count against your licensed seat count for KCM. Vendor Users do not have access to the information in your organization's account, with the exception of any files you add to the Attachments tab on the Vendor Details page. See the Vendor Workflows section below to learn about the Attachments tab.
Important: Once created, the vendor user will immediately receive an email to activate their new KCM GRC account. You may want to inform your vendor contacts that you will be implementing this process before adding these users to KCM GRC.
Follow the steps below to add a vendor user account to your console:
- Navigate to the vendor profile by clicking Vendor Management > Vendors from the navigation panel, then click the third-party organization's name from the Name column.
- From the Vendor Details page, click the Contacts tab, then click the Create Vendor Contact button on the right-hand side.
- Fill out the user information, then click the Create button.
Note: The email address that you use to create the vendor contact should also be listed in the Contact Email field in the Organization Details area of the page. The email address in the Contact Email field is where the automatic email notifications are sent when you assign a questionnaire to your vendor.
Tip: You can add multiple contacts to one vendor profile. All contacts listed under the Contacts tab are able to log in to the vendor's portal, and they can access the questionnaires and issues that you've assigned to this vendor.
See our Working with Users article for more information about creating users. For more information on sending questionnaire assessments, see this article: Creating, Configuring, and Sending Questionnaires.
Working With Vendor Profiles (Vendor Details)
This section and the following two subsections provide an overview of the Vendor Details page and the workflows that you can carry out from your vendor profiles (Vendor Details pages).
Vendor Details: Organization Details
- Use the Update button to edit any of the information shown on the Vendor Details page.
- Use the ARCHIVE button to archive the vendor profile. Archiving the vendor will automatically disable any Vendor Users listed under the Contacts tab in the vendor profile. This may be helpful if you will be working with the vendor again at a later time. Note that if a vendor profile is archived, you will not be able to create a new vendor profile with the same name.
- Account Administrators can use the DELETE button to fully delete the vendor profile and all associated data. All iterations of questionnaires that were sent to or completed by this vendor will be deleted. Deleting the vendor will automatically disable any Vendor Users listed under the Contacts tab in the vendor profile. This action cannot be undone.
- The Vendor Score is calculated once the Vendor User (vendor contact) has completed and finalized one or more questionnaire assessments. Vendor scores range from 0 to 100%. This number is the average of the scores for all questionnaires completed by this vendor, so typically the higher the vendor score, the lower the level of risk involved in working with this entity. If you'd like, you can manually offset the Vendor Score in the vendor profile; for details, see Modifying Vendor Scores, below.
- The Vendor Score Offset represents the percentage by which you are offsetting the Original Vendor Score, which was calculated by the KCM platform. See the instructions in the following section for more information.
Modifying Vendor Scores
Follow the steps below to offset the vendor score for a vendor profile.
- Click the Update button at the top of the Vendor Details page.
- Then, use the Vendor Score Offset field to enter any integer between -100 and 100.
For example, if the original vendor score is 89.4% and you enter "-3" in the Vendor Score Offset field, the adjusted vendor score will be 86.4%.
- You can optionally leave a note explaining why you are offsetting the vendor score in the Vendor Score Adjustment Note field.
- Click the Save button to save the offset percentage.
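The scoring rules described above (an average of finalized questionnaire scores, adjusted by an integer offset between -100 and 100), modelled as an added example; this is illustrative code, not KCM GRC's own implementation. Two details are my assumptions: questionnaires still in the Sent status are excluded from the average, and the adjusted score is kept within 0 to 100%.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assigned-questionnaire statuses listed on this page. "Sent" means the vendor
# has not finalized the questionnaire yet, so (assumption) it does not count.
FINALIZED_STATUSES = {"Pending Review", "In Review", "Reviewed"}


@dataclass
class Questionnaire:
    name: str
    status: str
    score: Optional[float]  # percentage 0-100; None until finalized


def original_vendor_score(questionnaires: List[Questionnaire]) -> Optional[float]:
    """Average score of finalized questionnaires, or None if none are finalized."""
    scores = [q.score for q in questionnaires
              if q.status in FINALIZED_STATUSES and q.score is not None]
    if not scores:
        return None
    return sum(scores) / len(scores)


def validate_offset(offset: int) -> int:
    """Enforce the page's rule: an integer between -100 and 100."""
    if not isinstance(offset, int) or isinstance(offset, bool):
        raise ValueError("Vendor Score Offset must be an integer")
    if not -100 <= offset <= 100:
        raise ValueError("Vendor Score Offset must be between -100 and 100")
    return offset


def adjusted_vendor_score(questionnaires: List[Questionnaire],
                          offset: int = 0) -> Optional[float]:
    """Original score plus offset, clamped to 0-100 (assumption), 1 decimal."""
    original = original_vendor_score(questionnaires)
    if original is None:
        return None
    adjusted = original + validate_offset(offset)
    return round(min(100.0, max(0.0, adjusted)), 1)


# Constructed sample: two finalized questionnaires and one still in progress.
SAMPLE = [
    Questionnaire("Security Baseline", "Reviewed", 92.8),
    Questionnaire("Privacy Practices", "Pending Review", 86.0),
    Questionnaire("Business Continuity", "Sent", None),
]
```

With the constructed sample the original score is 89.4%, and an offset of -3 yields the 86.4% shown in the page's example.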
The following sections describe the workflows you'll carry out from the tabs found on Vendor Details pages (vendor profiles) in your VRM module.
Vendor Details: Available Questionnaires
Use the Available Questionnaires tab to send questionnaire assessments to your vendors or other third-party organizations. All finalized questionnaires are listed under this tab. In order for a questionnaire to be finalized, it must be marked as "Configured" and "Reviewed".
Click the appropriate Send Questionnaire button to send the questionnaire to your vendor user's (vendor contact's) KCM account.
To learn more about sending questionnaires, please see: Sending Vendor Questionnaires.
Vendor Details: Schedules
The Schedules tab allows you to see all of the questionnaires you've scheduled to send to this vendor on a recurring frequency. You'll find the questionnaires that were sent only one time under the Assigned Questionnaires tab.
- The table will show the Start Date and the End Date that was set when scheduling the questionnaire.
- The Frequency column represents how often the questionnaire is scheduled to be sent.
- If applicable, the Due After column shows the number of days within which you've asked the vendor to complete the assessment.
- Click the cancel icon to cancel all future iterations of this questionnaire schedule.
- Click the eyeball icon (or the expand/collapse arrow on the left-hand side) to expand the table and view all iterations of this questionnaire schedule.
For more information about questionnaire schedules, please see: Sending Vendor Questionnaires.
Vendor Details: Assigned Questionnaires
The Assigned Questionnaires tab shows you the questionnaires that have already been sent to the vendor user's account.
- When the questionnaire is complete, click the questionnaire name link listed under the Name column to open and review the questionnaire.
- The questionnaire Status can be one of the following:
- Sent: The questionnaire has been sent to the vendor. If the vendor has begun working on the questionnaire, their progress will be represented by blue in the progress bar, under the Progress column.
- Pending Review: The questionnaire has been finalized by the vendor user, but the KCM administrator has not begun the review process.
- In Review: The KCM administrator has begun, but not finished the review process for this questionnaire.
- Reviewed: The KCM administrator has completed reviewing this questionnaire.
- Use the Nudge Vendor button to send a reminder email from KCM GRC.
- Use the Send Link button to open your native mail client program and draft an email to send to your vendor user.
- Click the Cancel button to cancel the questionnaire and remove it from the vendor user's account. Note that if the questionnaire is canceled, all progress will be lost.
- Use the Export button to download a CSV file containing the questionnaire details.
For more information about reviewing questionnaires in your VRM module, please see our Reviewing Questionnaires and Creating Issues article.
Vendor Details: Issues
If your vendor provided an undesirable answer to one or more questions in your assessment, an "issue" can be created to request additional information or to discuss the concern with your vendor.
All of the issues you've created with this vendor will show under the Issues tab. To open an existing issue, click the description from the Issue Description column.
For more information about working with issues in your VRM module, see this article: Reviewing Questionnaires and Creating Issues.
Vendor Details: Attachments
If you have files to share with your vendor, use the Attachments tab to add the files to the vendor user's (vendor contact's) vendor portal.
Use the Upload New Attachment interface to drag and drop a file, or click browse to navigate to the desired file on your computer. Once the file has been uploaded, it will be immediately available in the vendor user's KCM account.
Click the trash can button under the Actions column to remove the file from the vendor portal and your KCM account.
Vendor Details: Contacts
Before you can send a questionnaire to your vendor, you'll navigate to the Contacts tab to add a user account for the individual who will be taking the assessment. Use the Create Vendor Contact button to add a new "Vendor User" account. For more information, see the section above: Adding User Accounts for Vendor Contacts.