Giving Context to S2Vendor

Inventory, Classification, Assessment, Treatment, Final Outcome

Written by Caitlin Fox
Updated over a week ago

Getting Started in S2Vendor 

Thank you for choosing S2Vendor for your VRM program. S2Vendor has a number of moving parts, and this document walks through the workflow and explains why each stage is set up the way it is.

The workflow runs through Inventory, Classification, Assessment, and Treatment, after which a Final Outcome is determined. During the Inventory stage all vendors are added to the program. Once the vendors are in the program, the Classification stage assigns each one a low, medium, or high impact level. The impact level determines how (and whether) the vendor is assessed during the Assessment stage, where the vendor is given a FISASCORE. The FISASCORE then guides the Treatment of the vendor during the Treatment stage. After Treatment is complete, the risk manager reaches the Final Outcome and either accepts or suspends the vendor.

Inventory

Organizing your Team

One of the hardest parts of the process is getting your own team to take vendor management seriously and to hand over information they may be reluctant to provide. As a risk manager, you have probably trained your staff not to open, or respond to, "spammy" emails from organizations they are not familiar with. That training works against you here, which is why we suggest sending an email directly from the risk manager before the program sends invitations to team members, relationship owners, and vendors. We have template wording for this in the communication portal of this help section. Sending an email beforehand keeps people from deleting the invitation as suspected phishing, and it confirms up front who the correct contacts are.

Finding Vendors

Before adding vendors, let's first determine what a vendor is relative to the program. In short, a vendor is any organization that provides goods or services: the free software installed on an employee's computer, the health insurance provider, the HVAC technician, and the cleaning service that cleans the office each night are all vendors. Each of them has, to some varying degree, administrative access, physical access, access to internal technical controls, and/or access to external technical controls. Not all vendors have the same access, but it's vital to have a consistent guideline for measuring it.

The best place to start looking for a comprehensive list of vendors is the accounts payable department. The accounts payable specialist can provide a list of vendors that are billed on a regular basis, along with their contact information. While accounts payable will have the most comprehensive list, it may still not be complete: vendors that are billed irregularly, billed through expense reports, or free of charge (free software, for example) will not appear there. It's good practice to contact department heads to identify any vendors that are billed differently or are free.

How to Determine the Relationship Owner

It's also important to note that the relationship owner is determined during the inventory process. It may be tempting to add the accounts payable specialist as the relationship owner, and in certain situations they may be the best candidate, but the accounts payable specialist often does not know the full scope of the business relationship with each vendor. In most cases, the person who has direct contact with the vendor is the best candidate for the relationship owner role.

Adding Vendors into the Program

Vendors can be added into the program either one at a time or by importing them through a template. For large numbers of vendors, the template import is recommended. Instructions for adding vendors into S2Vendor can be found here.

When using a template, it's suggested that you email it to the accounts payable department and also to each department head. Once each department head returns the template, the risk manager should check the combined list for possible duplicates before importing. S2Vendor does check for duplicates when importing a template, but it will not catch slight variances in spelling. For example, the program will not catch that Globex Corporation and Globex Corp. are the same vendor, and a vendor that appears twice ends up with two relationship owners, two classifications, and two assessments.
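Because the import only catches exact duplicates, it is worth running the merged templates through a normalization pass before uploading. The script below is an added example written for this article, not part of S2Vendor or its template importer. It assumes a CSV template with a `vendor_name` column (the real template's column headers may differ) and uses a small constructed sample instead of a real accounts payable export. It lowercases names, strips punctuation, drops common legal-form suffixes such as "Corp" and "Incorporated", groups rows that collapse to the same key, and proposes which spelling to keep.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of what several department heads might return.
# Column names are an assumption, not the S2Vendor template's real headers.
SAMPLE_TEMPLATE = """vendor_name,department,relationship_owner
Globex Corporation,Finance,A. Smith
Globex Corp.,IT,B. Jones
Initech Inc,HR,C. Lee
INITECH INCORPORATED,Facilities,D. Kim
Acme Cleaning Services,Facilities,E. Park
Acme Cleaning Services,Facilities,E. Park
Hooli LLC,IT,F. Cruz
"""

# Legal-form words that are dropped before comparing names.
# Assumption: extend this set with whatever appears in your own data.
LEGAL_SUFFIXES = {
    "corporation", "corp", "incorporated", "inc", "company", "co",
    "limited", "ltd", "llc", "llp", "plc", "gmbh", "the",
}


def normalize_vendor_name(name: str) -> str:
    """Reduce a vendor name to a comparison key.

    'Globex Corporation' and 'Globex Corp.' both become 'globex'.
    """
    lowered = name.lower()
    # Replace anything that is not a letter, digit or whitespace with a space,
    # so 'Corp.' and 'Corp' tokenize identically.
    cleaned = re.sub(r"[^a-z0-9\s]", " ", lowered)
    tokens = [t for t in cleaned.split() if t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


def load_template(csv_text: str) -> list[dict]:
    """Parse template CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_probable_duplicates(rows: list[dict]) -> dict[str, list[dict]]:
    """Group rows by normalized name and return only groups with 2+ rows."""
    groups: dict[str, list[dict]] = defaultdict(list)
    for row in rows:
        key = normalize_vendor_name(row["vendor_name"])
        if key:  # skip rows whose name was empty or only a suffix
            groups[key].append(row)
    return {key: group for key, group in groups.items() if len(group) > 1}


def merge_plan(duplicates: dict[str, list[dict]]) -> dict[str, list[str]]:
    """For each duplicate group, keep the longest raw spelling as canonical
    and list the other spellings as aliases to fold into it before import.
    Exact repeats produce an empty alias list (the importer would catch
    those anyway); near-matches are the ones the importer would miss."""
    plan: dict[str, list[str]] = {}
    for group in duplicates.values():
        spellings = sorted({row["vendor_name"] for row in group}, key=len, reverse=True)
        plan[spellings[0]] = spellings[1:]
    return plan


if __name__ == "__main__":
    rows = load_template(SAMPLE_TEMPLATE)
    dups = find_probable_duplicates(rows)
    for canonical, aliases in merge_plan(dups).items():
        owners = sorted({r["relationship_owner"] for r in dups[normalize_vendor_name(canonical)]})
        print(f"{canonical!r}: merge {aliases or 'exact repeat'}; owners listed: {owners}")
```

Review the proposed merges by hand before editing the template: the suffix list is deliberately aggressive, and two genuinely different vendors could collapse to the same key (two "Acme" entities in different lines of business, for instance). The script also surfaces cases where different departments named different relationship owners for the same vendor, which is exactly the conversation the inventory stage is meant to force.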


Classification

Classification Questionnaire

After the vendor is imported into S2Vendor, the relationship owner is prompted to complete the classification questionnaire, which ranges from ten to fifteen questions. The responses determine the vendor's impact level, and the impact level in turn determines what type of questionnaire, if any, is sent to the vendor.

High, Medium, and Low Impact Vendors

Once the questionnaire has been submitted by the relationship owner, the risk manager confirms the results. There's an option to edit the responses, and each time a response is edited, the program records a time stamp and tags who made the change. The risk manager also has the option to override the results. Overriding the classification is generally not recommended. Raising the impact level (for example, changing a medium classification to a high classification) won't compromise the results, but it is rarely necessary. Lowering the impact level (for example, changing a medium classification to a low classification) will undermine the integrity of the program, because it lets a vendor skip, or receive a lighter version of, the assessment that its answers called for. If an override is unavoidable, record the justification so the audit trail explains it.

Interpretation of Classification

Once the classification questionnaire is complete, it's common to wonder what the results actually mean. The impact level determines how the vendor is assessed and maps directly to the type of assessment, if any, that is sent. Vendors with a low impact classification are not sent an assessment. Vendors with a medium impact classification are sent an assessment that corresponds to that level, and vendors with a high impact classification are sent a more comprehensive assessment.

Assessment

Length of the Assessment

After the classification is complete, the assessment is automatically sent to the vendor. The length of the assessment is determined by the impact classification level: medium impact assessments are generally around a hundred questions, and high impact assessments are generally about four hundred questions. The assessments are extensive by design; they ask the questions that make your program defensible. It's not uncommon to receive pushback from vendors, but assessments of this kind are becoming more common over time. They also force your vendors to take a close look at their own VRM program.

Time Frame of the Assessment

Generally, the assessment should be completed within twenty-eight days, and the program defaults to this timeline. The vendor may take more time to complete the assessment, but once the deadline passes they will receive email notifications reminding them that it is overdue.

NDA and Information Packet

Since S2Vendor would itself be considered a third party by most vendors, they will often request an NDA form and an information packet before answering. We respect that they are taking control of their own security posture, and this information is available upon request.

Treatment

Choosing Remediation as an Outcome

Once the assessment is complete, the vendor is given a FISASCORE, and this score can be used to determine the best course of action. If the FISASCORE is high, the risk manager may accept the vendor right away. Conversely, if the FISASCORE is very low, the risk manager may suspend the vendor. Anything in between is where remediation comes in.

Remediation has a number of communication tools built into the program. There's a chat feature, an option to add attachments, and a way to set an individual due date on each question. This lets the risk manager record all information within the program, so no emails are lost and everything is traceable and time stamped. That record matters in the event of an adverse incident, because it strengthens the client's legal position by showing what was asked of the vendor, when, and what the vendor committed to.

What Questions Should I Choose for Remediation

S2Vendor gives the risk manager the freedom to pick and choose which failed questions (those the vendor answered "false") they want the vendor to remediate. This is where the risk manager's expertise comes into play: prioritize the items that bear on the access this vendor actually has, rather than sending every failed question back. The risk manager can choose as many remediation items as they want the vendor to complete, and they have the option of ending the evaluation at any time.

As vendors complete the remediation items, it's important to note that the FISASCORE won't improve until the risk manager approves the changes. Approval should be based on the evidence the vendor attaches, not just on the vendor marking the item done.

Final Outcome

Accepting or suspending a vendor

The risk manager has the option of accepting or suspending a vendor at any time after the classification questionnaire is completed. We generally recommend that the vendor complete the assessment before being either accepted or suspended, but in certain circumstances it makes sense to decide earlier.

Some risk managers establish a FISASCORE threshold that a vendor must reach before being accepted, and a threshold can be set per impact level so that high impact vendors are held to a higher bar. We provide the data for you to make this decision, but the course of action is at your discretion.
