In 2018, if you were a third-party vendor looking to provide products or services to the city and county of Denver, officials there had a few questions—more than 300, in fact.
To assess vendor risk exposure, the city had long required applicants to fill out a 60-page questionnaire, which was then reviewed by the agency soliciting services, the information security team, and the purchasing department. The process could take six to eight weeks to complete.
Team members tracked their evaluations on simple spreadsheets that lacked clear or consistent risk scoring. Vendors were often confused by the process, leading to protracted email exchanges. And regardless of the scale of services proposed, the process was one-size-fits-all. “We said, ‘this is a mess,’” recalled Julie Sutton, Denver’s information security manager, at a breakout session at Knowledge 2019. “We have to have a new process.”
For Sutton, the new process had four requirements: It needed to be clear, easy to review, flexible, and customizable. ServiceNow’s Vendor Risk Management, as it turned out, met those needs. Using the Now platform, Sutton and her 12-person security team were able to transform the city’s risk-assessment process within four months.
In the fall of 2018, Sutton and her team started putting the massive vendor questionnaire under the microscope. They eliminated 173 security questions that were too hard to score consistently. Next they ditched spreadsheets and PDFs and replaced them with a single, easy-to-navigate portal for the entire process.
The portal went live to vendors in January 2019—without a beta test. Sutton wasn’t sure it was user-ready, but the old process was so broken that she rolled the dice. “I don’t always know the answers before I start, but I’m not going to wait until I know,” Sutton explained. “I just decided to push the button and see what happened.”
Here’s what happened: Vendors no longer rely on email. All communication, both externally with vendors and internally with city and county officials, makes use of the portal. All security reviews are automatically scored and graded. For decision makers, documentation is clear and traceable. And vendors are easily set up for future review, which is required annually. Best of all for the internal groups that work with Julie’s team, their experience didn’t change. They don’t even know they’re using Vendor Risk Management; they just know it works better.
Lessons from the launch
That said, the rapid rollout was not without hiccups. But even those left Sutton with some valuable takeaways. First, make sure vendors can only see what you want them to see, not internal scoring or communications. (As Sutton recalled, they learned that one the hard way.) Second, build a process into the portal for vendors to report errors. And finally, not all out-of-the-box notifications are necessary.
The results have been dramatic. Vendor screening processes that once took six to eight weeks are now completed in one to three weeks. The visibility provided by Vendor Risk Management means there is no single point of failure. And the number of emails from vendors also declined, which Sutton says had a big impact on her team’s productivity.