We have some news…

whyaye has been acquired by EY. You can read more about the acquisition here.

A big thank you to all our customers, partners, suppliers and mob members (past and present) for being part of the whyaye journey.

Top Tips for Implementing Vendor Risk Management (VRM)

We’ve brought you our Top Tips for  Implementing IRM (shameless plug in case you missed it), and now continuing the series, we’ve been asking our mob members ‘What advice would you give to anyone looking to implement the Vendor Risk Management application on the ServiceNow platform?’

We’ve collated the key themes and messages that came from the teams who’ve successfully deployed VRM below. 

1. Define your master source for vendor data

Ensure you have a defined single source of truth for vendor information such as key contacts, vendor type and business owners for each vendor. This will ensure you have an accurate view of vendors across your organisation and typically involves an integration to a 3rd party Customer Relationship Management (CRM) platform. Doing this upfront will significantly reduce the risk of vendors falling through the cracks and ensure the risk those vendors pose to you is assessed appropriately.

2. Review your current state

Ensuring the current processes and procedures are well documented will significantly reduce the time in workshops defining the new process for onboarding a vendor, consider the following when gathering this information:

  1. How are vendors currently tiered?
  2. How do you currently perform Vendor Risk Assessments?
  3. What are the current pain points in the process?
  4. What does the current team structure look like?
  5. How do you currently record observation and issues?
  6. Identify the SMEs within your organisation
  7. A description of what “good looks like” that can be translated into business outcomes


Sharing this information upfront will ensure we have a clear set of goals defined for the implementation and no misconceptions on the project timeline.

3. Align your data model

As previously mentioned, ensuring your data model is aligned with the latest version of the Common Services Data Model will ensure that VRM can access key foundational data from the CMDB, and ensures consistent and reliable information about your vendors is available for reporting.

4. Set up vendor hierarchy & engagements

When working with vendors who have subsidiaries (or sub-subsidiaries) that could pose a risk to your business, you can create a hierarchy for that vendor by setting up the parent-child relationships between vendors and all their children. This allows you to then perform assessments at each of the individual vendors and roll up the results to an overall risk score for the parent vendor.

In addition to this you can define engagements with each vendor which highlights any products or services that are offered by a vendor that you may also want to be assessed as part of the vendor risk assessment process.

And that’s our top tips for implementing VRM, which will ultimately reduce the overall risk that vendors pose to your business.

By James Morrisey

‘The Adviser’

For more information on how customers are implementing the GRC applications the whyaye way get in touch below:

    We work with