BetterCloud's 2024 State of SaaSOps Report contains some daunting numbers for small businesses...
Overcoming the Challenges of Performing VRAs
Vendor Risk Assessments present unique challenges to small businesses due to the resources needed to perform them.
Like most things we small business owners and executives deal with, those challenges can be distilled down to the following:
- Financial Resources
- Lack of Knowledge
- Lack of Time
Every small business struggles with these three particular challenges, and usually all at the same time.
For some perspective on the resources required to perform VRAs, consider the following studies on SaaS app usage by SMBs:
- BetterCloud's State of SaaSOps Report showed companies using an average of 130 SaaS apps, with those with fewer than 500 employees using 21 to 61 apps, depending on the SMB's size (1 to 499 employees).
- Data from CloudEagle shows that SMBs with 10-100 employees use 50 to 70 SaaS apps and those with 100-250 employees use 100 to 170 apps.
Another study, by two Third Party Risk Management Software developers, Venminder and Prevalent, showed that most companies use the equivalent of 1 full-time employee per 100 vendors to assess and manage those vendors. That's for ALL vendors, not just SaaS vendors.
When you deal with dozens if not hundreds of vendors, the first step, the VRAs, could keep 1 full-time employee busy. The second step, TPRM (third party risk management), would absolutely keep at least one full-time employee busy.
With Vendor Risk Management salaries averaging $103,700 with a range of $43,500 to $167,500, according to ZipRecruiter, that's a big investment. Large corporations can throw money at these challenges. Small businesses can't.
Here's how small businesses can tackle these three resource challenges.
Financial Limitations
Most SMBs wouldn't want to hire a full-time employee to handle the assessments. So how can a small business perform the necessary assessments without cutting corners, and still make the best decision on mission-critical SaaS providers?
Instead of accepting the proven unsatisfactory results of comparing only Features / Prices / Ratings, consider the following solutions:
- Part-time staff augmented by outside expertise
- Use existing staff to cover the various parts of the VRA
- Outsource part or all of the VRA process
- Compare the ROI of specialized VRA / TPRM software versus the sweat equity of manual spreadsheets
- Use the Standardized Information Gathering Questionnaire (SIG) templates to generate custom vendor questionnaires
Lack of Knowledge
You may not have staff with the knowledge and training required to perform VRAs, or with expertise in the subject matter VRAs cover. If not, consider the following:
- Use existing staff to manage the parts of the VRA process they have expertise in
- Use subject matter experts to perform those sections requiring their expertise
- Use templates such as SIG or TPRM vendor freebies to guide the process
Lack of Time
This could also involve hiring part-time staff or outside experts or outsourcing, but there is one other thing you can do to reduce the time spent on VRAs:
- Determine how critical the apps will be to your operations
- Determine how much risk you can tolerate with your SaaS vendors based on how critical they are to your operations
- Determine which of the VRA modules you must perform based on how critical the apps are to your company
Once done, you'll know which SaaS providers you need to perform full assessments on, and which are low-risk enough that you can get by with Features / Price / Ratings / Basic Info comparisons.
As with everything small organizations do, creativity is key to success in assessing and managing SaaS providers on an SMB budget.