The City and County of Denver, Colorado improved vendor risk assessments using a digital workflow, with evaluations now taking a third of the time. Julie Sutton, Denver’s Information Security Manager, shared their success and insights at ServiceNow’s Knowledge 2019 conference.
Denver’s Technology Services team serves more than 50 agencies across the City and County. Each agency works with external vendors who are trying to get business. Sutton explained her team was having a hard time keeping track of the vendor risk assessment process, which relied on a single person. The one team member used spreadsheets to track progress and metrics.
Before the implementation, the review process took six to eight weeks. “We would send out a 60-page document that included 300 questions to a vendor and they would have to fill it out. It takes time and back-and-forth,” Sutton explained, “… lots of emails.”
“It was confusing,” she said. Vendors would often ask for clarity on the questions, and vendor acceptance decisions were not based on clear factors.
Denver determined their new process would need to be timely, and easy for internal and external teams to review and customize. Sutton’s team began implementing ServiceNow in late 2018.
First, Sutton’s team investigated alternative vendor risk survey options. “The ones we use [now] are a little more user-friendly and we can translate that into security speak,” she said. They developed several versions of surveys that could be customized to the vendors based on a set of pre-screening questions.
For example, Sutton explained that if a vendor was going to use payment, the appropriate survey questions could be included. “This is what helps us pick what survey to use,” Sutton said. Depending on the type of data provided by the pre-screen, Sutton’s team could map vendors to the right assessment.
Sutton shared their goal, “to modularize more surveys, so that you can customize it, without really customizing it for a person or vendor.” The Denver team used ServiceNow’s Risk Assessment Designer to help with this process. “And then we immediately started using it,” Sutton said.
Next, Sutton’s team began to update the general process and forms. “I’m a big advocate of pushing the button and seeing what happens so that you can evaluate where you need to go,” Sutton said. The team was able to see where the gaps were and what they needed to fix.
From there, Sutton and team started on catalog items and other related integrations to improve the vendor risk process. Using the ServiceNow Demand module and the Vendor Risk Assessment module, Sutton’s team made major changes.
Now, when the intake team identifies a vendor, Sutton’s team sends the vendor an invite. “As soon as they [the intake team] know the vendor, we get into the Vendor Risk and send the invite out. That vendor goes in and they register as a user in our platform,” Sutton explained.
Within the platform, vendors can complete customized surveys. “We’ve seen this [take] less than a week now,” Sutton said. The platform shows the status of the vendor’s progress through the assessment. It is helpful for the intake team to see the percentage of completion, Sutton explained. The transparency reduces back-and-forth communication, therefore saving time.
When the data comes back from vendors, “it’s actually getting scored,” Sutton said. Her team set up the assessments so all ‘yes’ answers are right, and all ‘no’ answers are wrong. This cuts down the vetting process, she explained. The system can then provide automatic scoring. “When [the survey] comes back, it tells you, it’s ‘low’ [risk],” Sutton said.
Through the implementation, the City decreased their customized vendor assessment by 173 questions. That’s more than half, Sutton explained.
The process also helped the City decrease the number of emails to vendors by an average of 15 emails. “Now, 15 emails doesn’t seem like a lot, but for the City and County, we’re doing about seven of these [vendor assessments] a week and have one person doing it,” Sutton said.
Because of these changes, the overall evaluation process was also decreased – from six to eight weeks to under three. Sutton explained, “our evaluation from start to finish has decreased more than three times. It’s so fast. We can get stuff through and we know exactly what we’re doing.”
This progress is tracked in real time in ServiceNow’s Performance Analytics dashboard. For Sutton’s team, this is huge. Technology Security is a metrics-oriented team that makes a lot of decisions based on data.
Sutton explained her team can now see, “Is this really working for us?”
The ServiceNow implementation did not require significant process changes for internal staff. “They didn’t know we changed the system,” Sutton shared. Of course, they noticed the speed of the new process.
When setting up vendor risk assessments, Sutton recommends reviewing out-of-the-box notifications. “It may not be how you communicate externally,” she said. Personalizing the voice provides consistency, she added.
Sutton advises teams to have a clear purpose for each assessment. Ask questions one time in the right place, without conflict, she explained. Lastly, Sutton says, “make sure you have a process for vendors to report errors.” This helps eliminate any ‘bugs’ in the system quickly, she added. These changes made a positive difference for Denver’s vendors.
Moving forward, Sutton’s team plans to set up more dashboards across the City and County. These will help gather metrics based on specific questions and will provide trends on risks associated with vendors.
Denver will continue their integration with ServiceNow Demand, and Sutton says they are setting up an agency portal to further streamline the prescreening process.