In order to implement an effective vendor risk assessment program, you must maintain an comprehensive list of your vendors.

What is the first mistake most organizations make in healthcare vendor risk management? Not maintaining a comprehensive list of active vendors.

This may strike you as so obvious that it seems silly to bring it up as a number one problem. But did you know that “nearly two-thirds of IT security professionals surveyed stated that their organizations do not maintain a comprehensive list of third-party vendors and dependencies”?

There are plenty of other mistakes an organization can make when it comes to vendor risk management, but few are as fundamental as this one. The reasons you need a synchronized vendor system of record are simple. You must be able to:

  • Readily identify vendors who handle sensitive data,
  • Produce an accurate and current list of contacts for each vendor,
  • Know which internal stakeholders interact with each vendor,
  • Periodically assess each vendor’s practices in handling sensitive data; and
  • Be able to deactivate vendors in a timely way.

It’s hard to correct any other mistakes your organization makes until you establish and maintain a master list.

If you estimate that your organization only depends on a few vendors, you may not think it is too difficult to establish and maintain an accurate and comprehensive list. Until you do a thorough inventory, however, you may be setting yourself up for an unwelcome surprise. For instance, the average healthcare organization depends on approximately 1300 vendors. If you assume a moderate churn rate—meaning new vendors are being added and others are dropping off weekly, if not daily—it can be daunting to contemplate.

The Problem of Synchronizing Lists

For 2020, we decided to get serious about organizing our vendor list

Why don’t organizations automatically maintain a comprehensive list of vendors? Simply possessing a list is not the issue. In fact, the typical organization possesses several independent lists. Different departments in the organization maintain their own lists because they have different responsibilities and interests that diverge. Gaps develop, expand, and remain unresolved over time between the lists. There is no consistent, effective synchronization process performed which can produce a single, comprehensive, and accurate list.

Different departments also have different business software solutions and they often don’t integrate well, if at all. As organizations grow, they tend to develop departmental silos. Because of this silo effect, the importance of vendor list integration may not be felt strongly enough to be shared across the departments for materials and supply chain, finance, information technology, privacy, and so on.

Focus on Processes First

Current business processes are driving the lack of centralized, comprehensive vendor lists. While this is probably unintentional, it is important to acknowledge and address. Too often, your first impulse will be to acquire a new technology or tool to solve a problem. However, until you thoroughly understand all the business processes which produce the current state, implementing a new technology, tool, or project will probably fail. The good news is, you can take these three steps to ensure success.

Step 1: Discover, Document, and Analyze the Current Process

Discover Document Analyze Current Process

It’s important to account for and analyze all your official—and unofficial—vendor list management processes. Vendor list management will consist essentially of three current business processes:

  • Adding and onboarding,
  • Updating and communication; and
  • Removal and exit.

Interview key people involved in each of the current processes to discover and document what the steps are, what dependencies there are for each step, and what systems and existing resources can make your job easier. It may be that you can enlist some help from others interested in improving the system, so be sure to take advantage of that.

Your current processes, no matter how imperfect or broken they are, will probably be described in existing electronic documents in word processing files, PDF files, or flow-chart diagrams. After discovering and reviewing these, you may determine that the current process doesn’t follow its originally conceived design. You need to investigate that until you uncover why. Whatever the answer is, it needs to be accounted for in any new process.

Here is where we manage the hospital's vendor list

If your organization is like most and you identify several lists, each list will have versions of those three processes. There will likely be a process for how a vendor gets on the list, how vendors on the list are updated, and how they are removed. It’s important to discover each list and thoroughly document each process. What information is gathered? How is it gathered? What steps happen, and when? Who does what? These questions and their answers are the start of your documentation.

Of course, there will be exceptions to each official process. Vendors get added, updated, or removed in an impromptu way that doesn’t follow the stated process. This is another area to investigate thoroughly. Even though these are exceptions and not part of the official process, it should also be documented and accounted for as thoroughly as the official process.

This year we outsourced our vendor list to some real professionals

During your interviews, be sure to document estimates of both the duration of each process and each step in it. Further, be sure to estimate the time each person spends on each step. Point out in interviews that this is probably significantly different. You may find that the total time spent on all the steps in a process is 40 hours, but that the process itself takes on average 90 days. This means there are times when the person who needs to complete the next step either cannot find the time to perform it or is unaware he is slowing the process.

Armed with this information, but before working on a design, share your documentation with the stakeholders and resources you interviewed and make sure you encourage and capture any feedback. This part is pure gold—don’t shortchange it. You almost always capture important clarifications or miss processes that people either forgot to share initially or you neglected to document properly. You will also establish or increase both trust and buy-in. Don’t merely send an email with an attached document; set an appointment to review it with them in-person if possible, or over the phone.

Step 2: Design, Document, then Propose a Future Process

Design Document Propose Future Process

As you begin the design phase, start a new document so you will be able to easily juxtapose the current process against the new design. Remember to take care to preserve what’s working from the current process. You may eliminate a task or step; however, note in your design document where you’ve preserved the desired results. This displays competence and attention to detail, which increases the buy-in of stakeholders.

Look carefully for and identify all the “easy gets.” These are often simple, low-cost adjustments that fix aggravating problems and wring out inefficiencies. For example, you may see that if at the end of a step that you send an email to two or more people in the target department instead of just one, the process won’t bottleneck if the primary person is unavailable for an extended time. Or, you may see that you can kick off two or more steps in a process to progress simultaneously instead of sequentially, saving time. These tweaks may seem too mundane to make much difference, but string enough of these “easy gets” together and you may be able to fix things well enough at little cost and without a major overhaul.

As you modify the design to eliminate problems and reduce inefficiencies, pay close attention to your integration points. These are the hand-offs between people and systems that are critical for each stakeholder to improve workflow and receive what she needs to complete the next step in the process, or to receive a critical piece of data her department needs for its responsibilities.

At this point, the need for a vendor management tool to help eliminate steps, automate a process, or bridge some gaps will become more apparent to you. It will also be clear which systems a tool will need to integrate with and how. A tool that enables you to easily integrate multiple lists, eliminate duplicates, and establish a master vendor list of record will be key. Look for a tool that will automatically collect and report on many of the metrics your will want to track, including overall duration. This enables you to concretely determine how well your new process hits the mark.

After an initial design, review a rough draft with your stakeholders. Don’t skip this step, as it usually saves you from missing something critical. Throughout the design process, the clearer and more thoroughly you document and describe the proposed new model, the more confidence you will inspire not only from decision-makers, but also from the people you will rely on to implement the new process.

Step 3: Implement, Measure, and Adjust the Better Process

Implement Measure Adjust Better Process

Communication is key to keep a new process implementation smooth, or at the very least, on track. Even if they don’t mention it, people appreciate communication and rarely get too annoyed with too much of it—but they will certainly get aggravated if there is too little of it. It’s also worthwhile to implement change incrementally if you can. Start with a sub-process or section and get the workflow and integration points right for just one department or person. That way, you won’t have to put out too many fires at once. Then, move to the next section and repeat.

Test your integration points to make sure people, processes, and systems are operating as you expected, and your measurement data is collecting and available for reports according to your design. Once you complete your implementation, you can then be prepared to adjust as you compare your new measurements against your goals.


Maintaining a comprehensive list of your active vendors is challenging. The problem is compounded by broken, incomplete, or unofficial processes which sabotage the effectiveness of your existing tools and systems. Concentrate on getting the processes right first, and then look for tools or technology to increase efficiency and reduce risk and cost. Of course, merely having a comprehensive list of vendors is not the end goal. Getting a comprehensive list is just the first step on a path that will increase compliance, reduce risk, and reduce cost.

What to Do Now

  • Don’t get buried by administrative tasks. Request a demo or Contact us to learn how to reduce by 75% the resources required to lower your vendor security risk, increase compliance, and achieve and maintain vendor HIPAA OCR audit readiness.
  • Did you like the article? Please like, edit, or share with your network!
  • Read related articles: Mistake #2 and Mistake #3 in Third Party Risk Management
  • Read related articles on blog
  • Stuck on a problem with a project? Need help resolving an issue? Schedule a 20 minute “Let’s Hear It” eval where we discuss ideas and approaches for a creative solution to problems you’re trying to solve.
  • Please follow the ConfidentVMS company page for information and conversation about Vendor Risk Management.

Curtis Jones

Written by: Curtis Jones (LinkedIn)
With over 25 years of experience leading healthcare information technology companies, Curtis helps leaders at healthcare organizations and their vendors manage their shared risk effectively, efficiently, and cooperatively.

About us: ConfidentVMS helps healthcare organizations reduce the resources required to lower vendor security risk, increase compliance, and achieve and maintain vendor HIPAA OCR audit readiness. Contact us for more information or to request a demo.

Please like or share. Thanks!

Leave a comment

Your email address will not be published.