Improving Vendor Management Policy with NASA's Risk Matrix

At Order.co, we think it’s particularly useful for businesses to implement a vendor management policy. A vendor management policy evaluates and controls business risk. It requires businesses to determine approximately how much risk they are willing to assume when working with a vendor.

But risk in an organization is a broad concept. How can companies think about risk in tangible terms? As it turns out, the solution comes from an unlikely source.

According to Ness Labs, NASA has an ideal way for businesses to evaluate risk. In a recent article, “Managing risk with the NASA Risk Matrix,” Ness Labs outlined the approach that NASA scientists use to assess and mitigate risk in their business.

For an organization that deals with literal rocket science, NASA’s Risk Matrix is surprisingly simple and relatable. Once you understand the general principle, the Risk Matrix can help your business quantify the risk of working with a vendor and make smarter decisions about who (or who not) to work with.

Download the free tool: Vendor Scorecard Template

What is NASA’s risk matrix?

A large part of science and space research hinges on the ability to conceptualize, navigate, and mitigate risk. Therefore, the scientists and researchers at NASA developed the Risk Matrix as a straightforward graphic to help their teams simplify and conceptualize risk.

The graph measures risk on two scales: likelihood and consequence.

*Source: Managing risk with the NASA Risk Matrix, Ness Labs,

Once you have identified a potential risk, ask two questions: How likely is it that the risk will occur, and how impactful are the consequences?

The Risk Matrix’s logic isn’t specific to NASA as an organization. It can be used by anyone evaluating risk.

What’s at risk when working with vendors?

Working with vendors exposes your business to many risks, which is why implementing a vendor management policy is so important. Business continuity, reputation, and data security are the most significant risks.

As we go through these three major forms of risk, we’ll also discuss vendor risk assessments.

When developing a risk management plan for third-party vendors, it’s helpful to have a clear view of the specific risks that may come into play.

A third-party risk assessment questionnaire can help organizations evaluate the risks inherent in outsourcing to a third party. While individual questionnaires should tailor themselves to the organization, the questions below can help you start building a security or supplier risk questionnaire.

Business Continuity

Eighty-seven percent of firms “have experienced an incident with a third party that disrupted their operations,” according to research from Deloitte. Vendor issues such as late deliveries and incorrect orders put your business operations at risk, resulting in unexpected fees or revenue loss.

For example, if you operate a hair salon and your shampoo delivery is delayed, you may have to purchase a replacement product. That product may come at a higher price, resulting in additional, unexpected fees. If you also miss out on retail sales of the delayed shampoo, you’ll incur a revenue loss while the product remains unavailable for sale.

Loss of business continuity can significantly affect your business and its revenue streams. Evaluating the likelihood and consequences of such a continuity gap is important when considering new or untested vendors.

Business continuity risk assessment questionnaire:

Does your organization carry all required insurance binders? What are the coverage amounts for claims?
In the event of a critical shipping delay or supply chain issue, what contingency plans does your organization have in place to mitigate business impacts?
Has a client of yours suffered a business continuity incident or serious delay in receipt of goods?
In the event of a supply chain issue or delay, what is your communication policy for clients?

Reputation

Reputation is an increasingly important metric for consumers considering a purchase. In fact, 60% of consumers reported that bad reviews have dissuaded them from purchasing from a particular business. Businesses must carefully evaluate the risks of partnering with any outside organization when the stakes are so high.

If your business partners with a vendor that does not share your values or engages in illicit business practices, the media—and consumers—may hold your business accountable.

For example, let’s say one of your vendors is caught importing products illegally. Whether or not your business had anything to do with it, you risk getting tied up in a public-relations nightmare. If the media reports your business as receiving the illegally imported product, you could face permanent damage to your reputation.

Due diligence with new vendors is a vital component of third-party risk management. Take the time to understand a potential partner’s business practices and values to reduce the chance of issues in the future.

Reputational risk assessment questionnaire:

Do you clearly state policies regarding acceptable corporate practices, materials and product quality standards, vendor selection, and legal/regulatory compliance?
In the last 12 months, have you had any incidents investigated by a local, state, or federal body?
- If so, what were the outcomes of such investigations?
Do you have a documented environmental, social, and governance (ESG) policy regarding environmental and social impacts?
Do you document your ESG data and any environmental issues connected to your product or service?
Has there been any past or current litigation concerning company practices?

Data Security

Data security may be one of the most significant risks a business faces today. Working with a vendor amplifies this risk, especially in the IT space. In fact, 83% of organizations surveyed by Deloitte in 2020 “experienced an incident at one of their third-party suppliers/partners in 2019.”

According to a new report from IBM Security, the expense of these breaches is immense, costing an average of $4.43 million in 2022. What’s more, 19% of these data breaches resulted from the compromise of a business partner among third parties.

Keep in mind, though, that a breach is a worst-case scenario. Failure to comply with laws that prevent breaches is a risk in itself. Depending on location, businesses must adhere to data-security laws from governing bodies such as the Federal Trade Commission and the European Union. Noncompliance can result in hefty fines.

These laws are often complex, covering both data privacy and security. According to Auth0, a company that provides authentication services for applications, “Even if your data collection policies are strictly in accordance with the law, if you’re not protecting that data with adequate security measures such as authentication and access management, you still may not be in legal compliance.”

With risks and the cost of risks running so high, businesses need to pay close attention to the security policies of their vendors.

Data security risk assessment questionnaire:

Does your organization have a documented data and cybersecurity policy?
What policies do you have in place to eliminate compliance risk?
Do you have documented acceptable-use policies regarding company assets and customer data?
What security protocols (if any) does your organization use for ensuring data security?
In the last [X] months, has your organization experienced security breaches, data breaches, or other security risks?
- If so, what remediation steps have you taken?
- If so, what was the breach's cause, outcome, and recovery process?
What service level agreements (SLAs) are in place for information security?
Has your organization identified any vulnerabilities with its or a sub-vendor’s systems?
- If so, how were these identified and handled?

How can NASA’s Risk Matrix help?

NASA’s framework allows you to define, score, and mitigate risk. These are the three essential components of a vendor management process.

Define risk

NASA uses the following formula to define a risk before applying the matrix, according to Ness Labs:

Given that [CONDITION], there is a possibility of [DEPARTURE] adversely impacting [ASSET], thereby leading to [CONSEQUENCE].

What does that look like in practice?

Let’s say you work for a specialty bakery that produces only gluten-free pastries. You need specific ingredients, such as almond flour, to make your pastries. Your business relies on a vendor to deliver these goods every three days.

A delay of even one or two days can jeopardize your ability to produce enough gluten-free goods to meet your customers’ demands. A week's delay could completely shut down several days’ worth of operations.

During a vendor audit, you discover another vendor offers similar gluten-free baking products at a lower price. Although the new vendor comes highly recommended, there’s a catch: The vendor ships its products from California, and your bakery and current vendor are both located on the East Coast. That means your orders will have to travel an additional 2,000 miles, increasing the likelihood of delays.

Following NASA’s framework, we can define the risk of ordering from the California vendor as follows:

Given that the vendor is located 2,000 miles across the country, there is a possibility of shipping delays adversely impacting our stock of almond flour, thereby leading to our inability to produce gluten-free pastries, meet customer demand, and turn a profit for up to three days.

Score risk

Now, you need to score a vendor’s riskiness according to NASA’s Risk Matrix. We’ll use it to identify, on a scale of 1 to 5, how likely an event will be and how consequential it might be.

Using the example above, the likelihood of a delay in our shipment of almond flour is high, given that the vendor is 2,000 miles away. We’ll rate it 5.

And the consequence that we could lose up to three days of profit isn’t great, but it probably won’t sink the business. Let’s give it a 3.

Mapped out on NASA’s Risk Matrix, they intersect on a point that indicates a level of “highest risk.” Therefore, we should reconsider working with them.

*Source: Managing risk with the NASA Risk Matrix, Ness Labs

Mitigate risk

After using the Risk Matrix to create a risk score, use that score to decide how to mitigate risk. Your business must establish controls for each level of risk across business continuity, reputation, data security, and other potential issues.

For business-continuity issues, controls could include the following:

Keep an extra day’s worth of supplies in stock at all times.
Establish a backup plan to acquire supplies if there is a delay.
Limit reliance on any one vendor by ordering half of your supplies from another vendor.
Limit orders from your vendor to nonessential items.
Prohibit use of the vendor.

In our bakery example, a level 5 risk means that we should prohibit use of the California vendor, even though their products are less expensive. The risk of disrupting business continuity is too high.

Vendor risk assessment best practices

It’s impossible to eliminate every aspect of vendor risk, but adhering to a few best practices can greatly reduce the likelihood of risk within your organization.

Consider the following best practices when developing a risk management policy for your company:

Consolidate your vendor list: Prioritize your active vendors to a short, well-managed list of service providers. Consolidating your vendor list allows you to conduct a more robust vendor assessment of potential vendors. It also creates closer working relationships with the vendors you frequently use. This mitigates financial and operational risk.

Use a vendor risk questionnaire: Part of vendor due diligence is obtaining self-reported data from potential vendors. When possible, propose a vendor risk questionnaire to understand the company’s risk and mitigation policies. Additionally, look for any security gaps that could introduce high-risk vendor practices.

Commit to vendor performance reviews: The task of evaluating your chosen vendor doesn’t end once the ink is dry. By conducting regular vendor performance assessments as part of the vendor lifecycle, you can ensure vendors maintain a high level of security and compliance in their internal and external activities.

Track vendor performance metrics: Understanding the performance of your vendor risk management policy becomes easier when you outline and implement vendor performance KPIs. Monitoring these metrics keeps compliance and vendor performance levels strong. Ultimately, it improves vendor relationships.

Insist on strong SLAs in contracts: Service level agreements (SLAs) outline the steps a vendor will take to maintain a certain level of performance. They spell out the consequences and procedures that come into play when a compliance issue arises. SLAs should ensure strict uptime, disaster recovery, and data handling or deletion requirements are outlined and followed during and after the contract term (depending on the SLA in question).

Develop a vendor management policy that eradicates risk

If your business takes a scientific approach to evaluating risk, developing and articulating a vendor management policy should be a straightforward process. A vendor risk management program should consider any areas identified as potentially elevated risks for your company.

Even so, conducting this process for every vendor you work with takes time.
Order.co can save you the hassle. Order.co’s product catalog gives you control over the vendors your team can purchase from to reduce risk, and Order.co’s network includes 15,000+ vetted, reliable vendors that you can trust. Request a demo today to learn more.

Get started

Schedule a demo to see how Order.co can simplifying buying for your business.

"*" indicates required fields