Hi, I’m Jeffrey Wheatman. Let’s talk about Vendor Risk Management (VRM) vs. Supply Chain Risk Management vs. Third-Party Risk Management (TPRM).

After more than half a year working at Black Kite (which has been amazeballs by the way), I have noticed an interesting phenomenon – people I talk to both inside and outside our company often use all three of these terms. Sometimes they use them interchangeably, sometimes they use them to define each other, and sometimes they try so hard to differentiate them that they admire the problem more than addressing it.

Here’s the thing: I am not sure it actually matters. Yes, words and phrases have power, and using the right one (or the wrong one) can make or break a talk track. But, and it’s a big but, the actual words, phrases and definitions we use are often less important than the consistency with which we use them.

What my career has shown me is that if we define the terms, provide appropriate context for how the term is used, and make sure we use the terms consistently, that is the best we can do.

The thing is, no matter which term you use (and sometimes you need to pick your battles), the risk of your extended ecosystem is growing by the day. Whether you call it third-party risk, vendor risk or supply chain risk, from the perspective of risk management there isn’t that much of a difference.

Essentially, you are accruing incremental risk from EVERY SINGLE ONE of those parties. And most people involved in managing risk, whether technical or not, don’t know how much risk they are accruing.

If you insist on an answer, I am happy to be pedantic <pardon me while I jump up on this here soap box>

  • VRM is about understanding risks to your organization due to risk in the companies or organizations that sell you goods or services.
  • TPRM is bigger and broader. Third parties include entities that are peers, or entities to which you provide services or products: your customers, a tax or revenue agency, etc.
  • Supply chain risk management is bigger still. It addresses a wider range of constraints and historically has been relevant in verticals that create, produce, manufacture or ship physical things. However, we are starting to hear more about digital or information supply chains.

Feel free to disagree with these definitions as long as this starts the conversation.
Assess it and manage the risk – don’t focus on defining it!

Stay safe, stay healthy, stay secure.

Wheatman, OUT!