Tools and Frameworks for Vendor Risk Management – Part 1

Featured post image
Published: 2023/09/27 Last updated: 2023/10/31 By: Tom Lazenby

This is a three-part blog series, “Tools and Frameworks for Vendor Risk Management,” where you will learn or be reacquainted with various risk management methodologies that can be employed to manage and mitigate risks associated with vendors in clinical trials.

The series is designed to help you understand What, Why, When, and How these methodologies enable you to enhance vendor risk management strategies and improve the success of your clinical trials.

Throughout this series, you will get insights, examples, and practical applications of these methodologies, highlighting their importance in addressing challenges related to vendor risk management.

By understanding and implementing these tools and frameworks, you can effectively manage vendor-related risks, safeguarding the quality, safety, and integrity of your clinical trials.

In Part 1 we will dive into basic risk management methods, including flowcharts, check sheets, process mapping, and cause and effect diagrams. You will also learn Failure Mode Effects Analysis (FMEA), a proactive approach to identifying and prioritising potential failure modes in a process.



Flowcharts serve as a visual representation of the entire process, from vendor selection and onboarding to oversight and evaluation. The flowchart can depict the sequence of actions and decisions required in these processes, such as vendor qualification criteria, key performance indicators (KPIs) for oversight, and vendor performance evaluation metrics.


Flowcharts provide an overview of the vendor management process. Making it easier to identify bottlenecks, redundancies, and areas of risk that may need closer attention or risk mitigation strategies.

By visualising the process, you understand how each part of the process works and how it interacts with other parts, enabling more effective and efficient management of vendors.


During the planning and analysis stages of vendor management, teams can use a flowchart to design a vendor management process to align with study objectives and regulatory requirements.

During the analysis stage, teams can use a flowchart to review and streamline the process, identify and address issues, and ensure that the process is as efficient and effective as possible.


To create, use dedicated software tools that offer flowcharting capabilities or even simple drawing tools. Identify all the steps in your vendor management process, including decision points and interactions. Steps are represented as shapes with arrows showing the direction.

Decision points and other interactions are typically represented by a different shape. The flowchart should be reviewed and updated regularly to reflect any changes in the vendor management process.

A clinical trial team is dealing with delays and inefficiencies in vendor onboarding. They use a flowchart to map out the process, this includes vendor identification, qualification, selection, contract negotiation, and training. Using the flowchart, the team identifies a bottleneck at the contract negotiation stage, which gets delayed due to internal approvals.
They identify redundancy in the training step, where training is repeated for vendors that have already been onboarded for other trials.
The team implement improvements including streamlining the approval process for contract negotiation and creating a central database to track vendor training, eliminating unnecessary repetition.
The time required for vendor onboarding is reduced, leading to efficiency, cost savings, and ultimately, faster initiation of the clinical trial. This practical use of a flowchart demonstrates its value as a tool for process optimisation in vendor risk management.

Check Sheets


Check sheets serve as a straightforward tool for recording and tracking vendor performance data. This can include a wide range of metrics, including timeliness of deliverables, quality of output, and adherence to regulatory requirements.


Check sheets facilitate consistent, systematic data collection. This data is invaluable for making evidence-based decisions about vendor performance. Patterns and trends may emerge from this data, identifying potential issues, areas for improvement, and the effectiveness of mitigations or corrective actions.


Check sheets can be used throughout the vendor oversight process. As vendors deliver services or complete tasks, their performance is documented in real-time. This data collection allows for ongoing monitoring and trend analysis.


To implement check sheets, the clinical trial team identify the key performance metrics relevant to the vendor. This includes the quality of deliverables to responsiveness to queries.

Each time a vendor delivers a service or completes a task, the team records the results on the check sheet.

The team are working with a data management vendor and create a check sheet to record data such as timeliness of data delivery, accuracy of data, responsiveness to data queries, and adherence to data privacy regulations.
The check sheet is used to collect data each time the vendor delivers a service. The check sheet provides valuable insights into the vendor’s performance e.g. they consistently deliver data late, or there are recurring errors in their data.
Identifying trends early means the team can proactively address the issues with the vendor, implementing corrective and preventative actions. The intervention helps to maintain the quality and integrity of the clinical trial data and mitigates the direct costs associated with remedial actions.

Process Mapping


Process mapping unlike flowcharts, offer a more detailed depiction, including the sequence of tasks, decision points, roles, and responsibilities, as well as how these tasks interact and depend on each other.


Process mapping provides a detailed view a process, allowing stakeholders to understand every step and interaction. This supports teams to identify inefficiencies, redundancies, and risks. It clarifies roles and responsibilities, so each team member knows what they need to do and when.


Process mapping is useful at the start of the clinical trial, when determining the vendor oversight requirements. By visualising the process, teams can plan and structure their approach. Process maps should be periodically reviewed for continuous improvement.


To create use dedicated process mapping software or simple drawing tools. Identify all tasks, interactions, and decision points in the vendor oversight process. Tasks are represented as a box, with arrows showing the sequence and interactions.

Roles and responsibilities for each task are also included, providing clarity on who is accountable for each step.

The trial team is struggling with vendor oversight, leading to missed deadlines, quality issues, and confusion about roles and responsibilities.
They decide to map out each step in the vendor oversight process, from initial vendor qualification to periodic performance evaluation. They also define the roles and responsibilities for each step, making it clear who oversees what.
When reviewing the completed process map, the team identifies inefficiencies – some tasks are being duplicated by different team members, while some oversight tasks are being overlooked.
They use the process map to reassign tasks, eliminate duplication, and ensure all crucial oversight activities are covered.
The team can streamline their vendor oversight process, reducing confusion and inefficiencies. This leads to more effective vendor management, improved quality control, and significant savings in staff resource expenditure.
The process map also serves as a valuable training resource for new team members, ensuring they quickly understand their roles and responsibilities within the process.

Cause and Effect Diagrams


In the context of vendor risk management, cause and effect diagrams, also known as Fishbone or Ishikawa diagrams, serve to identify and visually represent potential root causes of vendor-related risks.


They provide a structured approach to brainstorming and categorising potential causes of risks which can become quality issues. They facilitate identification of factors contributing to a specific issue, develop understanding of root causes rather than focusing on symptoms.


These diagrams are useful when evaluating vendor related risks, in a proactive risk assessment processes aimed at identifying potential problems before they happen.


Creating a cause and effect diagram starts with a clearly defined problem or characteristic at the ‘head’ of the fish. The team then brainstorms potential causes can categorises them. These categories form the ‘bones’ of the fish, branching out from the central ‘spine’. The typical “bones” of the diagram include:

  • Procedure
  • Equipment
  • Materials
  • Measurements (data)
  • Human Resource
  • Environment (conditions)

The team identifies the risk of delayed data delivery from a vendor, they use a cause-and-effect diagram to analyse the risk. Delayed data delivery is the ‘head’ of the fish. The team brainstorms possible causes, categorising them into the 6 standardised headings.
By visually mapping the causes, the team identifies the areas to address, such as improving data processing protocols, updating data management systems, and training on source data quality.
The team decide upon appropriate mitigation strategies, reducing risk of direct costs of remedial actions and the indirect costs associated with missed opportunities due to delayed data delivery.

Failure Mode Effects Analysis (FMEA)


Failure Mode Effects Analysis (FMEA) is a proactive method used to identify, assess, and prioritise risks associated with a vendor or process.


FMEA can aid discovery of high-risk areas within the vendor risk management process. In identifying these risks early, your team can focus risk mitigation efforts where they will have the most impact.


FMEA is beneficial during the vendor selection process, where it aids in assessing potential vendors’ risk profiles. However, its value extends to ongoing risk management activities throughout the vendor’s engagement.


FMEA begins by identifying potential failure modes, their causes, and their potential effects. Each failure mode is scored based on its impact (severity), probability (likelihood) and detectability (likelihood of identifying the failure).

These scores are multiplied together to calculate a Risk Score, which is used to prioritise risks for mitigation actions and other activities.

When selecting a vendor for clinical trial monitoring services, the team use FMEA during the selection process to assess the risk profile of each potential vendor. A potential failure mode could be “unusable site data due to inadequate monitoring processes.”
The team assesses the impact (e.g., high, due to potential impact on trial data integrity), probability (e.g., medium, based on the vendor’s history and industry standards), and detection (e.g., low, given proper audit procedures).
After calculating the risk score, the team compares and prioritises risks across different vendors, aiding in the selection of a vendor with a manageable risk profile.
Once the vendor is onboarded, the FMEA continues to guide the oversight process. Regular updates to the FMEA can capture changes in the vendor’s processes or in the trial requirements, ensuring that risk management activities remain focused and effective.


Understanding and implementing these basic risk management facilitation methods can significantly enhance your vendor risk management activities. While each method has its unique strengths, they collectively provide a robust, holistic approach to identifying, assessing, and managing risks in your clinical trial vendor processes.

The impact of their implementation can be profound – leading to improved process efficiency, quality, and patient safety, and ultimately the successful conduct of clinical trials.

Stay tuned for Part 2, where we will introduce more advanced techniques, such as Failure Mode, Effects, and Criticality Analysis (FMECA), Fault Tree Analysis (FTA), and Hazard Analysis and Critical Control Points (HACCP).

Tom Lazenby

Tom is the Founder and CEO of Mayet. Using his experience in streamlining operations and driving innovation in clinical research, Tom is dedicated to enhancing the efficiency, cost-effectiveness, and risk mitigation strategies for vendor management and oversight.

See other posts »