In the ever-evolving landscape of vendor management, technological advancements have ushered in a variety of software solutions, providing organizations with unprecedented tools to streamline and enhance the oversight and management of vendor relationships.

With over 400 software products in the marketplace, the competition is fierce, and vendors are innovating to stay ahead.

In this blog, I share an overview of the top trends shaping the vendor management software arena and key steps you can follow to evaluate new vendor management software for your organization.

Seven Top Trends in Vendor Management Software

Trend #1: Rise of Best-of-Breed Solutions

Traditionally, organizations adopted comprehensive enterprise resource planning (ERP) systems to manage various aspects of their operations, including vendor management. However, the trend has shifted towards best-of-breed solutions – specialized software that excels in a particular aspect of vendor management, such as procurement, purchase-to-pay, third-party risk management, or contract management.

These focused solutions allow businesses to home in on the tools that best suit their needs, creating a more agile and tailored approach to vendor management.

Trend #2: Easier Integration

While best-of-breed solutions offer targeted functionality, they can also pose integration challenges. Many organizations manage a patchwork of stand-alone solutions that don’t seamlessly communicate with each other. This has led to an increased focus on interoperability and integration capabilities within vendor management software.

Software vendors are investing in open APIs (Application Programming Interfaces) and pre-built connectors to facilitate smoother data flow between disparate systems, ensuring a cohesive and efficient vendor management ecosystem.

Trend #3: Holistic Vendor Management Platforms

Conversely, some vendors aim to provide a one-stop shop for all vendor management needs. These comprehensive platforms have established a long-term product roadmap to integrate procurement, purchase-to-pay, third-party risk management, and contract management into a unified solution.

While these platforms offer the convenience of centralized management, organizations must carefully evaluate their specific requirements to ensure that an all-encompassing solution meets their unique needs without sacrificing depth and specialization.

Trend #4: Advanced Analytics and AI

Integrating advanced analytics and artificial intelligence (AI) will be a game-changer in vendor management. These technologies enable organizations to derive actionable insights from vast amounts of data, empowering them to make informed decisions, predict potential risks, and optimize vendor relationships.

AI-powered tools have the potential to automate routine tasks, enhance accuracy, and identify patterns that might go unnoticed through traditional methods, leading to more proactive and strategic vendor management. While vendor management platforms are still in the early stages of AI integration, their potential is significant.

Trend #5: Emphasis on Cybersecurity

The increasing frequency and sophistication of cyber threats have elevated the importance of cybersecurity in managing vendors and other third parties. Organizations are now prioritizing solutions that incorporate robust cybersecurity features to safeguard sensitive data and mitigate the risk of data breaches. This includes secure data storage, encrypted communications, and continuous monitoring for potential security vulnerabilities in the vendor ecosystem.

One specific area of increased integration is third-party risk intelligence data, which provides more real-time visibility into threats and enables continuous risk monitoring.  While a heavy emphasis is on cybersecurity risk data, other risk domains, such as financial, operational, and ESG, are being integrated as well.

Trend #6: Enhanced User Experience

Usability and accessibility are becoming paramount in the design of vendor management software. Vendors are focusing on creating intuitive interfaces that simplify complex processes, reducing the learning curve for users. A positive user experience increases adoption rates within organizations, and contributes to the overall efficiency of vendor management processes.

Trend #7: Regulatory Compliance and Transparency

Lastly, vendor management software is evolving to include features that ensure organizations adhere to legal and regulatory requirements. Many are aligning their solutions to common regulatory standards or frameworks such as NIST and ISO, making the mapping of processes to specific compliance requirements easier.

Transparency in vendor relationships is also gaining prominence, with tools that enable organizations to track and report on various compliance metrics, fostering trust and accountability in vendor partnerships. These tools are especially important for managing relationships with critical vendors and other third parties.

40 Vendor Management Tasks to Automate with Software

Here’s a list of tasks vendor management software can help you automate, so you can leverage modern solutions to streamline your processes.

Evaluating Vendor Management Software in 2024

Selecting the right software is a critical decision that will significantly impact your organization’s vendor management process efficiency and overall performance. To navigate the diverse landscape of solutions, it’s critical that you clearly define your strategy and system requirements and follow a comprehensive evaluation process. 

Here are some essential steps and considerations for selecting your organization’s vendor management software.

  1. Features: Ensure the software aligns with your organization’s core requirements. Conduct a comprehensive feature analysis to confirm that the software meets current needs and supports anticipated future demands.
  2. Configurability vs. Customization: Configurable software allows organizations to adjust settings, workflows, and features to match their processes without extensive customization and development efforts. This agility enables quick adaptations to changing business needs and minimizes reliance on external support. 
  3. Scalability: Consider your organization’s future growth and scalability. The chosen vendor management software should scale alongside your business, accommodating an increasing number of vendors, transactions, and data without compromising performance. 
  4. User-Friendly Interface: Evaluate the software’s user interface and overall user experience. A user-friendly system will facilitate quicker adoption by your team, reducing training time and increasing overall efficiency. Conduct user trials or demonstrations to assess ease of use. 
  5. Integration Capabilities: Check the integration capabilities of the software. It should seamlessly integrate with your existing systems, such as ERP, accounting, or other relevant software. Look for solutions with open APIs and pre-built connectors to ensure smooth data flow across your organization. 
  6. Data Security and Compliance: Given the increasing emphasis on cybersecurity and regulatory compliance, prioritize solutions that offer robust security features. Ensure the software complies with relevant industry standards and regulations, providing secure data storage, encrypted communications, and audit trails. 
  7. Advanced Analytics and AI:  Assess the software’s analytical capabilities and roadmap for leveraging artificial intelligence. Look for features that provide actionable insights, predictive analytics, and automation of routine tasks. These capabilities will enhance your ability to make informed decisions and optimize vendor relationships. 
  8. Vendor Support and Training: Investigate the level of support and training the vendor offers. A responsive support team and comprehensive training resources are crucial for a successful implementation. Consider the availability of documentation, tutorials, and customer support channels.
  9. Viability: Consider the long-term viability of the vendor. Evaluate the vendor’s financial stability, commitment to ongoing product development, and the frequency of software updates. Choosing a vendor with a solid track record and a clear product roadmap ensures continued support and innovation.

Are you exploring vendor management software? Vendor Centric works with many of the leading software providers. We can help you define requirements, identify solutions in the marketplace, and find the one that best fits your organization’s needs and budget. Schedule a free consultation to learn how we can advise.

Final Thoughts

The technology landscape for vendor management software in 2024 is exciting, but it can also be overwhelming. As organizations navigate the myriad trends shaping this dynamic field, selecting and optimizing the right solutions requires careful consideration. 

As you look to optimize vendor management technology for your organization, follow a thoughtful strategy and thorough game plan so you can confidently embrace the power of vendor management software to unlock real value from your vendor management operations now and into the future.

More than ever before, organizations are adopting holistic, process-driven vendor management. They are evolving vendor management from a mere compliance function to a strategic driver of measurable value.

We expect this trend toward value creation to grow as companies seek practical ways to optimize performance, mitigate risk, and control costs with their growing ecosystems of vendors and third parties.

The beauty of this growing trend lies in the many ways vendor management can unlock value for the business.  Here are four value-creation initiatives any organization can undertake, along with practical examples for each.

Cost Savings Initiatives: Reducing and Optimizing Spend

Cost savings initiatives help you reduce and optimize spend with third-party vendors.  These initiatives are a highly visible way to create value within the business, as you can readily measure and report the savings you create.

One example of a cost savings initiative is a vendor rationalization project. It’s done by taking a systematic and structured approach to reviewing your current supply base and identifying opportunities to reduce and streamline your vendor relationships.

Streamlining your supply base can help you achieve cost savings by eliminating redundant services and forcing out unnecessary spending that doesn’t add value to the business. The benefits, though, extend beyond just cost savings.  They include improved efficiencies and reduced risk – both created by working with fewer vendors.

Vendor Risk Reduction Initiatives: Identifying and Mitigating Threats

From resilience to reputation, vendors and other third parties present myriad risks to your organization.  Vendor risk reduction initiatives are vital for identifying, mitigating, and eliminating potential threats within your vendor ecosystem.

A critical vendor review is an example of a risk reduction initiative that can make a big impact.

Critical vendors provide goods and services so essential that any operational failure on their part will likely result in a corresponding failure within your own operations. A critical vendor review involves a comprehensive assessment of these high-risk relationships to identify gaps in how contracts and risks are being managed and implement strategies to close those gaps to minimize the likelihood of potential disruptions and fortify operational resilience when disruptions do occur.

Vendor risk reduction initiatives create value by proactively reducing risk and building a robust, adaptable supply chain.

Vendor Performance Improvement Initiatives: Enhancing Quality and Reliability

Vendor management can also create value by enhancing the quality and reliability of vendor performance. One effective method is implementing vendor performance scorecards. These scorecards act as objective measures of key performance indicators (KPIs) relevant to your business goals, enabling you to evaluate vendor performance transparently.

Implementing a vendor performance scorecard involves defining relevant KPIs, establishing measurement and reporting mechanisms, and fostering transparent communication with vendors. However, the benefits of implementing vendor performance scorecards extend beyond mere metrics. They improve service quality, enhance collaboration and innovation, and provide opportunities to drive continuous improvement in vendor relationships. 

Vendor performance improvement initiatives ensure that vendors meet current standards and anticipate future demands. This proactive approach facilitates long-term partnerships that drive mutual growth and success.

Process Efficiency Initiatives: Improving Operational Effectiveness

A fourth way vendor management can create value is through process efficiency initiatives.  These initiatives are geared towards streamlining and optimizing processes to improve operational effectiveness. 

A prime example of an efficiency initiative is a vendor management system assessment. This assessment evaluates how your organization uses technology to initiate, manage, and oversee relationships with vendors and other third parties.

This assessment aims to ensure the technology you have in place enables efficient, effective, and transparent vendor management processes.  Key areas that are typically evaluated in a vendor management system assessment include:

  • System strategy and functionality
  • Integration
  • User interface
  • Data security
  • Scalability
  • Data governance
  • Reporting
  • Compliance
  • Software provider roadmap, support, and training

A comprehensive vendor management technology assessment helps you identify areas for improvement, optimize processes, and leverage modern technology to support scalable, efficient operations.

Why Wait When You Can Start Creating Value Today

The potential for vendor management to create value is vast and multifaceted.  The highlighted initiatives – cost savings, risk reduction, performance improvement, and process efficiency – are not isolated endeavors but interconnected facets of what can be achieved when an organization takes a strategic approach to vendor management.  

Determining where and how to get started is always the most challenging part of any new initiative. Vendor Centric has simplified your journey; take your first step today. Our brief Value Creation Opportunities Survey will help you unlock the full potential of your vendor management operations and highlight opportunities for improvement.

Vendor management continues to evolve at an unprecedented pace.  Customers, boards, auditors, and regulators are demanding more robust policies, procedures, and oversight of vendors and other third-party relationships.

From an operational perspective, senior management is under pressure to maintain an effective infrastructure while identifying ways to extract value through vendor risk reduction, performance improvement, and cost control.

From a market perspective, new regulations are being introduced, and new technologies are emerging on what feels like a monthly basis.

While the challenges are many, these 10 trends have the greatest potential to unlock the power of vendor management in 2024.

1. Creating Value

As an uncertain economic climate continues to cast its shadow into the new year, organizations will look to vendor management to identify new, creative ways to drive value throughout the supply base.

Expect to see a focus on targeted initiatives to control costs, minimize risk, and amplify vendor performance.  Vendor management will be under increased pressure to run the day-to-day while bringing tangible value to the business.

2. Strengthening Operational Resilience

Persisting supply chain disruptions continue to shine a spotlight on the need to mitigate third-party risk to strengthen operational resilience.  This is especially true with vendors providing critical services to the business.

There will be an increased focus on identifying and managing critical vendors and on enhancing due diligence and continuous monitoring. Organizations will also look for ways to improve resilience through stronger contingency planning and supplier diversification.

3. Testing Artificial Intelligence

As the hype (and the potential) for Artificial Intelligence (AI) continues to grow, vendor management software providers are rapidly integrating AI into their platforms – making it ubiquitous in day-to-day operations.  

In 2024, vendor management will test various ways to leverage AI to find what works best within their organizations. Process automation, data analysis, and data governance will be critical focus areas.

4. Digitizing & Automating Processes

With over 400 vendor management systems in the marketplace, the opportunity has never been greater to leverage technology to provide speed, efficiency, and real-time information. 2024 will see an increased adoption of vendor management systems designed specifically to support procurement, contracts, third-party risk, and compliance.

An emerging technology to keep an eye on is data intelligence solutions, which are integrating more frequently into vendor management systems. These data solutions provide real-time screening and risk monitoring, fostering faster, more informed decision-making.

5. Upskilling

As organizations embrace a more holistic, lifecycle approach to vendor management, professionals need to expand their skill sets beyond their traditionally siloed roles.  

Organizations seek individuals with broader capabilities across procurement, contracts, risk, compliance, and finance.  Skills in communication, process automation, data analysis, and change management will all be in demand.

Infographic: Top 10 Vendor Management Trends to Watch in 2024

View the informative graphic detailing the trends shaping vendor management in 2024 and impacting your business initiatives.

6. Integrating ESG and Diversity

The global call for ethical and inclusive practices has extended its reach into vendor management. Companies are striving to build an ecosystem of vendors with shared values, while also complying with a growing list of regulations requiring transparent, sustainable business practices. 

Vendor management will build on the work started in 2023, with a focus on aligning policies and procedures with broader corporate values and regulatory requirements related to Environmental, Social, and Governance (ESG) and Diversity, Equity, and Inclusion (DEI).  

7. Fortifying Governance

To enable more effective vendor management across departments, organizations need to bring siloed stakeholders together to foster cohesion and collaboration. Stronger governance will be needed to align stakeholders from various business units, including procurement, legal, risk, finance, compliance, and information security.

Expect to see initiatives to improve the alignment of policies and procedures, systems, and reporting across departments to enable more efficient vendor management operations and more effective oversight.

8. Adapting to New Regulations

Recent years have introduced a number of new laws impacting third-party management, including cybersecurity, data privacy, human rights, and environmental stewardship.  This trend will continue into 2024.

While monitoring the changing regulatory landscape, organizations will refresh vendor management policies and procedures to ensure they stay compliant.

9. Doubling Down on Data Protection

Recent years have also introduced us to hundreds of data breaches, many of which can be traced to failures by third parties.  With more than 300 million terabytes of data created each day, third-party breaches will continue into 2024.  

Organizations will look to strengthen third-party diligence around data security and privacy, with an enhanced focus on augmenting point-in-time diligence with continuous threat monitoring.  As importantly, limiting data exchange with third parties will be an area of focus to mitigate risk when breaches occur.

10. Transferring Risk Downstream

The modern supply chain has gotten incredibly complex.  It includes myriad downstream (i.e., ‘Nth Party’) suppliers, service providers, and independent contractors that all play a role in service delivery and all present risks to the organization.

Driven by new regulatory guidance on managing fourth-party risk, organizations will emphasize that their vendors maintain effective, compliant vendor management programs. They will also look for better ways to transfer risk directly to their third-party vendors when downstream problems occur.

What’s Your Plan to Unlock the Power of Vendor Management in 2024?

2024 promises to be a dynamic year for vendor management, marked by a confluence of challenges and unprecedented opportunities. 

The emphasis on creating value, strengthening operational resilience, testing artificial intelligence, and digitizing processes underscores the imperative for adaptability and innovation. 

The integration of ESG and diversity considerations, upskilling of professionals, fortifying governance, and adapting to new regulations showcase the comprehensive nature of modern vendor management. 

Moreover, the focus on data protection and the strategic shift of transferring risk downstream reflect a commitment to robust risk management practices. 

By embracing these trends, organizations have a unique opportunity to harness the power of vendor management, aligning it with broader corporate values, fostering collaboration across departments, and ensuring compliance in an ever-changing regulatory landscape. 

While the challenges remain, the potential for unlocking value and enhancing resilience has never been greater.

Vendor Centric can assist your organization in staying ahead of the curve and streamlining your vendor management program at all stages. 

Contact us to schedule a free, no-hassle consultation to assess all your organization’s needs and how we can help.

As a third-party risk practitioner and consultant, I’ve worked with hundreds of stakeholders across multiple industries. One of the fundamental questions I always hear is, “Who qualifies as a third party?”

It’s a great question because an organization’s third-party ecosystem encompasses much more than suppliers.

Who is a Third-Party When It Comes to Risk Management?

A third party is any company or individual outside of your organization with whom you have entered into a business relationship – regardless of whether or not you have a formal contract.

Most organizations work with a wide range of external entities and individuals that can pose potential risks. In third-party risk management, those entities and individuals can vary depending on the nature of your business, industry, and specific operational requirements.

Here are just a handful of common categories of third parties that organizations typically need to consider when it comes to third-party risk management:

1. Outsourced Service Providers
  • Employee benefits administration
  • Recruitment and staffing agencies
  • Human resources
  • Accounting
  • Payroll Processing
2. Technology Partners
  • IT service providers
  • Cloud service providers
  • Software providers
  • Software hosting companies
  • Hardware manufacturers
  • Data processing companies
3. Financial Partners
  • Banks and financial institutions
  • Credit card processors
  • Investment firms
  • Credit Reporting Agencies
4. Legal and Professional Services
  • Consulting firms
  • Law firms
  • Accounting firms
  • Advertising and marketing agencies
5. Material Suppliers and Logistics
  • Raw material suppliers
  • Component suppliers
  • Finished goods suppliers
  • Shipping and logistics companies
  • Transportation providers

The sheer diversity and prevalence of third parties within most organizations can often take one by surprise. Many organizations don’t realize the extent of their engagement with third parties. 

This is why it’s so important to take a comprehensive approach to third-party risk management. It’s the only way to ensure third-party risk is identified, assessed, and mitigated so that your organization is protected from the potential challenges arising from third-party relationships.

What is Third-Party Risk Management?

Third-party risk management is an organization’s systematic process to monitor and mitigate potential exposure to problems, harm, or loss that may arise from interactions with third parties. The primary goal of third-party risk management is to fortify the organization against various threats, including financial instability, regulatory non-compliance, data breaches, and other vulnerabilities that might come from interactions with external partners.

The process of third-party risk management involves a series of strategic steps aimed at fostering a proactive and vigilant approach to potential challenges. Here’s an overview of a standard, six-step process.

What About Fourth Parties?

There is a component of third-party risk management that is often overlooked, and that’s the concept of fourth-party risk.     

Fourth parties are the ‘vendors of your vendors.’  You don’t have a direct relationship with them, but they can pose significant risks to you.

For best practices on fourth-party risk management, check out this related post on Practical Guidelines for Managing Fourth-Party Risk.

Don’t Let Risks with Third Parties Catch You Off Guard

Managing risk with third parties involves recognizing the expansive array of external entities that can impact your organization’s operations. From service providers and technology partners to financial institutions, the diversity of third parties is extensive and often catches organizations off guard.

To effectively manage these risks, it’s essential to take a process-driven, comprehensive approach to third-party risk management. Be proactive and vigilant to safeguard the business and build resilience against potential threats.

Want to learn more on this topic? Be sure to check out 5 Best Practices for Successful Vendor Risk Assessments and Incorporating KRIs Into Your Third-Party Risk Management Reporting.

Vendor Centric can help your organization identify and mitigate risk with your third parties, and establish solid risk management policies, procedures, and systems.

Contact us to schedule a free, no-hassle consultation to explore your needs and how we can help.

In the dynamic world of procurement and vendor management, purchase orders (PO) are critical in achieving efficiency, cost control, and compliance.

A purchase order is a document that ensures goods and services are acquired, tracked, and paid for effectively. But how does it fit into an efficient purchase-to-pay workflow? And is a PO necessary for every type of purchase?

In this comprehensive guide, I’ll answer these questions and more as I help you navigate the intricacies of using POs to support an effective P2P process within your organization.

What is a Purchase Order?

A purchase order is a legally binding document issued from a buyer (your organization) to a seller (third-party supplier/vendor) when making a purchase. It serves as a reference point for both parties, ensuring that goods, services, pricing, and other commercial terms are communicated and agreed upon.

Once the seller receives the purchase order and accepts its terms, the PO becomes a legally binding contract between your organization and the seller.

Benefits of Using Purchase Orders

Purchase orders offer several benefits to both buyers and sellers. These benefits contribute to smoother and more efficient procurement processes, improved financial management, and enhanced communication between parties.

Here are some of the advantages of using purchase orders:

Formal Documentation: Purchase orders provide a written record of the details of the purchase transaction. The use of formal documentation ensures expectations are clearly communicated, which reduces misunderstandings and disputes between your organization and the seller.

Budget Control: When a purchase order is created and approved, it effectively reserves a portion of the budget for that purchase. Budget control helps ensure that funds are set aside and earmarked for the intended procurement, preventing overspending and ensuring funds are available when needed.

Order Tracking: Purchase orders provide a reference number that facilitates easy tracking of orders, shipments, and deliveries so you can readily stay informed about the transaction’s progress.

Inventory Management: Purchase orders provide accurate information about the quantity and timing of expected deliveries, allowing for better planning and stock control.

Streamlined Receiving and Invoicing: Goods or services received can be matched with the details on the purchase order, streamlining the process of receiving and processing invoices.

Vendor Accountability: Sellers are bound by the terms and conditions outlined in the purchase order, which holds them accountable for delivering goods or services as agreed.

Audit Trail: Purchase Orders create a clear audit trail for financial and compliance purposes, making it easier to demonstrate adherence to procurement policies and regulations.

Key Elements of a Purchase Order

Purchase orders are relatively straightforward documents. Key components commonly found in a purchase order include:

  • Buyer and Seller Information: Names, addresses, and contact information of your organization (the buyer) and the vendor (the seller).
  • Purchase Order Date: The date on which the purchase order is issued.
  • Delivery Date: The expected delivery date or a timeline for the delivery of the goods or completion of the services.
  • Purchase Order Number: A unique identification number assigned by your organization that helps to track and reference the order in the future.
  • Description of Goods or Services: A detailed description of the products or services being ordered, including quantities, specifications, and other relevant details.
  • Price: The agreed-upon fee for each item or service, as well as the total amount for the entire order, plus tax, freight, and other applicable charges.
  • Payment Terms: The terms for paying the seller, including discounts, due dates, or payment methods.
  • Shipping and Handling Instructions: Instructions regarding the shipping method, carrier, and any special handling requirements for the goods.
  • Terms and Conditions: Details of all standard terms and conditions of the purchase, such as warranties, return policies, or penalties for late delivery. These can be part of the PO document or provided as a referenced attachment.
  • Reference to Associated Contracts: If a separate Master Services Agreement (MSA) or Statement of Work (SOW) was negotiated with the vendor, the PO should reference those agreements. This reference communicates that the terms and conditions of those agreements govern the PO.
  • Signature and Authorization: Some organizations require that an authorized representative of the buying organization sign the PO. The need for authorization will depend on your organization’s policies and practices.

Where Do Purchase Orders Fit Into the Purchase-to-Pay Process?

Purchase orders are a critical component within the broader purchase-to-pay (P2P) process, as they provide control once a purchase has been approved.


An effective purchase-to-pay process helps to streamline and optimize procurement, ensuring that purchases align with budgetary constraints, organizational policies, and compliance requirements while fostering efficient communication between your organization and your vendors.

Here’s a step-by-step overview of the purchase-to-pay process, including where purchase orders fit in.

Step 1: Purchase Requisition
The P2P process typically begins when someone in the business (the Purchaser) identifies a need for a good or service and submits a purchase requisition (PR) to initiate the process.  The PR is an internal document outlining the requested items’ requirements, specifications, and estimated costs.  In cases where the Purchaser has already selected a vendor, the PR will collect information on the vendor, along with documentation of any bids or quotes the vendor has already provided.

Step 2: Purchase Requisition Approval
The purchase requisition is then routed for approval based on predefined approval authority.  The approver will review the request and any supporting documentation, such as formal bids or quotes, to ensure the goods or services are needed and within budget.

Step 3: Purchase Order Creation
The purchasing department (or relevant personnel) creates the purchase order based on the approved purchase requisition. The PO is an external document sent to the vendor to authorize the provision of the requested goods or services.

Step 4: Purchase Order Approval
The purchase order typically requires approval from authorized personnel, such as department heads or procurement managers, to ensure it aligns with budgetary constraints and organizational policies.  Once approved, the PO is sent to the vendor to initiate the transaction formally.

Step 5: Goods or Services Delivery
Upon accepting the purchase order, the vendor prepares and delivers the specified goods or services within the agreed-upon time frame.

Step 6: Receipt and Inspection
The purchaser (or receiving department) checks the delivered items against the details in the purchase order to verify the quantity, quality, and condition. Any discrepancies are documented and remediated.

Step 7: Invoice Processing
Once the goods or services are received and accepted, the vendor sends an invoice, typically referencing the purchase order number. The invoice is matched against the purchase order (and the receiving report, when applicable) to confirm that quantities, prices, and terms align before it is approved for payment.

Step 8: Payment 
After the invoice is verified and matched, payment is authorized and sent to the vendor using the agreed-upon payment method, such as check, ACH, wire, or virtual card.
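As an added illustration of the matching control in Step 7 (example code, not from the original post), here is a small Python three-way match that compares an invoice against its purchase order and receiving report before payment is released. The document and line structures, the 2% price tolerance, the duplicate-invoice check, and the sample PO, receipt and invoice are all constructed for this example.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Line:
    """One line of a PO, receiving report or invoice (constructed type for this example)."""
    sku: str
    qty: Decimal
    unit_price: Decimal = Decimal("0")   # receiving reports carry quantities only


@dataclass(frozen=True)
class Doc:
    number: str    # PO number, receipt number or invoice number
    po_ref: str    # the PO this document references (a PO references itself)
    lines: tuple


def by_sku(doc):
    return {line.sku: line for line in doc.lines}


def three_way_match(invoice, po, receipt, price_tol=Decimal("0.02"), paid=frozenset()):
    """Return the list of exceptions; an empty list means the invoice clears the match.

    Controls applied (assumptions of this example, not rules from the article):
      * the invoice and the receipt both reference the PO being matched
      * the invoice number has not already been paid (duplicate-invoice check)
      * every invoiced SKU appears on the PO
      * received qty <= ordered qty, and invoiced qty <= received qty
      * invoiced unit price is within price_tol of the PO unit price
    """
    exceptions = []
    if invoice.number in paid:
        exceptions.append(f"duplicate: invoice {invoice.number} was already paid")
    for doc, kind in ((invoice, "invoice"), (receipt, "receipt")):
        if doc.po_ref != po.number:
            exceptions.append(f"{kind} {doc.number} references {doc.po_ref}, not PO {po.number}")
    po_lines, rcv_lines = by_sku(po), by_sku(receipt)
    for inv in invoice.lines:
        po_line = po_lines.get(inv.sku)
        if po_line is None:
            exceptions.append(f"{inv.sku}: invoiced but not on PO {po.number}")
            continue
        received = rcv_lines[inv.sku].qty if inv.sku in rcv_lines else Decimal("0")
        if received > po_line.qty:
            exceptions.append(f"{inv.sku}: received {received} exceeds ordered {po_line.qty}")
        if inv.qty > received:
            exceptions.append(f"{inv.sku}: invoiced {inv.qty} but only {received} received")
        ceiling = po_line.unit_price * (1 + price_tol)
        if inv.unit_price > ceiling:
            exceptions.append(
                f"{inv.sku}: unit price {inv.unit_price} exceeds PO price "
                f"{po_line.unit_price} plus {float(price_tol):.0%} tolerance")
    return exceptions


# Constructed sample documents: the vendor short-ships one cable but bills all five,
# and at a price above what the PO agreed.
PO = Doc("PO-1001", "PO-1001", (
    Line("WIDGET-A", Decimal("10"), Decimal("12.00")),
    Line("CABLE-B", Decimal("5"), Decimal("3.00")),
))
RECEIPT = Doc("RR-88", "PO-1001", (
    Line("WIDGET-A", Decimal("10")),
    Line("CABLE-B", Decimal("4")),
))
INVOICE = Doc("INV-2207", "PO-1001", (
    Line("WIDGET-A", Decimal("10"), Decimal("12.00")),
    Line("CABLE-B", Decimal("5"), Decimal("3.10")),
))
# A second constructed invoice that bills only what was received, at PO prices.
CLEAN_INVOICE = Doc("INV-2208", "PO-1001", (
    Line("WIDGET-A", Decimal("10"), Decimal("12.00")),
    Line("CABLE-B", Decimal("4"), Decimal("3.00")),
))


def match_sample():
    """Run the match on the constructed documents; yields two CABLE-B exceptions."""
    return three_way_match(INVOICE, PO, RECEIPT)


if __name__ == "__main__":
    for problem in match_sample() or ["invoice clears three-way match"]:
        print(problem)
```

Anything returned by `three_way_match` should hold the invoice for review rather than letting it flow to payment; the duplicate-invoice check matters because re-submitted invoice numbers are a common way over-billing slips past a match that only looks at a single invoice.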

Does Every Purchase Need a Purchase Order?

The short answer is No. 

The decision to use a purchase order depends on your goals for controlling costs and reducing risk.  Many organizations find there is a diminishing return when requiring POs for every type of purchase. Here are some key considerations:

Low-Value Purchases: Some organizations establish a threshold for purchase orders where transactions below a specific dollar amount don’t require a PO. They’ve determined that the benefits gained from controlling these low-cost transactions through a PO aren’t worth the effort.

Emergency Purchases: Most organizations do not require purchase orders in urgent situations when immediate action is needed to address critical issues or safety concerns. However, they also limit these situations by establishing clear policies and guidelines for what constitutes an emergency.

Preferred Vendor Agreements: Lastly, some organizations do not require purchase orders when formal contracts are already in place. The reasoning is that the control has already been established through the contract, so they don’t see the need for additional controls through a purchase order.

Ultimately, deciding when to use purchase orders should align with your organization’s specific policies and procedures and legal and regulatory requirements.

Case Study: American Councils

Read how the American Councils for International Education boosted compliance and transformed procurement operations with a comprehensive program and centralized system.

Using Purchase-to-Pay Software to Enforce Purchase Order Controls and Streamline Processes

Depending on the size of your organization, you may issue hundreds to thousands of purchase orders annually.  It isn’t practical to manually process purchase orders. You must utilize purchase-to-pay software to enable an efficient, cohesive PO process.

P2P software helps you manage and streamline purchasing and accounts payable processes and is part of the broader suite of vendor management software applications.

P2P software provides a wide range of functions and features, including:

  • Vendor Management – Maintaining a central database of your vendors and tools for vendor onboarding, evaluation, and performance monitoring. 
  • Purchase Requisition – Creating purchase requisitions and enabling automatic routing for approval based on pre-established workflows.
  • Purchase Orders – Automatically generating purchase orders from approved purchase requisitions.
  • Receipt and Inspection – Managing the receipt and approval of goods to ensure they meet quality and quantity requirements. 
  • Invoice Processing – Receiving and processing invoices electronically, including data entry automation and three-way matching to ensure compliance with contractual terms.
  • Payment Processing – Paying invoices by check or electronic payment.
  • Spend Analytics & Reporting – Analyzing spend data to gain insights into spending patterns, identify cost-saving opportunities, and make more informed procurement decisions.
  • Compliance Monitoring – Monitoring adherence to procurement policies so that internal and external (regulatory) compliance requirements are met.
  • Integration – Connecting with other enterprise applications, such as ERP (Enterprise Resource Planning) and financial systems, to provide a seamless data flow across the organization.

Are you interested in Learning More About P2P software?  Vendor Centric works with many of the leading P2P software providers.  We can help you define requirements, identify solutions in the marketplace, and find the one that best fits your organization’s needs and budgets.  Schedule a free consultation to learn how we can help.

P2P software is essential for managing purchase orders and the entire purchase-to-pay process, saving your organization time and money while helping to enforce controls.

There are dozens of P2P software products on the market.  It’s important to clearly document your requirements and thoroughly research the marketplace before buying P2P software.

Conclusion

Using purchase orders is a fundamental component of a well-structured purchase-to-pay process, offering many benefits to procurement and vendor management organizations. These benefits include formal documentation, budget control, order tracking, inventory management, streamlined receiving and invoicing, vendor accountability, and providing a clear audit trail.

While not every purchase requires a purchase order, their use should align with your organization’s specific policies and procedures, considering factors such as transaction value, preferred supplier agreements, and the nature of the purchase. 

Your ultimate goal when using purchase orders should be to balance efficiency and compliance in your procurement process.

Want to learn more on this topic?  Be sure to check out Procurement Risks and How to Manage Them and How to Perform a Procurement Excellence Assessment.

Vendor Centric can help your organization streamline your procure-to-pay process, including finding and implementing the right procure-to-pay software.

Contact us to schedule a free, no-hassle consultation to explore your needs and how we can help.

To thrive in any economy, strong vendor relationships are paramount to success. That’s why understanding and implementing effective procurement policies and procedures is nothing short of essential.

In this comprehensive guide, we share the core principles and best practices for procurement policies and procedures that will empower you to confidently design, document, and implement them within your organization.

Whether you’re just starting your journey to implement procurement best practices, or looking for new ideas to improve procurement policies and procedures that you already have, this guide is for you.

What are procurement policies?

Procurement policies guide your organization’s procurement strategy, fostering responsible and efficient procurement procedures. They define the overarching standards and guidelines of ‘what’ is expected of employees to conduct procurement efficiently, ethically, and in compliance with requirements.

Procurement policies should provide guidelines for the entire lifecycle of activities employees will undertake when they acquire goods and services, including:

  • Planning and sourcing
  • Solicitation management, including competitive and noncompetitive bidding
  • Vendor evaluation and selection
  • Risk assessments and due diligence
  • Purchasing, including purchasing authority and approval
  • Delivery & acceptance of goods and services
  • Invoice approval & payment

Here’s an example: a simple procurement policy for competitive bidding.

Illustrative Policy for Competitive Bidding:

“Any procurement over $25,000 must be competitively bid through either a price quote or a request for proposal.  At least three prospective vendors must be solicited, and at least two quotes/proposals received.”

As a best practice, procurement policies should also reflect and align with your organization’s broader strategic objectives, corporate goals, and values, including sustainability, diversity and inclusion, and data protection. While these broader corporate objectives (and related policies) are oftentimes defined elsewhere, applicable components must be considered and aligned with your procurement policies.

For example, your organization’s information security policy will define standards and guidelines for protecting information. Your procurement policy should align with those guidelines to ensure information shared with vendors and other third parties is protected, and procurement activities are compliant. However, policies should not be prescriptive about how to do things. That’s where your procedures come into play.

What are procurement procedures?

Procurement procedures are the practical, step-by-step processes employees must follow to execute the principles outlined in your procurement policies. They define ‘how’ things get done, including the specific actions and workflows necessary to carry out procurement activities efficiently and consistently.

In this example, an employee procures consulting services over $25,000 (the threshold that requires competitive bidding).

Example Procedure for Competitive Bidding

  • Define requirements for the goods or services and develop a cost estimate
  • Obtain approval to go to market and solicit quotes
  • Research the market to identify at least three prospective vendors to participate in the competitive solicitation
  • Solicit quotes from prospective vendors
  • Receive and evaluate quotes, ensuring that at least two quotes are received
  • Conduct interviews/demos, as appropriate, to identify the finalist
  • Perform a pre-contract risk assessment and due diligence on the finalist
  • Negotiate and award the contract

Given the complexity of Virgin Galactic’s supply chain operation, and competing demands on our own time, we needed a partner to help us establish scalable policies, procedures, and infrastructure to support our rapidly expanding supplier management operations. We were fortunate to find Vendor Centric. In addition to guiding us through the strategic thinking, they rolled-up their sleeves to help us create documentation and operationalize all of our supplier activities.

Lisa Morris
Vice President, Supply Chain, Virgin Galactic

Seven big benefits of having written procurement policies & procedures.

As you can see, developing procurement policies sets the overall direction and principles for procurement, while procedures provide detailed instructions for executing specific tasks or processes in alignment with those policies. Together, they bring several significant benefits to your organization:

Consistency and Standardization

Documenting policies and procedures establishes consistent and standardized processes for procurement across the organization. This consistency helps eliminate confusion and ensures that everyone involved in procurement understands their roles and responsibilities. Standardized procedures also enable better control over the quality, quantity, and pricing of goods and services purchased, leading to cost savings and improved efficiency.

Risk Mitigation and Management

Effective procurement policies and procedures include risk management protocols to identify, assess, and mitigate potential risks associated with purchasing activities. This proactive approach helps minimize the likelihood of issues such as supplier disruptions, contract disputes, or fraud. Having clear risk management guidelines will better protect your organization’s interests and assets.

Cost Control

Documented budgetary limits, competitive bidding requirements, and cost-saving measures all help your organization control costs and ensure purchases are made in a cost-effective manner. Clear procurement procedures help prevent unauthorized or unnecessary spending by defining approval processes and purchase authorization levels.

Legal and Regulatory Compliance

Compliance with local, national, and international laws and regulations is critical for your organization. Well-designed procurement policies and procedures help ensure purchasing activities follow requirements such as anti-corruption laws, environmental regulations, and data protection laws. Non-compliance can lead to legal penalties, fines, and damage to your organization’s reputation.

Transparency and Accountability

Documented procurement procedures create transparency in the procurement process, ensuring employees, boards, regulators, auditors, and funders understand how procurement is managed and how decisions are made.

Audit and Reporting

Accountability is enhanced when documentation is in place, as tracing and auditing procurement transactions becomes easier. Auditors can review activities against established guidelines to assess compliance and identify any irregularities. Your organization can also generate accurate reports reviewing procurement activities, helping management make informed decisions.

Case Study: Atlantic Council

Learn how Vendor Centric helped Atlantic Council refresh and modernize their existing procurement program to meet the needs of a growing organization.

A step-by-step guide to developing your procurement policies & procedures.

As you can see, the benefits of procurement policies are of tremendous value to your organization. However, crafting them can be daunting, especially starting from scratch.

This step-by-step guide will walk you through the process of planning and developing your procurement policies and procedures. It provides a roadmap you can follow to create a robust (yet right-sized) set of policies and procedures that will enhance transparency, efficiency, and compliance in your procurement operations.

Step 1: Establish a Baseline for Your Organization’s Needs

Before diving into creating or revising procurement policies and procedures, it’s crucial to understand your organization’s specific needs and constraints. Start by conducting a thorough assessment.

  • Define your operating model: Will your organization employ a centralized, decentralized, or hybrid procurement operating model? Your operating model will inform where activities should be performed and who should perform them.
  • Determine the procurement volume: Evaluate the scale of your organization’s purchasing activities. Consider the number of transactions, the value of purchases, and the frequency of procurement.
  • Identify the types of goods and services you buy: Categorize the products and services your organization procures. Different categories may require different procurement approaches.
  • Analyze regulatory requirements: Understand the legal and regulatory framework that governs your industry and geographic location.
  • Assess internal resources: Evaluate the human and financial resources available for procurement. Consider the size and expertise of your procurement team.

Step 2: Define Clear Objectives

Once you have a solid baseline of your needs and constraints, define clear goals and objectives for what you want your procurement policies to achieve. Common procurement objectives include:

  • Cost savings: Procure goods and services at the best possible price without compromising quality.
  • Supplier diversity: Promote inclusivity by engaging with various suppliers.
  • Risk management: Minimize vendor-related risks stemming from operational disruptions, data breaches, or compliance issues, for example.
  • Efficiency and transparency: Streamline the procurement process and ensure transparency in decision-making.
  • Sustainability: Incorporate environmentally friendly and socially responsible practices into procurement.

Clearly defined objectives serve as the framework for developing procurement policies and procedures that meet your organization’s unique needs.

Step 3: Create an Implementation Team and Begin Getting Buy-In

Form a dedicated team responsible for overseeing the development and deployment of the new (or improved) policies & procedures. This team should include procurement, risk, legal, IT, information security, compliance, and change management experts. Assign clear roles and responsibilities to team members, including identifying a team lead.

An important role for this team will be facilitating change management, starting with obtaining buy-in from key executives, department heads, and staff. The team should communicate the advantages of the new policies and procedures and how they will benefit the organization as a whole, address any concerns, and encourage feedback to ensure everyone is on board.

Step 4: Define Your Procurement Policies and Standards

Now that the planning is done, you can begin developing your procurement policies. You always want to start with policies first, as they define the overarching standards and guidelines of ‘what’ is expected of employees.

A few of the important components of your policies that you’ll need to define include:

  • Applicability: Identify specific types of vendors that are out-of-scope and/or excluded from the policy, if any.
  • Purchasing authority: Define who can initiate, approve, and execute procurement and purchasing activities.
  • Sourcing: Specify the different sourcing methods employees should use and when they are required. Examples include competitive solicitations like RFQs and RFPs and non-competitive solicitations like sole sourcing and emergency purchases.
  • Risk management: Address how your organization will identify, assess, and mitigate procurement-related risks before onboarding a new vendor.
  • Related policies: Cross reference to policies that must be complied with in the procurement process. Examples include standards of conduct, conflicts of interest, handling of confidential information, and document retention and storage.
  • Policy governance: Identify the governing body that provides independent oversight of the policies (generally a board or board-designated committee) and the executive who is ultimately accountable for policy compliance.

Sample Competitive Solicitations Policy Document

Get standardized and systematic for cost-effectively soliciting quality goods and services.

Step 5: Document Your Procurement Processes, Roles, and Responsibilities.

Once your policies are defined, it’s time to create detailed procedures that provide step-by-step guidance for procurement activities. The level of detail in your procedures should align with your organization’s size and complexity.

Key activities you should document in the procurement procedures include:

  • Procurement planning: Describe how procurement needs are identified, budgets are set, and procurement plans are developed.
  • Bidding and negotiation: Provide guidance on the procurement methods (e.g., small purchases, competitive quotes and proposals, sole sourcing, etc.) your organization will use.
  • Supplier selection: Outline the process for identifying potential suppliers, conducting evaluations, and making selection decisions.
  • Purchase requisition and approval: Specify how purchase requests are initiated, approved, and processed.
  • Risk assessments: Define processes for assessing and mitigating risks before signing a contract.
  • Contract management: Detail how contracts are executed, monitored, renewed, or terminated.
  • Record-keeping and documentation: Explain the documentation requirements for each procurement transaction, including purchase orders, contracts, and receipts.

It’s important to note that some of these activities may be defined in separate policies. For example, some organizations maintain stand-alone contract management or third-party risk management policies. In these cases, you want to ensure your procedures specify the ‘handoff’ between the procurement-related processes.

Also, be specific about defining roles and responsibilities in the procurement procedures.

Many organizations write their procedures in the passive voice, making it difficult to understand who is ultimately responsible. Here’s an example:

“Prior to initiating a Request for Quote, business requirements for the goods or services must be defined and documented.”

Here is a better version that clearly defines who’s responsible.

“Before initiating a Request for Quote, the business owner is responsible for defining and documenting the business requirements for the goods or services.”

This second version clarifies that the business owner is responsible for this process, which helps avoid confusion or misinterpretation.

Step 6: Create Supporting Tools and Templates

An important component of your procurement procedure framework will be the forms, templates, checklists, and other tools you will need to support the efficient, compliant implementation of these procedures.  Create these last after your procedures have been defined.

Some of the common tools and templates you’ll want to create include RFx templates (RFQ, RFP, RFI), a proposal evaluation checklist, purchase requisition templates, and purchase order templates.

Step 7: Review and Right-Size to Your Goals and Resource Capabilities

Lastly, after you have developed and documented your policies and procedures, it’s important to step back and ask yourself, ‘Can we really do all of this?’

Key questions you’ll want to ask when reviewing your draft policies and procedures include:

  • Resources: Do we have enough resources to handle the workload?
  • Skills: Do we have the necessary knowledge (or can we add it to our team)?
  • Technology: Do we have the right technology to enable efficient workflow? If not, do we have the budget and appetite to purchase it?
  • Governance: Do we have the ability to oversee the breadth of procurement policies, procedures, and activities to ensure they are executed consistently and compliantly?

Don’t try to boil the ocean, especially if you’re establishing procurement policies and procedures for the first time. Instead, focus on doing what’s most important and executing with consistency and quality.

One way to stress test things before full-scale implementation is to conduct pilot tests.  These help you identify and address any potential issues or challenges, gather feedback, and make necessary adjustments.


Write your policies & procedures for clarity and effectiveness.

Writing policies and procedures is a heavy lift and requires a blend of art and science. You want to cover everything necessary, but you also want them to be user-friendly for your employees.

We’ve learned several procurement policy and procedure insights over the years, having written hundreds of policies and procedures for our clients:

By following these best practices, you can create policies and procedures that are easy to understand, leading to better compliance and improved organizational efficiency.

Strategies to drive rollout and adoption:

Developing procurement policies and procedures is just the first step. The benefits come from effectively rolling them out and ensuring organizational adoption.

Here are six essential tips to drive the successful rollout and enthusiastic adoption of policies and procedures.

Tip 1: Communicate the Change

Providing clear and consistent communication before and during the procurement policy rollout process is essential. Develop a communication strategy that includes regular updates and opportunities for employees to ask questions and provide feedback.  Use the best channels within your organization, such as emails, meetings, and intranet announcements, to reach all stakeholders.

Tip 2: Train on New Processes, Roles, and Responsibilities

Ensure that employees understand the new policies and procedures by providing concise procurement policy training during the implementation. Tailor training to different employee groups based on their roles and responsibilities within the procurement process.

Tip 3: Provide Resources to Support Performance

Arm employees with resources they can access to help answer questions ‘in the moment’ as they begin implementing the new policies and procedures. Some of the performance support tools that work best with our clients include:

  • Decision trees
  • Frequently asked questions
  • How to guides
  • Microlearning videos
  • Dedicated procurement ‘hub’ (intranet site)
  • Lunch and learns

Tip 4: Monitor, Adapt, and Evolve

Establish key performance indicators (KPIs) to track the progress and impact of the new policies and procedures. Regularly evaluate how well they are being followed and their impact on procurement activities. Review and refine your policies and procedures regularly to adapt to changing business needs, industry standards, and regulatory requirements. We recommend no less than annual comprehensive reviews.

Tip 6: Celebrate Success and Recognize Achievements

Finally, acknowledge and celebrate success stories. Share wins across the organization, especially those aligned with the goals you identified initially. Wins such as improved efficiency, compliance, and cost savings go a long way to show the initiative’s value.

Conclusion

Sound procurement policies and procedures are critical to good governance, risk management, and operational efficiency. Well-documented policies and procedures allow your organization to navigate complex legal and regulatory landscapes, maintain consistency and accountability, control costs, and foster productive, low-risk relationships with all of your vendors.

Procurement policies and procedures also require regular care and feeding to ensure they remain effective and compliant in an ever-changing business environment. Be sure to invest the time and effort to continually review and refresh them, and your organization will reap the benefits of efficient, cost-effective, and transparent procurement processes.

Want to learn more from Tom Rogers on this topic? We encourage you to read Procurement Risks (and How to Manage Them) and How Procurement Teams Can Help Their Organization Get the Best Deal.

Vendor Centric’s team of professionals has in-depth experience assisting organizations of all sizes in developing their procurement policies and procedures and getting them right. Contact Us to schedule a free, no-hassle consultation to explore your needs and how we can help.

Audited financial statements are one of the most important documents you can use to support effective third-party due diligence. As the old adage says, “the numbers don’t lie.”

However, analyzing a vendor’s financial statements isn’t as simple as looking at a few key ratios and calling it a day. It’s part art and part science.  

While audited financial statements do follow a common framework (the science), every company has a different financial story, so you have to know how to spot the problem areas when reading them (the art).

To help you effectively analyze financial statements of your third-party vendors, in this blog I break down:

  • The three main sections in a set of audited financial statements
  • Red flags to look for when reviewing them
  • Determining which vendors should be providing you financial statements
  • What to do when your vendor doesn’t have an audit

Main Sections in Audited Financial Statements

Audited financial statements are financial reports that have been evaluated by an independent auditor. They are important as they provide credibility and assurance to stakeholders, such as customers, investors, lenders, and regulators, regarding the accuracy and reliability of the financial information.  

While financial statement nomenclature is oftentimes different across industries, there are three main sections to every set of audited financial statements.

Auditor’s Report – The auditor’s report is a written statement from the auditor that provides their independent opinion on the completeness, accuracy and reliability of a company’s financial statements.  It is the only section of the audited financial statements that is actually ‘owned’ by the auditor.

Financial Statements – The financial statements paint the quantitative picture of how the company is doing financially. There are three core financial statements: a balance sheet, an income statement and a statement of cash flows.

Notes to the Financial Statements – The footnotes to the financial statements provide more of a qualitative picture about the company through supplemental disclosures and details. These can include disclosures related to long-term commitments, pending litigation, concentrations of risk and affiliated entities. There is a lot of information you can glean from the notes section.

Red Flags to Look for When Reviewing Financial Statements of a Third-Party Vendor

Every set of financial statements tells a different story. A ‘bad’ number on one company’s balance sheet may actually be ‘normal’ for a different company in a different industry.  However, there are some common red flags I always look for when reviewing financial statements – regardless of the industry.

Red Flag #1: Modifications to the Auditor’s Report

I always start with the auditor’s report (i.e., the auditor’s opinion). What I look for is whether the company has a ‘clean’ audit opinion. A clean opinion means the independent auditor has concluded the company’s financial statements are presented fairly in all material respects.

Sometimes, auditors will ‘modify’ their opinion. An example might be when the auditor disagrees with management about certain aspects of the financial statements. Another example includes cases where the auditor was not able to carry out enough work, or gather all of the evidence they needed, to give an opinion on the financial statements.

A modification to the auditor’s opinion is a red flag that you should always investigate further.

Red Flag #2: Problems with Profitability

Vendors need to be profitable to stay in business for the long term. When analyzing a vendor’s profitability, I like to focus on net profit trends, specifically profitability trends over the most recently completed three years. Consistent losses or declining profitability are generally a signal of a problem.

In addition to analyzing trends in net profit, it’s helpful to analyze profitability ratios such as profit margin and return on assets. A declining profitability ratio can be a red flag signaling that a company’s costs are rising faster than their revenues, or that a company is losing market share.

Red Flag #3: Problems with Cash

Being profitable is important, but cash is always king! When analyzing a vendor’s cash liquidity, it’s important to analyze their ability to pay liabilities in the near term as well as remain solvent for the long term.

A good way to evaluate a vendor’s ability to cover its near-term liabilities is through liquidity ratios. The three key ratios to help with analysis are the current ratio, quick ratio and cash ratio. What you’re assessing here is the vendor’s ability to pay what it owes and keep the lights on in the near term. A liquidity ratio that trends lower over time is a red flag that the company may be running out of cash.

When evaluating the ability to stay in business for the long-term, solvency ratios are some of the best tools to use. They help you understand how a company uses debt to fund its operations and whether their debt is growing to a point where it will strain the company’s ability to pay it back. A solvency ratio that is trending higher over time may be a red flag that the company is adding too much debt.

Red Flag #4: Over Reliance on One or Two Key Customers

Lastly, when a company relies on one or two customers for a significant portion of its revenue, it presents a major business continuity risk. I’ve seen companies close their doors within days of losing a key customer, so you should understand whether this is an issue with your key vendors.

This information is best found in the notes to the audited financial statements. The auditor will disclose when a business has concentration risks, including those associated with over reliance on certain customers. Be sure to read the notes to determine if this is a red flag to investigate further.
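As an added illustration (not part of the original post), the following Python screens up to three years of a vendor’s figures for the four red flags above: a modified opinion, consistent losses or declining profitability ratios, declining liquidity ratios, rising solvency ratios, and customer concentration from the notes. The sample figures, the customer-share disclosure and the 25% concentration cut-off are constructed assumptions, and the code also handles ratios that are undefined because a denominator is zero.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class YearFigures:
    """One fiscal year of figures taken from the three core statements."""
    year: int
    revenue: float              # income statement
    net_income: float           # income statement
    total_assets: float         # balance sheet
    current_assets: float       # balance sheet
    inventory: float            # balance sheet
    cash: float                 # balance sheet: cash and equivalents
    current_liabilities: float  # balance sheet
    total_liabilities: float    # balance sheet
    equity: float               # balance sheet


# Ratios where a rise over time is the bad direction (the solvency ratios).
HIGHER_IS_WORSE = {"debt_to_assets", "debt_to_equity"}


def _safe_div(num: float, den: float) -> Optional[float]:
    """num/den, or None when the denominator is zero and the ratio is undefined."""
    return None if den == 0 else num / den


def ratios(y: YearFigures) -> Dict[str, Optional[float]]:
    """Profitability, liquidity and solvency ratios for a single year."""
    return {
        # profitability: a decline over time is a red flag
        "profit_margin": _safe_div(y.net_income, y.revenue),
        "return_on_assets": _safe_div(y.net_income, y.total_assets),
        # liquidity: a decline over time is a red flag
        "current_ratio": _safe_div(y.current_assets, y.current_liabilities),
        "quick_ratio": _safe_div(y.current_assets - y.inventory, y.current_liabilities),
        "cash_ratio": _safe_div(y.cash, y.current_liabilities),
        # solvency: a rise over time is a red flag
        "debt_to_assets": _safe_div(y.total_liabilities, y.total_assets),
        "debt_to_equity": _safe_div(y.total_liabilities, y.equity),
    }


def _trending_badly(series: List[Optional[float]], higher_is_worse: bool) -> bool:
    """True when every year-over-year move is in the bad direction."""
    if len(series) < 2 or any(v is None for v in series):
        return False
    return all((b > a) if higher_is_worse else (b < a) for a, b in zip(series, series[1:]))


def screen_vendor(
    years: List[YearFigures],
    opinion_modified: bool = False,
    customer_shares: Optional[Dict[str, float]] = None,
    concentration_threshold: float = 0.25,  # assumed cut-off; the post gives no number
) -> List[str]:
    """Return the red flags found, in the order the post discusses them."""
    years = sorted(years, key=lambda y: y.year)[-3:]  # most recent three completed years
    flags: List[str] = []

    # Red flag #1: anything other than a clean opinion needs follow-up.
    if opinion_modified:
        flags.append("auditor's opinion is modified; investigate before relying on the figures")

    # Red flags #2 and #3: consistent losses, then ratio trends across the years.
    if years and all(y.net_income < 0 for y in years):
        flags.append(f"net loss in each of the last {len(years)} years")
    per_year = [ratios(y) for y in years]
    if len(per_year) >= 2:
        for name in per_year[0]:
            series = [r[name] for r in per_year]
            if _trending_badly(series, name in HIGHER_IS_WORSE):
                direction = "rising" if name in HIGHER_IS_WORSE else "declining"
                flags.append(f"{name} {direction} every year ({series[0]:.2f} -> {series[-1]:.2f})")
    # Zero or negative equity makes debt-to-equity meaningless, so flag it directly.
    if years and years[-1].equity <= 0:
        flags.append("equity is zero or negative in the latest year (liabilities exceed assets)")

    # Red flag #4: customer concentration disclosed in the notes.
    if customer_shares:
        for name, share in sorted(customer_shares.items(), key=lambda kv: -kv[1]):
            if share >= concentration_threshold:
                flags.append(f"{name} accounts for {share:.0%} of revenue (threshold {concentration_threshold:.0%})")
    return flags


# Constructed sample: a hypothetical vendor that is still profitable but whose
# margins, liquidity and leverage are all moving the wrong way (figures in $M).
SAMPLE_YEARS = [
    YearFigures(2021, 10.0, 0.8, 6.0, 3.0, 0.5, 1.2, 1.5, 3.0, 3.0),
    YearFigures(2022, 10.5, 0.4, 6.5, 2.8, 0.6, 0.8, 2.0, 4.0, 2.5),
    YearFigures(2023, 11.0, 0.1, 7.0, 2.6, 0.7, 0.5, 2.5, 5.0, 2.0),
]
# Constructed concentration disclosure (largest customers only), as the notes might report it.
SAMPLE_CUSTOMERS = {"Customer A": 0.40, "Customer B": 0.15, "Customer C": 0.10}

if __name__ == "__main__":
    for flag in screen_vendor(SAMPLE_YEARS, customer_shares=SAMPLE_CUSTOMERS):
        print("RED FLAG:", flag)
```

A ratio that merely dips in one year is not reported; the screen only flags a trend that moves the wrong way in every year it has, which is what you then go and investigate in the statements themselves.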

Do you need audited financial statements from all of your vendors?

The short answer is, no.

In fact, you shouldn’t be spending time reviewing financials for most of your vendors. What you really need to be concerned with is the financial health of your critical vendors. That is, those who provide key services, infrastructure and technologies, including outsourced services, that you rely on for the execution of your own critical business functions.

You may, of course, have other high-risk vendors whose financial statements you want to review. That’s always ok. But many organizations don’t have the resources or capacity to review financials from every third party – so focus first on those key relationships that really matter, then add others as time permits.

What if your third-party vendor doesn’t have an audit?

While audited financial statements are the gold standard, many small, privately held companies don’t have audits. So what do you do?

Ask the vendor to provide unaudited financial statements instead. These can come in one of three formats, listed from least to most preferred.

Internally Prepared Financial Statements – These financial statements have been prepared by the vendor, with no involvement by an independent CPA. 

Compiled Financial Statements – These financial statements are prepared in coordination with a CPA; however, the CPA did not analyze any of the numbers and does not provide any assurance on the accuracy.  It’s implied, though, that the CPA assisted in some way with the creation of the financials.

Reviewed Financial Statements – These financial statements are prepared in coordination with a CPA and the CPA provides a limited amount of assurance on the statements. Unlike a compilation, the CPA does perform limited analysis and testing of information presented. However, it is significantly less analysis and testing than performed in an audit.

Just know that the further away you get from audited financial statements, the less reliable the numbers become. That’s why it’s crucial to have a subject matter expert on your team be responsible for reviewing the information.

Lastly, there are a variety of data intelligence solutions in the marketplace that can help with your review of a vendor’s financial statements. These solutions include risk intelligence on things like credit, timely payments, bankruptcies, lawsuits and general negative news. They are a good source to supplement a financial statement review or to use in lieu of a financial statement for lower risk vendor due diligence.

Don’t get caught by surprise. Make sure to incorporate financial statement reviews into your third-party due diligence process.

Procure-to-pay (P2P) is a business process that encompasses all activities involved in obtaining goods or services from a third-party supplier.  

It’s an important process as it enables the business to acquire goods and services efficiently and at fair prices, while also ensuring timely delivery, quality, and compliance with relevant laws and regulations.

An effective procure-to-pay process provides a number of benefits including:

Improved Compliance: Following standardized, documented processes ensures that procurement activities are in line with an organization’s policies and regulations.

Increased Efficiency: An efficient, automated P2P function speeds up the process to find suppliers and make purchases, enabling employees to quickly get the goods and services they need while also reducing time spent on procurement administration.

Cost Control: P2P provides a variety of controls to help manage costs with suppliers.  The process ensures requirements are properly scoped, prices are fair and invoices are reviewed against contracted terms to minimize the risk of overpayment.

Better Supplier Relationships:  Negotiating fair deals and paying suppliers on time helps you build trust and establish a good reputation with your suppliers and the broader supplier community at large.

When creating P2P policies and procedures, the following steps in the process should be defined and documented.

Step 1: Needs Identification and Requirements Development

The first step in the procure-to-pay process is when a business owner identifies the need for a good or service, and documents the associated requirements.  The good or service could be something that the business does not currently have or one that needs to be replaced or replenished.  

Requirements development is one of the most critical steps in the P2P process.  Poorly defined requirements always lead to misaligned expectations with suppliers. This, in turn, results in inaccurate quotes, inadequate deliverables and cost overruns.  Despite the natural desire to move quickly, it’s important for business owners to get their requirements right.

Step 2: Sourcing Approach

Once requirements are determined, the business owner then determines the best approach for sourcing.  This involves evaluating purchasing options and selecting the one that best meets the needs of the business owner and the organization.  Options generally include, but are not limited to:

  • Buying from an existing contract/catalog with a current supplier
  • Making a simple purchase from a preferred supplier (typically for low cost, low risk purchases)
  • Conducting a competitive solicitation through a request for quotation (RFQ) or a request for proposal (RFP) process

In organizations with a decentralized procurement function, sourcing decisions are typically managed by the individual business owners.  In organizations with a centralized procurement function, decisions are made by (or in coordination with) the procurement department.

The end goal of sourcing should be to obtain the required goods or services as quickly as possible, at the fairest price, and with a vendor that presents a level of risk that is acceptable to the organization.

Step 3: Purchase Requisition

Once sourcing has been determined, the next step is to submit a purchase requisition.  The requisition provides details of the goods or services to be purchased, such as the quantity, specifications, and delivery dates.  It also provides a control, ensuring that the required approval(s) are obtained before a purchase can be made. 

When a request to purchase through a catalog is made, the requisition includes the actual items being requested for purchase.  This allows fast approval of the catalog items, and for the purchase to be placed automatically with the supplier once the requisition is approved.

When a non-catalog purchase request is made, the business owner includes either the quote or proposal from the supplier (if the business owner performs sourcing) or a detailed set of requirements and instructions to the procurement department (if procurement performs sourcing).  Regardless of who performs the sourcing, the purchase requisition must be approved to move forward in the P2P process.

Step 4: Negotiation

Depending on the size and complexity of the purchase, there may be a need for additional negotiation as well as the execution of a contractual agreement such as a Master Services Agreement (MSA) and/or Statement of Work (SOW).  

Depending on the organization’s structure, this is done by the business owner or in partnership with procurement and/or legal.

Step 5: Purchase Order

Once all terms have been negotiated and approved, a purchase order (PO) is typically issued.   The purchase order is a legally binding document that outlines terms, including the details of the goods or services, the price, the delivery timelines, and the payment terms.

Not all companies use purchase orders.  However, POs are an important control in the P2P process. A PO ensures that requirements and terms are clearly communicated to the supplier, and enables a more efficient reconciliation of invoices on the back end.

Step 6: Receiving

Once the supplier delivers the goods or services, an employee receives them and verifies that they meet the requirements specified in the PO.  This involves inspecting the goods or services for quality, quantity, and compliance with any applicable laws or regulations.  In the case of services, this would include a formal process to review and accept whatever ‘deliverables’ have been defined between the organization and the vendor.

Step 7: Invoice Approval and Payment

The final step in the P2P process is to approve the invoice and pay the vendor.  Depending on the type of goods and services that were purchased, the business owner or procurement department is typically responsible for verifying the supplier’s invoice against the purchase order.  Once the invoice is approved, the supplier is then paid per the agreed-upon payment terms.

Overall, the procure-to-pay process is a vital process for businesses of all sizes. However, depending on an organization’s size and industry, some steps may be more important than others.  For example, the receipt and examination of goods is typically more important for a manufacturer than it is for a professional services company.

As with any process related to managing vendors and suppliers, just be sure to align your policies and procedures to the industry, needs and complexity of your own organization.

Vendor management policies are essential for establishing the overarching rules, guidelines and expectations for managing third-party vendors across your organization. However, getting employees to actually follow your policies can – well – be a challenge.

In this blog I share eight effective tips for getting your employees to follow your vendor management policies on a consistent basis. Whether you’re rolling out brand new policies, or looking for ways to get better compliance with existing ones, read on to find valuable insights and practical tips for success.
  1. Write Policies So Humans Can Understand Them

Most vendor management policies I’ve seen (and I’ve seen a lot) are poorly written and difficult to understand.  Vague statements, complex words and lots of jargon make many policies confusing and hard for employees to comprehend. 

When you write your policies, use clear and concise language – the fewer the syllables the better.  Remove unnecessary filler words.  And be specific so that all employees, regardless of level of expertise or experience, understand what’s really expected of them.

  2. Communicate Them Clearly

When you introduce a new policy, make sure it’s supported by a solid communication plan.  Your communication should cover things like why the policy is being adopted, when it will be enacted and where to go for questions.  

When feasible, the communication should also provide the ‘what’s in it for me’ (WIFM) to explain how the employee will benefit by adopting the policy.  While this isn’t applicable to every new policy, it does help with acceptance and adoption.

  3. Make it Easy to Find Your Policies

When policies are hard to find, employees don’t have important information they need when they need it. And honestly if policies are too hard to find, people might not even bother looking at all. It’s just human nature.

Make your vendor management policies easily accessible by creating a centralized location where they can be accessed quickly and easily.  This can be done through a central vendor management hub – like this one from Harvard University – or through a policy management software tool like this one from Trainual.  

Also, if your policies are in document form (i.e. Word, PDF), use a standard naming convention. It makes it a lot easier for an employee to know when they have the right document.

  4. Lead by Example

Employees are more likely to follow policies when they see their leaders modeling the behavior. If VPs and managers don’t follow the policies themselves, employees are less likely to take them seriously.

Leaders must be the first to follow the policies and set an example for the rest of the team. This helps create a culture of compliance and accountability.

  5. Provide Regular Training

Periodic training is crucial in keeping your vendor management policies front and center with employees.  Important topics to cover in your vendor management training include a breakdown of the policies themselves, an overview of key roles and responsibilities, and a lot of ‘how tos’ so that employees can apply what they learn in their day-to-day.

Best practice is to make training mandatory for all employees, including new hires, to ensure that everyone is up to date.

  6. Monitor Compliance

Monitoring compliance is critical in ensuring that employees follow policies. If you use a Governance, Risk and Compliance (GRC) system, it’s a great place to track compliance, identify non-compliance, and take appropriate action. 

There are a variety of ways to monitor compliance including audits, surveys, and analytics. Regular monitoring will also help you identify areas where there are gaps in skills or knowledge, which can point you to further training that may be needed to close those gaps.

  7. Hold Employees Accountable

Enforcing consequences is an essential part of getting employees to follow your policies. Consequences can range from verbal warnings to termination, depending on the severity of the non-compliance. Make sure the consequences are consistent and fair, and apply them equally to all employees.

  8. Keep Your Policies Fresh

Lastly, you need to ensure your vendor management policies stay current so they remain relevant and effective.  Policies need to be kept up to date with changing regulations, as well as your own evolving business requirements – including emerging areas like diversity, equity and inclusion (DEI) and ESG.

Best practice is to establish an annual process to review and revise your vendor management policies, incorporating feedback from stakeholders and incorporating new best practices and industry standards as needed. You should also consider conducting periodic risk assessments to identify emerging threats and vulnerabilities and adjust your policies accordingly. 

Getting employees to comply with your vendor management policies can be challenging, but it is essential for ensuring that your organization operates efficiently, effectively, and safely. 

Vendor Centric specializes in writing clear and effective vendor management policies.  If you need a hand writing or updating yours, schedule a call to learn how we can help.

Maintaining up-to-date, efficient and compliant vendor management processes isn’t easy – especially in organizations experiencing rapid growth or significant change.

That’s why continuous process improvement is so important and a MUST HAVE for effective governance of any vendor management program.

The good news is that process improvement doesn’t have to be a multi-month effort.  There are practical things you can do – starting tomorrow – to begin getting traction.  

In this blog I break down:

  • the definition of continuous process improvement,
  • why it’s critical for effective vendor management programs, and
  • 15 practical ways to improve your vendor management practices

Let’s get started.

What is continuous process improvement?

Continuous process improvement is an ongoing, systematic effort to analyze and improve processes within your organization.  It involves regularly reviewing and evaluating processes to identify areas for improvement, and then implementing changes and monitoring the results to ensure the improvements have been effective. 

It can take many forms, including the implementation of new technology, the adoption of new policies and procedures, and the reengineering of existing processes. 

Organizations that are committed to process improvement are better positioned to respond to changing market conditions, remain competitive, and drive growth and profitability.  

Why is process improvement critical for effective vendor management?

Process improvement is essential to the long-term success of your vendor management function for several reasons:

  • Increased Efficiency:  Most vendor management departments are strapped for resources, requiring employees to do more with less. Process improvement streamlines activities and reduces the level of effort required to complete tasks.
  • Improved Quality: By optimizing vendor management processes, you can reduce errors, eliminate waste, and enhance the quality of output. This leads to improvements in the types of vendors you work with and the quality of the goods and services you buy.
  • Competitive Advantage: When you can quickly find, contract and begin working with vendors, your organization is better positioned to scale, operate cost-effectively, respond to changing market conditions, and innovate on new products or services.
  • Regulatory Compliance: Continuous improvement ensures that your processes stay current with an ever-changing regulatory landscape.  This is especially important for complying with third-party management requirements in highly regulated industries like banking, insurance and healthcare.

15 Practical Ways to Improve Your Vendor Management Processes

There are dozens of ways to improve your vendor management processes.  Some can be done with little effort, while others may take longer due to the need for new technology, more complex process reengineering and cultural change management.

Here are 15 practical ways you can begin improving vendor management processes in your organization – some as soon as tomorrow!

  1. Document your end-to-end vendor management processes to standardize activities and provide consistency across your organization.
  2. Create a RACI Chart to clarify ‘who does what?’ when executing vendor management activities.
  3. Standardize common forms and templates like requests for quotations (RFQs), requests for proposals (RFPs) and purchase requests.
  4. Analyze and rationalize your supplier base to reduce time spent on supplier management.
  5. Evaluate competitive bidding policies to determine if you can increase procurement thresholds and reduce the need to competitively bid low cost, low value items.
  6. Leverage procurement software to automate common activities like sourcing, competitive bidding and purchase-to-pay.
  7. Create a contract clause library and contract templates for staff to use to provide speed and consistency in contracting.
  8. Use a Contract Lifecycle Management (CLM) system to centralize all third party contracts and make it easier to manage the contracting process.
  9. Develop a contracting policy to define which contracts require formal, legal review and which can be managed solely by the business owner.
  10. Create a contract review and approval authority matrix to clarify the number of reviews required for certain types of contracts, and eliminate unnecessary reviews for low risk agreements.
  11. Review your third-party risk assessment questionnaires to improve how questions are asked (which improves vendor response accuracy) and remove non-value add questions.
  12. Use Vendor Risk Management software to automate tasks related to risk assessments, due diligence and risk monitoring.
  13. Simplify approval processes to remove unnecessary approvals and sign-offs.
  14. Integrate your vendor management systems to establish a ‘source of truth’ for vendor management data and to eliminate manual workarounds between systems.
  15. Operationalize a process-driven, continuous improvement process to continually review and improve your processes – year after year!

Vendor Centric specializes in helping companies establish and implement efficient, scalable vendor management processes.  If you need help setting up new processes, or reengineering the ones you’ve got, contact us to learn how we can help.

The use of Contract Lifecycle Management (CLM) has become increasingly popular among organizations of all sizes, as it supports consistent, efficient management of the entire contract lifecycle – from contract creation through expiration/termination. 

It streamlines the contracting process, providing a centralized platform for contract creation, execution, and storage.  But as importantly, it supports more effective and transparent contract management, helping you manage contract compliance, performance and spend.

If your company is considering purchasing contract management software, you’ll want to read this blog as I break down:

  • what it is,
  • benefits of using contract lifecycle management software,
  • 7 key features to look for in any CLM solution, and
  • where artificial intelligence fits into CLM.

Let’s get started.

What is Contract Lifecycle Management Software?

At its core, Contract Lifecycle Management software provides a central repository for your organization’s contracts and related documents, which provides transparency to everyone responsible for managing contracts, and makes it quick and easy to access information.  

CLM software automates and streamlines various contract-related activities, such as authoring, negotiation, signature, and storage. The automation saves you time, reduces errors and improves the accuracy of contract data. 

CLM software also supports more effective contract management after the contract has been executed.   You can track contract renewal dates, service level agreements, vendor performance and other details that provide visibility into the contractual relationship and support better accountability throughout the contract management process.

What are the Benefits of Using Contract Lifecycle Management Software?

Contract Lifecycle Management software provides a variety of benefits such as:

Better Visibility and Control
CLM software provides a centralized platform for contract data and document storage, making it easy to find information about your contracts and retrieve documents such as master service agreements, statements of work, change orders and addenda.   Users don’t have to sort through emails and shared folders trying to find the information they are looking for – it’s all in one, central place.

More Efficient Contract Management Processes
With the implementation of CLM software, a variety of tasks that are typically performed manually can be automated.  When tasks are automated, you improve efficiency, reduce errors, and increase compliance, saving time and reducing costs for everyone involved in contract management.

Improved Collaboration and Workflow Management
CLM software allows multiple users to access and work on contracts concurrently, making it easier for teams to collaborate and ensure that contracts are completed efficiently.  Workflow management can also help to ensure that contracts are reviewed and approved in a timely manner, and that the right people are notified when a contract is due for renewal.

Increased Compliance and Reduced Risk
Lastly, contract management software helps to support compliance with company policies and legal requirements.  You can establish contracting standards, require the use of certain templates and enforce review and approval controls.  The software also provides a secure platform for contract storage, reducing the risk of data breaches and unauthorized access to sensitive contract information. 

7 Key Features You Want in Contract Lifecycle Management Software

There are a wide variety of CLM software solutions in the marketplace, each offering various features and functionality you can choose from. Finding the right solution for your company requires that you clearly define your functional and technical requirements before you venture out into the market to find a solution.

With that said, there are certain core features you want to look for in any contract management software you choose.  My team here at Vendor Centric has worked with a number of leading CLM solutions in the marketplace – here are seven key features we find really important.

  1. Contract Clauses and Templates
    One of the most important benefits of CLM software is the ability to create contracts quickly and efficiently.  The solution you choose should provide the ability to maintain a library of standard contractual clauses and templates, quickly select the right template to use and then begin the contract development process from within the software platform.  This will save you time and ensure that all contracts are standardized and compliant with your company’s policies.
  2. Contract Collaboration and Workflow Management
    Collaboration and workflow management is another important feature.  It allows multiple users to access and work on contracts concurrently, making it easier for teams to collaborate and ensure that contracts are completed efficiently.   Workflow management can also help to ensure that contracts are reviewed and approved in a timely manner, and that the right people are notified when a contract is due for renewal.
  3. Digital Contract Signing
    With remote and hybrid work now a part of daily life, getting a contract signed with pen and paper just isn’t practical.  Your CLM software should enable you to sign contracts electronically. This enforces controls regarding contract signing authority, and eliminates multiple steps from the process when a contract needs to be printed, signed, scanned and emailed to the next signer.

    Modern solutions typically approach this in one of two ways.  They either have electronic signature functionality native in their own solution, or integrate with a third-party solution like Docusign or Adobe.   Either approach can work well, though you will likely need to purchase additional licenses if you integrate with a third-party solution.
  4. Contract Storage and Retrieval
    A simple but important benefit of contract lifecycle management software is the ability to store all contracts in a centralized location. This makes it easy for contract managers to retrieve contracts when they need them. It also ensures that all contracts are securely stored and backed up.  Modern solutions have robust search and filtering capabilities so contract managers can quickly find the contracts they need regardless of whether you have 100 or 100,000 contracts.
  5. Contract Analytics and Reporting
    Another key feature of contract lifecycle management software is the ability to generate reports and analytics on your contracts. This information is invaluable in helping manage contracts more effectively. For example, contract managers may want to see how many contracts are due for renewal, how many contracts are overdue, and how many contracts are up for renewal in the next 30 days.

    The best solutions have a library of pre-built reports you can immediately begin using, along with the ability to create custom reports specific to your business or industry.  Most systems also provide ‘push reporting’, which allows you to have the reports automatically distributed to contract managers on a weekly, monthly or custom cadence.  This is a great feature to help proactively manage renewals. 
  6. Integrations
    Integrations are critical when it comes to contract lifecycle management software. The software should integrate seamlessly with other business tools such as CRM, procurement and accounting software, as well as the electronic signature software I mentioned previously. This will help to ensure that all information is up-to-date and accurate, and that contracts are executed efficiently.
  7. User-Friendly Interface
    Finally, it’s important to look for software that has a user-friendly interface. It should be intuitive and easy to use, so that your users can quickly get up and running. The software should also be easily configured, so that you can set role-based dashboards and reporting specific to each user’s needs.

What About Artificial Intelligence?

One of the newer features that’s been making its way into CLM software is the use of artificial intelligence (AI).  While AI technology is still evolving in its use in CLM software,  it can automate several manual and time-consuming tasks in the contract lifecycle process such as contract review, data extraction, contract analytics and risk analysis. This not only increases efficiency and accuracy but also frees up valuable time for your employees to focus on the actual management of the contract.

AI-powered contract management software can also analyze large amounts of data and identify patterns and trends that are difficult for your contract managers to detect. This information can be used to identify and mitigate potential risks, optimize contract terms, and improve negotiation strategies. 

Finding the Right CLM Solution for Your Organization

There is no one-size-fits-all when it comes to CLM software.  Ultimately the choice comes down to aligning your near-term functional requirements, and your long-term technology strategy, with a solution (and vendor) that’s the best fit for your organization.

Here are a few key questions to consider when evaluating options:

  • Are you even ready for a solution? Make sure you have well defined policies and procedures to guide the workflow you need in your software.
  • What functionality is required, desired and nice to have?  Being clear on what you really need will help you narrow down options.
  • What do your contract management policies say?  Your software must support workflow and controls that ensure your policies are enforced.
  • What’s your budget?  Solutions can run from a few thousand to hundreds of thousands.  Knowing your budget will allow you to narrow the market.

When selecting contract lifecycle management software, it’s important to know which features are most important to you. But also look for a solution that is modern and integrates new technologies such as threat intelligence and AI, so that whichever solution you select will stay fresh and current with a changing software landscape.

My team at Vendor Centric has helped dozens of clients find the best software solutions for their organization.  Contact us to learn how we can help you too.

A Supplier Code of Conduct (SCC) is a powerful tool your organization can use to maintain productive, ethical, and compliant relationships with your suppliers.  From protecting your reputation to improving the quality and reliability of your supply chain, a supplier code of conduct provides clear guidelines and standards for your suppliers to follow.

If you’re considering rolling out a supplier code of conduct in your organization, this blog’s for you.  In it I break down:

  • What a supplier code of conduct is
  • The benefits of having one
  • 8 key sections you’ll want to include
  • How to communicate your SCC to your suppliers.

Let’s get started.

What is a Supplier Code of Conduct?

A supplier code of conduct is a set of guidelines and standards that your organization outlines for your suppliers regarding expectations for responsible and ethical business practices. The purpose of a supplier code of conduct is to ensure that your suppliers are operating in a manner that aligns with your own organization’s ethical principles and values. 

The SCC provides:

  • a framework for what your organization expects from your suppliers, 
  • a vehicle for you to communicate those expectations to your suppliers, and
  • standards you can use to monitor supplier compliance with your code of conduct.

Benefits of Having a Supplier Code of Conduct

Implementing an SCC is beneficial for both you and your suppliers. The benefits to your organization include:

  1. Trust: Your customers expect you to operate ethically. A supplier code of conduct helps to build trust with your customers, stakeholders, and the broader community, as it shows you are committed to working with partners who share your own ethical values and principles.
  2. Improved Supplier Relationships: An SCC helps to build trust and transparency between you and your suppliers. By engaging with your suppliers on issues that are important to your organization, you can build relationships that are transparent, accountable and allow for continuous improvement.
  3. Supply Chain Integrity: An SCC helps to ensure that your suppliers are using appropriate materials and processes, and that the products they produce are of high quality. This helps to ensure the integrity of your supply chain and reduces the risk of product recalls or other costly problems.
  4. Compliance: Your organization is responsible for ensuring that your suppliers are in compliance with applicable laws and regulations. An SCC helps to ensure that suppliers are aware of their legal obligations as a result of their relationship with you.
  5. Social Responsibility: More and more companies are integrating social responsibility into their operations – and those responsibilities flow down to their suppliers. An SCC helps your organization promote and monitor supplier practices that are consistent with your own social responsibility goals. 

What to Include In Your Supplier Code of Conduct

The specific contents of a supplier code of conduct vary from one organization to the next.  In fact, it’s critical that you customize your SCC to align specifically to your organization’s own ethics standards and industry requirements. 

With that said, common areas that are typically covered in an SCC include:

  • Business integrity: Standards for ethical business practices, including anti-corruption, anti-bribery, and transparency.
  • Compliance: A commitment to compliance with applicable laws and regulations.
  • Environmental protection: Requirements for responsible environmental practices, including reducing waste and minimizing the impact of operations on the environment.
  • Health and safety: Standards for promoting and protecting worker health and safety, including requirements for safe working conditions and adequate training.
  • Labor and human rights: Requirements and standards for fair labor practices, non-discrimination, and respect for human rights, including freedom of association, child labor, and forced labor.
  • Implementation and communication: Expectations for how the supplier will communicate the code of conduct within their organization.
  • Monitoring and reporting: Mechanisms for monitoring compliance and reporting violations of the code of conduct.

A well-written SCC should also address what happens if the supplier doesn’t comply, which can include process changes, training or possible termination of the business relationship.

How to Communicate Your Code of Conduct to Suppliers

Best practice is to communicate your supplier code of conduct, in writing, during your risk assessment process (pre-contract).  This ensures that suppliers are aware of your expectations prior to signing a contract, and you can perform diligence on the supplier to ensure they have the necessary policies and controls in place to comply with the SCC.

It’s also important to communicate your SCC on a periodic basis, usually annually, to refresh suppliers on your expectations and to inform them of any changes in your SCC.  This can be done as part of a general communication, or as part of your periodic due diligence process.  Many organizations also post their supplier code of conduct publicly on their website, or through a secure supplier portal.

Overall, the key to effectively communicating the supplier code of conduct is to ensure that it is clear, concise, and accessible to all suppliers, and to reinforce the importance of compliance through training, monitoring, and enforcement.

If you’re interested in creating and implementing a Supplier Code of Conduct for your organization, contact us to learn how we can help.

Today’s best vendor risk management systems offer a growing list of features and functionality that help you manage risk with vendors and other third parties.

Many have also expanded functionality to support other areas of vendor management including sourcing, onboarding, purchasing and contract management too.

But don’t get too excited about the sheer breadth of functionality that’s offered.

As I mentioned in my blog How to Choose the Best Vendor Management Software for Your Organization, it’s nearly impossible to find a single vendor management system that allows you to effectively manage every stage of the vendor relationship.

So, if vendor risk management is your primary focus, you want a solution that best aligns to your documented requirements for managing risks with your vendors each and every day.

Here are my Top 8 features you should care most about when choosing a vendor risk management system.

  1. Vendor Master Data Management. You want the ability to create and maintain a centralized repository of both your vendor metadata and the associated due diligence documents, such as cyber policies, SOC reports, financial statements and insurance certificates.
  2. Secure Vendor Collaboration. It should be easy for your vendors to provide you with information and documentation in a secure way.  Look for solutions with secure portals that you and your vendors can use to respond to questions, share documents and collaborate.
  3. Automation of Risk-Based Classification. There should be a workflow-based process for assessing new vendors (or existing vendors when a change in scope occurs), and scoring logic to calculate an inherent risk level, helping you determine what level of risk-based due diligence to perform on your vendors.
  4. Risk Assessment Template Library. Modern solutions will save you a lot of time by providing you a library of ready-to-use risk assessment and due diligence templates out of the gate.  Many software providers have templates that align to the most common regulatory requirements and cybersecurity frameworks.  They also include templates aligned to emerging diligence areas like supplier diversity, ESG and modern slavery.   
  5. Automation of Question Response and Residual Risk Scoring. A huge time saver, automated risk scoring means the system is doing all of the legwork to provide an initial response – and scoring – of vendor due diligence questionnaire responses. This is done by building your risk standards in the system, and aligning them to individual question responses so the system can take a first pass. This gets you out of the weeds and allows you to focus on the risks and how best to remediate them.
  6. Tracking of Residual Risks and Overall Risk Register. When risks remain with a vendor, you need a way to track, remediate and monitor them.  Look for the system’s ability to automate residual risk and remediation tracking at the vendor level, and also roll everything up into an overall risk register so you can see a snapshot of all of your vendors across the company at any point in time.
  7. Continuous Risk Monitoring. Your system must have the ability to monitor risks throughout your relationship with the vendor.  This includes the ability to re-perform due diligence on a standard cadence, as well as the ability to integrate with third-party risk and threat intelligence solutions that feed data on cyber threats, business health, sanctions, and other areas of risk.
  8. Standard and Customized Reporting. Lastly, your system should make it easy to report on vendor risk management KRIs and key activities, allowing for the easy collection of data used in reporting to senior management, committees or your board. It should also allow for ad hoc reporting in case staff need to obtain information specific to their needs (for example, a list of active vendors in their department). There should also be role-based dashboards that make it easy for each user to see only the most relevant information.

The leading vendor risk management software providers also offer a variety of ancillary services beyond just the technology to make your life a whole lot easier.  

These include everything from vendor exchanges (i.e. ready-made due diligence reports for you to purchase) to full-on managed services that risk-assess your third-party vendors. Depending on your resource constraints and needs, you’ll want to consider these ancillary services when choosing the best overall solution for your organization.

Vendor Centric’s team of vendor management technology specialists know the market. We can help you mitigate the risk of selecting the wrong overall solution, and even support you in successfully implementing the software across your organization. Contact us today to learn how we can help.

If you’re looking for the best vendor management software for your organization, you have a challenge in front of you.

A simple search for ‘vendor management software’ on Capterra brings back 300+ results. With so many options, it’s overwhelming trying to choose the right solution.

The good news is this blog will remove some of that overwhelm and get you pointed in the right direction. In it I break down for you:

  • The benefits of using software to manage your vendors
  • Types of workflow you want your software to support
  • The four most common categories of software to choose from
  • 6 key factors to consider to ensure you select the best vendor management software for your organization

Let’s get started.

Benefits of Vendor Management Software

Vendor management software improves the efficiency and effectiveness of how your organization manages vendor relationships – from beginning to end.  

Some of the big benefits include:

  • Improved Visibility and Control: Vendor management software enables you to track and manage vendor relationships centrally, giving you greater visibility and control over vendor contracts, compliance, and performance.
  • Streamlined Processes: Through automation and standardization of vendor management processes, you can better enforce policies and the associated controls, reduce administrative burdens and improve the efficiency of day-to-day activities.
  • Better Risk Management: Vendor management software supports your ability to identify and monitor potential risks associated with your vendors and other third-parties, and to proactively take action to mitigate those risks.
  • Stronger Supplier Relationships: Vendor management software can improve the overall quality of your supplier relationships by providing tools for communication, collaboration and feedback, which leads to more efficient and effective partnerships.

Vendor Management Software Workflow Requirements

Vendor management software should support your ability to manage all stages of the vendor relationship. This starts with sourcing and ends with termination and offboarding.  

Finding the best vendor management software for your organization will require you to break down your workflow requirements across all six stages, and be clear on your priorities.  

Most Common Categories of Vendor Management Software

Finding a single solution to manage the entire vendor management lifecycle is going to be a challenge. 

At Vendor Centric, we’ve found that most software products are really good at supporting workflow around stages in the life cycle that are aligned to one of three operational areas: procurement, contract management and third-party risk.

As an example, procurement software solutions are designed to be really good at supporting the sourcing and purchasing stages.  While they may have ancillary features to support other stages related to contract and risk management, they are not nearly as robust in functionality.

So, as you evaluate vendor management software solutions, it’s going to be really important for you to know which operational areas (i.e. stages) matter most to you.

Let’s take a look at the four most common categories of vendor management software in the marketplace.

Contract Management Software. If managing vendor contracts is your primary goal, then a contract management system might be the best fit. The contract serves as the ‘hub’ in these systems, and they are good at supporting workflow for developing, negotiating, signing and managing the contractual document. Managing contracts and contract performance are the strengths of these systems, though they are oftentimes limited in their ability to support workflow for procurement, purchasing and risk management.

Procurement Software. Procurement software developers have really stepped up their game when it comes to vendor management, as many now have add-on modules for more comprehensive contract and risk management. However, the strength of these systems continues to be focused on workflow related to sourcing, procurement and the purchase-to-pay process. While the add-on modules do provide some important functionality, they are generally not as robust as solutions designed specifically for contract management or third-party risk management.

Third-Party Risk Management Software. If risk (and compliance) management is your primary focus, then you should consider a solution dedicated primarily to third-party risk. These solutions are designed primarily to support inherent risk assessments, due diligence and residual risk monitoring and remediation. They provide complex workflow and automation for risk management, including auto-evaluations of responses and automated risk scoring. They also integrate third-party data intelligence solutions to provide you with a 360-degree view of your vendors, a key requirement for effective risk monitoring.

Data Intelligence Software. Lastly, if third-party risk monitoring is your primary area of focus, there is a growing list of data intelligence solutions in the marketplace. These solutions are designed primarily for monitoring risks with your third-party vendors, not so much for managing the type of workflow I noted above. There are a number of solutions focused on risk monitoring related to cybersecurity, financial health and compliance.  Many are also adding data around ESG and supplier diversity. 

So, What is the Best Vendor Management Software for Your Organization?

That’s a complex question as the vendor management software marketplace is evolving daily.

Many software companies are adding new functionality to support more comprehensive workflow. They are also extending their ability to provide rich data intelligence through integrations or through their own data sources.

Ultimately, your decision comes down to aligning your long-term goals and priorities with a software strategy that makes sense for your organization.

Here are six key factors to consider as you create that strategy:

  1. What is the scope of your current (and anticipated) vendor management operations?  You’ll want software to support both your current and future needs.
  2. What do your policies say?  Your software must support workflow and controls that ensure your policies are enforced.
  3. What are your workflow requirements?  You need to be clear on your procedures to know what functionality you need in the solution.
  4. Do you have existing solutions to consider? Is your organization already using software to manage your vendors, even if it is isolated and not widely adopted? You’ll need to evaluate how those solutions fit into the bigger picture, and whether integrations are needed.
  5. Who will manage the software?  What resource capacity/constraints do you have?  Those will help drive decisions based on how simple or complex the solution is to manage.  
  6. What’s your budget? Solutions can run from a few thousand to hundreds of thousands. Knowing your budget will allow you to narrow the market.

Choosing new vendor management software is complex, costly and comes with a lot of risk.

My team at Vendor Centric has helped dozens of clients find the best vendor management software for their organization. Our team of specialists can help you define requirements, evaluate the market, facilitate the RFP process and provide implementation support.  

Vendor management software is a critical part of your vendor management infrastructure.

Good vendor management software automates tasks, streamlines workflow, enforces controls and provides a central ‘source of truth’ for information about your vendors.  It also supports your ability to comply with laws and regulations, manage contracts, track vendor performance, and much more.

But simply purchasing vendor management software doesn’t guarantee success. Your organization has to be ready for the change to get the results you’re hoping for.  

Here are five questions to help you determine if your organization is truly ready to purchase and implement vendor management software.

1. Have you defined and documented your vendor management policies? 

Defining your vendor management policies is crucial to ensuring that the software aligns with your organization’s governance, risk, compliance, and security standards.  Policies set the standard for vendor management compliance.  You need to be clear on what they are so you can ensure your selected software can support them.

2. Have you documented your desired vendor management procedures? 

Having defined procedures is necessary to identify the specific controls and workflow requirements for the software, and to evaluate potential software options based on how well they support your procedures. 

The vendor management software marketplace is large – and growing. There are operational solutions for procurement, contract management and third-party risk, along with niche solutions for compliance, risk management and policy management.  You need to be clear on what specific procedures the software will support to narrow down a large and crowded marketplace of software vendors.

3. Have you identified your users?

When purchasing software, it is important to take the time to define the users and roles that will be utilizing the system. Doing so allows you to engage them as part of your functional requirements gathering process and, in doing so, begin getting their buy-in for software selection and adoption.

4. Have you documented your functional requirements?

Defining functional requirements before selecting software is also essential for ensuring that the software meets the specific needs of your organization.  It provides clarity about your needs to prospective vendors, allowing them to evaluate whether their solution may or may not be a good fit for your organization.  

It also gives you a data-driven tool you can use to evaluate software workflow, security, scalability, and compliance, and mitigate your risk of overspending or investing in a software that doesn’t meet your organization’s needs.

5. Do you have the necessary resources to maintain your vendor management system? 

Lastly, to drive value from your investment in vendor management software, you need the right resources in place to manage the project, steer the software configuration, create reports, train users and, ultimately, drive adoption.  

Before purchasing software, make sure you establish your project manager and your project team, and define exactly who is going to ‘own’ the ongoing management of the software to resolve issues as they arise, and ultimately drive software adoption and continuous improvement.

If you’re thinking about implementing vendor management software, it’s important that you’re able to answer ‘yes’ to these five questions to ensure your organization is truly ready for the change. Take time to plan and align so that you not only select a system that is best suited to your needs, but can also successfully implement and adopt it to maximize the value of your technology investment.

Rationalizing your supply base can be a daunting task, but it can also bring significant benefits to your organization.  By streamlining your suppliers and focusing on those who offer the best value and fit with your business goals, supplier rationalization helps you improve efficiency, reduce costs, and build high-value relationships with your suppliers. 

In this blog I’ll explore what it means to rationalize your supply base and how to go about it efficiently and effectively.

What is supplier rationalization?

Supplier rationalization is the process of evaluating and optimizing the number and quality of suppliers that you work with.  It involves assessing your suppliers to better understand the services they offer (and can offer) aligned to your business needs, and identifying ways to consolidate or reduce your supply base by eliminating duplicative, low-value, and poor performing suppliers. 

Why rationalize your supply base?

Rationalizing your supply base will not only help you reduce costs, it will also speed up purchasing decisions, improve quality, reduce risk and strengthen your supplier relationships.  Here are a few reasons your organization should consider supplier rationalization.

Stronger relationships: One of the best reasons to rationalize your supply base is to focus your time on the few suppliers who can help you drive the biggest results.  When you show a higher level of commitment to quality suppliers, they’ll be just as committed to you.

Improved quality: When you eliminate low-value and underperforming suppliers from your supply base, you’ll improve overall supplier performance along with the quality of the products and services you buy.

Enhanced agility: A streamlined supply base makes it easier to respond to changing market conditions and customer needs. By working with fewer suppliers, there is less complexity to manage, which can make it easier to pivot or scale as needed.

Reduced risk:  More suppliers equals more risk.  Rationalization provides the opportunity to replace your ‘too risky for me’ suppliers with others you may already be using who are more stable and/or have more robust policies, procedures and controls.

Cost savings: Of course, supplier rationalization also creates opportunity for cost savings through contract clean-up and greater leverage when you drive more spend through fewer suppliers.  You’ll also save on ‘soft costs’ related to process efficiencies you’ll gain in your purchase-to-pay process.

How to rationalize your supply base

So, how do you go about rationalizing your supply base?  A basic process you can follow to assess your suppliers and develop a strategy for supplier rationalization includes:

Identify your current suppliers:  Start by identifying all of the suppliers you currently work with, along with the products or services they provide. This will give you a baseline to work from as you begin the rationalization process.

Categorize suppliers based on what they do:  Establish spend categories aligned to your organization’s industry and size, and tag/categorize suppliers into the spend categories to understand who and how many you are working with in each category. 

Prioritize the categories you want to rationalize: Don’t boil the ocean.  Start with categories where rationalization is obvious and you can get some quick wins.  You want early traction and reportable results. Save the more complex categories for the next phase.

Analyze supplier contracts, spend and performance: Dig into the details to understand what contracts you have and what you are spending with suppliers in your targeted categories.  Also understand who’s performing and who’s not to help narrow down your strategy.

Create your category management strategy and transformation plan:  Develop your game plan for consolidating and streamlining each targeted category.  Determine which suppliers you want to keep as part of your supply base. These should be suppliers who offer the best value and fit with your business goals.  And don’t forget to align your timelines to contractual requirements.

Implement your transformation plan: Depending on the number of suppliers you have, this can involve consolidating and negotiating new terms with your existing suppliers, or transitioning to new suppliers entirely.

Build supplier rationalization into your supplier management process

Rationalizing your supply base can bring significant benefits to your business, including cost savings, improved quality, enhanced agility, and reduced risk.  To be most effective, though, don’t view it as a one time effort.

As time passes and your organization grows, your supplier base will start to grow again as well.  Supplier rationalization needs to be conducted at regular intervals to ensure you continue reaping the benefits of rationalization, and to mitigate risk throughout your supply chain.

If you’re interested in learning more about supplier rationalization and how it can benefit your organization, contact us today to schedule a free consultation. Our specialists can help you evaluate your current suppliers, determine which ones offer the best value and fit with your business goals, and help you implement any necessary changes to streamline your supply base. Don’t wait – start realizing the benefits of supply base rationalization today.

Vendor management is an important aspect of running any business, and it becomes even more crucial during times of economic downturn. With many economic indicators pointing towards a major recession looming in 2023, companies are looking to control costs, increase efficiency and mitigate risk. Effective vendor management can help achieve these goals.

Historically, the knee-jerk reaction has been to simply cut costs. Arbitrary cost cutting with vendors is an archaic vendor management strategy, and tends to do more damage than good. It has the potential to negatively impact key services you really need, while also putting downward cost pressure on some of your most important vendor relationships.

If a critical vendor has other customers who also apply cost pressure, it can lead to destabilization of the vendor.  You can’t afford an unstable supply chain.

The good news is that when it comes to effective vendor management during uncertain times, there are smart ways to control costs while also managing vendor risks and performance. 

Here are six practical tips and best practices for managing vendor costs, risk and performance in an economic downturn.

1. Evaluate vendor performance

Assess the performance of your current vendors to determine which ones are delivering the most value. Consider factors such as quality, timeliness, and cost.  If you aren’t getting value, consider eliminating those contracts.

2. Audit your SaaS applications

Review all of your Software-as-a-Service (SaaS) products to eliminate unused, underutilized or duplicative applications. Most organizations underestimate the number of SaaS apps they have by two to three times, so an audit is a great way to save money without impacting operations. 

3. Rationalize your supply base

Analyze categories of spend to identify opportunities to decrease the number of vendors you work with so you can streamline spend, improve purchase efficiency and reduce risk.  You’ll develop stronger relationships which can drive lower pricing, better performance and lower risk.

4. Communicate with your vendors

Keep the lines of communication open with your vendors, and be transparent about the challenges your business is facing. This can help foster a sense of partnership and may lead to more flexible and mutually beneficial arrangements.

5. Stay up-to-date on market conditions

Keep track of market trends and industry developments, as these can impact your vendor management strategy.

This is also a good time to take a deep dive into the financial health and stability of your critical and high risk vendors.   You want to ensure they are on stable footing and well positioned to bear the brunt of a tough economy.  

By following these tips and best practices, you can effectively manage your vendors and navigate the challenges of a downturn. This will help your organization maintain stability and continuity in uncertain times.

As more and more organizations take a serious approach to third-party management, creating and maintaining an accurate inventory of your vendors is a great place to start.

Regardless of the organization’s size, when I begin a third-party management consulting project (especially when we are helping our clients implement a vendor management system) I usually find that organizations simply don’t have a good understanding of how many active vendor relationships they have.

Some would think that the larger the organization the more likely they are to have a process and system in place to keep track of their vendors. In most cases, that statement does not hold true. Large and small alike, it is common to see departments maintaining their own lists of vendors, databases being populated with inaccurate information (or no information at all), and contractual documents being stored in a number of different locations (on shared corporate drives, within email messages or even in filing cabinets!).

Here are four tips you can use to maintain a reliable inventory of your vendors.

Tip #1 – Follow the Money

As I mentioned earlier, it’s not uncommon for each department to maintain their own vendor list. This not only creates lack of visibility across the organization, but can easily result in vendors being unmonitored and flying under the radar.

If you want a good place to start to truly see who your active vendors are… ask Finance to run a report from your Accounts Payable system. It may take some time to sort through the various types of disbursements of funds, but once you can separate “vendors” from the other payments your organization makes you’ll be able to see who your third-party vendors are. You might even identify some cases in which a vendor is still being paid and there is not an active contract on file!

Tip #2 – Use a Vendor Management System (organization-wide)

Excel spreadsheets, Access databases, filing cabinets… vendor and contract information probably lives in all of these locations and maybe some others, too. But wouldn’t it be nice if there was one central place where anyone in the organization could go if they wanted to answer questions like: “How many contracts do we have with Vendor ABC?” or “Who is the vendor that provides service XYZ?”

Vendor management systems allow you to maintain your “source of truth” (i.e. your complete vendor list), but they also do much more. You can use vendor management systems to manage the entire vendor lifecycle, from procurement to contracting and from ongoing oversight to offboarding. Vendor management systems also give you the ability to see the entire profile of the vendor, which A/P systems can’t do. Take a look at our recent blog post about the different types of vendor management systems available in the marketplace to understand which is right for you.

Tip #3 – Assign Responsibility for Data Maintenance

The people within your organization who have business problems to solve (and who are finding vendors to help solve them) don’t have the time to make sure all the required data points are added to a vendor management system. They simply want to execute the contract and begin working on a solution. Oftentimes it’s these people who are maintaining the organization’s “vendor list,” and that’s when the data starts becoming a bit more inconsistent.

If you’ve followed Tip #2 and have implemented a vendor management system, it’s very wise to set some rules regarding who can add new data or modify existing records within your system.

An approach I’ve seen that works well is to limit the responsibility for adding and maintaining vendor/contract data to only one or two people (usually staff within the Vendor Management Office, VMO). This way, vendor information and contracts are added in a consistent manner to your system, and the VMO gets their eyes on everything, too.

Tip #4 – Use Standard Naming Conventions

Once you’ve set some ground rules regarding who has the ability to add and modify your vendor data, establish some naming conventions for things like contract records and vendor names. It should be easy for someone to navigate to a vendor’s record and see what types of contracts are on file. If the contract record is named “Amendment” or “Master Agreement” that doesn’t provide much context. However, if the contract record is named something like “Amendment 1 to Software Licensing Agreement,” that can point someone in the right direction.
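Tip #1 (follow the money) and Tip #4 (standard naming conventions) lend themselves to a small reconciliation script. What follows is an added example written for this post, not code from the author or from any vendor management system: it takes constructed Accounts Payable disbursements, separates vendor payments from payroll and tax disbursements, normalizes payee names so that “ACME SOFTWARE INC” and “Acme Software, Inc.” resolve to one vendor record, flags vendors that were paid with no contract active on the payment date, and checks contract record names against a naming rule. The field names, the disbursement-type categories, the legal-suffix list, the naming rule and every record are assumptions constructed for the example.

```python
"""Reconcile Accounts Payable disbursements against a contract inventory.

Added example, not from the original post. All records below are constructed
sample data; field names, the non-vendor disbursement types, the suffix list
and the naming-convention rule are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Disbursement types that are not payments to third-party vendors (assumption).
NON_VENDOR_TYPES = {"payroll", "tax", "refund", "expense_reimbursement"}

# Legal-form suffixes dropped when normalising payee names (assumption).
_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "corporation", "incorporated"}

# Contract record names that carry no context on their own (hypothetical rule
# derived from Tip #4: "Amendment" fails, "Amendment 1 to Software Licensing
# Agreement" passes).
_GENERIC_NAMES = {"amendment", "master agreement", "agreement", "contract", "sow"}


@dataclass(frozen=True)
class Disbursement:
    payee: str
    amount: float
    paid_on: date
    kind: str  # "vendor", "payroll", "tax", "refund", ...


@dataclass(frozen=True)
class Contract:
    vendor: str
    record_name: str
    start: date
    end: date | None  # None means evergreen / no fixed end date


def normalize_vendor_name(name: str) -> str:
    """Canonical key: lowercase, punctuation removed, trailing legal suffixes dropped."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    while words and words[-1] in _SUFFIXES:
        words.pop()
    return " ".join(words)


def contract_is_active(contract: Contract, on: date) -> bool:
    return contract.start <= on and (contract.end is None or on <= contract.end)


def vendors_without_active_contract(disbursements, contracts) -> dict[str, float]:
    """Total paid per normalized vendor where no contract was active on the payment date."""
    by_vendor: dict[str, list[Contract]] = {}
    for c in contracts:
        by_vendor.setdefault(normalize_vendor_name(c.vendor), []).append(c)
    gaps: dict[str, float] = {}
    for d in disbursements:
        if d.kind in NON_VENDOR_TYPES:  # payroll, tax, refunds are not vendors
            continue
        key = normalize_vendor_name(d.payee)
        if not any(contract_is_active(c, d.paid_on) for c in by_vendor.get(key, [])):
            gaps[key] = round(gaps.get(key, 0.0) + d.amount, 2)
    return gaps


def record_name_is_descriptive(record_name: str) -> bool:
    """False when the record name is one of the generic, context-free names."""
    return record_name.strip().lower() not in _GENERIC_NAMES


def run_reconciliation() -> dict:
    """Run both checks over constructed sample data and return the findings."""
    contracts = [
        Contract("Acme Software, Inc.", "Software Licensing Agreement", date(2021, 1, 1), date(2023, 12, 31)),
        Contract("Acme Software, Inc.", "Amendment 1 to Software Licensing Agreement", date(2022, 1, 1), date(2023, 12, 31)),
        Contract("Globex Cleaning LLC", "Master Agreement", date(2020, 1, 1), date(2021, 12, 31)),  # expired
    ]
    disbursements = [
        Disbursement("ACME SOFTWARE INC", 12000.00, date(2023, 3, 15), "vendor"),
        Disbursement("Globex Cleaning", 800.00, date(2023, 3, 20), "vendor"),       # contract expired
        Disbursement("Initech Consulting Co.", 4500.00, date(2023, 3, 22), "vendor"),  # no contract on file
        Disbursement("Payroll", 90000.00, date(2023, 3, 31), "payroll"),            # not a vendor
        Disbursement("State Tax Authority", 2000.00, date(2023, 3, 31), "tax"),     # not a vendor
    ]
    return {
        "paid_without_active_contract": vendors_without_active_contract(disbursements, contracts),
        "non_descriptive_records": [c.record_name for c in contracts if not record_name_is_descriptive(c.record_name)],
    }


if __name__ == "__main__":
    for section, finding in run_reconciliation().items():
        print(section, finding)
```

In practice the disbursement type comes from whatever your A/P system calls its payment categories, and the suffix list grows as you see real payee spellings; the point is that the reconciliation key is a normalized name, not the free-text payee field.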

Organizations of all sizes share the challenge of maintaining an accurate inventory of vendors. So, don’t worry, you aren’t alone! While establishing an accurate inventory of your third-party vendors may take some time and effort, it’s a pretty easy win (low-hanging fruit in terms of the necessary components of a third-party management program).

If you have any questions about the topic covered in this article or want to discuss any other third-party risk management issue, just let us know! Reach out to us and we’d be happy to help.

Vendor scorecards are a fantastic tool to track and measure vendor performance. When used appropriately and consistently, vendor scorecards allow you to objectively identify and remediate issues, control costs and, ultimately, strengthen relationships with vendors – especially those vendors that are critical to your operations.

Vendor scorecards also provide an objective lens for measuring vendor performance by allowing you to:

  • clarify vendor performance criteria that are most important to you,
  • share expectations with your vendors, and
  • evaluate vendors on their ability to consistently deliver value.

There’s no right way to build a vendor scorecard; however, there are definitely core performance criteria that should be included. Here are five I always recommend.

Level of Service

Your scorecard should include criteria on how well the vendor met pre-established levels of service in areas like quality, delivery and support. Most vendor contracts should include expectations regarding service levels or, in some cases, a formal, documented service-level agreement (SLA). Your scorecard should simply be the tool you use to measure the vendor’s performance against these SLAs.

Cost Control

Another criterion on which to evaluate vendors is how well they help you manage costs in two areas. First, does the vendor adhere to the pricing you’ve agreed to in the contract? And second, is the vendor providing you with new ideas on how to reduce the cost of the relationship going forward?

Good vendors deliver a product or service for the price to which they’ve agreed; great vendors look for ways to help you reduce costs through things like alternative products, better use of technology or better inventory management. Your scorecard should evaluate both.

Ease of Doing Business

Vendors who are difficult to work with cost you time and money, and frustrate your staff. You should evaluate your vendors on how efficient they make it for you to work with them, including their processes and systems.

Regulatory Compliance

Many organizations rely on vendors to meet a variety of third-party compliance mandates and regulatory guidelines. These mandates are growing rapidly, and vendors are critical to ensuring compliance. Be sure to include these in your vendor scorecard, and require that your vendors track and report on their compliance with these requirements.

Innovation

Your most strategic vendors should bring new ideas to the table on a regular basis. They know what’s going on in their industry, and they should know what’s going on with your business.

The best vendors will look for ways to help you leverage changes in their industry to improve the way you do business. Your scorecard should include these criteria too, with a focus on process (i.e. they meet with you quarterly to discuss new ideas) rather than quantity (i.e. they called you to say hi six times).

Using a vendor scorecard can really help you align expectations and generate more value from your vendors. To get the most from your scorecard keep these three things in mind:

  • Keep it simple. Use no more than one or two measures per criterion.
  • Focus on your key vendors. There are probably 15-25 that really matter, so focus on getting those relationships right.
  • Develop a consistent process. Incorporating the scorecard into a regular review process enables you to track performance over time and make better, data-driven decisions.

This article was originally published in January 2017. Updated February 2022.

Vendor management is an evolving business discipline. As you can imagine, vendor management terminology is evolving too.

While terms like procurement and contract management are familiar to most, others like Critical Vendors and Residual Risk Remediation are new to many.

Regardless of where you are in your vendor management journey, here is a breakdown of 14 vendor management terms everyone needs to know.
  • Contract – A legal agreement that is used to document formal terms and conditions agreed to with vendors. Contracts can take a variety of forms, including but not limited to master services agreements, statements of work, consulting agreements, licensing agreements, subcontracts and amendments.
  • Contract Owner – The individual who is assigned responsibility for managing the contract, and monitoring the vendor’s compliance with contractual terms and conditions.
  • Critical Business Function – An activity (or collection of activities) normally performed by the business that must continue at a sufficient level without interruption, or restart within acceptable timeframes, in order to ensure continuity of operations and/or avoid adverse effects to the business, employees, customers or other key stakeholders.
  • Critical Vendors – A vendor that supports a critical business function and, if unexpectedly removed, would have an adverse effect on the critical business function. Ensuring business continuity with these vendors is of utmost importance.
  • Due Diligence – The process of gathering detailed information about a vendor (e.g., financials, processes, procedures, SOC reports, and other data) in order to evaluate their policies, procedures, and controls.  Due diligence should be risk-based and aligned to the vendor’s inherent risks.
  • Fourth Party – Downstream ‘vendors of your vendors’. (Sometimes also called ‘Nth Parties’.)
  • Inherent Risk – The risk that exists in a vendor relationship (considering the products and/or services that are being provided) before the vendor’s mitigating factors (i.e. policies, procedures, and controls) have been evaluated.
  • Key Risk Indicators – A collection of metrics used to monitor risk exposure with a vendor or collection of vendors, and to provide early warning signs of increased risk.
  • Key Performance Indicators – A collection of metrics used to monitor a vendor’s performance against contractual requirements, quality standards, and other outcome-based expectations.
  • Procurement – The collection of activities necessary to obtain goods and services for a business.
  • Residual Risk – The risk that remains in a vendor relationship after due diligence has been performed, and the vendor’s policies, procedures, and controls have been considered. Residual risk can either be remediated, managed/mitigated, or accepted/rejected.
  • Service Level Agreement – A document that defines the level of service an organization expects from a vendor, laying out the metrics by which service is measured, and the remedies or penalties should any agreed-upon service levels not be achieved.
  • Vendor – A supplier, contractor, consultant, or other type of third-party that provides goods or services as a normal course of business.
  • Vendor Risk Management – The systematic approach to providing reasonable assurance that inherent and residual risk associated with vendor relationships is mitigated and aligned with the objectives of the organization.

While this list covers a lot of the basics, it is far from being exhaustive.  If you’re looking for a term that’s not here, check out this glossary of more than 100 vendor and contract management-related terms from our friends over at Gatekeeper.

Looking for a clear and succinct definition that will help you explain ‘what is vendor management’ to your colleagues, senior management and even your Board? You’ve come to the right place.

The adoption of vendor management as a business discipline is growing rapidly, fueled by the need to:

  • meet mandates from regulators, auditors and customers
  • modernize & scale operations for procurement, contract management and third-party risk, and
  • stabilize the business and ensure continuity during supply chain disruptions and geopolitical unrest.

Boards, auditors, regulators, and customers are all pushing for standardized, effective vendor management practices: the types of practices that improve cost control, risk mitigation, business continuity and compliance with a growing list of regulatory requirements.

Staff are pushing too. A growing number are operating in a more remote and decentralized environment. They want clearer policies and simpler processes so they can quickly find and work with vendors they need in their day-to-day business.

But what exactly is vendor management? The answer is simple – and complex. Here’s what I mean.

What is vendor management?

Vendor Centric’s definition of vendor management is based on years of practical, hands-on experience helping companies establish, implement and optimize their vendor management programs. Here’s how we sum it up:

“Vendor management is a corporate business function whose purpose is to ensure vendor relationships are holistically managed so that more value, and less risk, is created for the enterprise.”

One of the things that makes the vendor management function unique from other business functions like accounting or marketing is that it isn’t isolated to a single department. Rather, it’s a coordinated effort between the three operational areas that, collectively, support nearly every aspect of vendor lifecycle management.

  • Procurement Management – finding and sourcing vendors
  • Contract Management – executing and managing contracts
  • Third-Party Risk Management – assessing and monitoring risk with vendors and other third parties

In essence, the vendor management function is the ‘quarterback’, providing strategic guidance, coordination and infrastructure necessary to get all three operational areas working in harmony. However, the function needs structure for everything to work harmoniously. That’s where the vendor management framework comes into play.

The Importance of a Vendor Management Framework

Like with any business discipline, there are fundamentals you need to follow – you can’t make them up as you go along. A vendor management framework provides the blueprint for the practices and infrastructure needed to holistically manage vendors from start to finish.

Vendor Centric’s Vendor Management Framework consists of two main sections. The first section (the outer ring) defines the six stages of the vendor lifecycle that need to be managed over the course of your relationship.

  • Sourcing
    Identify and select the right vendor(s) to meet corporate sourcing requirements.
  • Risk Assessment & Due Diligence
    Evaluate and mitigate potential risks before entering a contract.
  • Contracting & Onboarding
    Negotiate high-value, low-risk contracts and integrate vendors into your operations.
  • Purchasing
    Buy the goods and services you need through efficient purchasing and spending control.
  • Ongoing Management & Monitoring
    Manage vendor performance and compliance and monitor and mitigate risks.
  • Termination & Offboarding
    Formally end and ‘de-risk’ the relationship.

The second section (the inner circle) defines the governance needed to align your people, processes, and systems to provide effective and efficient vendor management across all lifecycle stages.

  • Policies & Procedures
    Establishes the overarching rules, guidelines, activities and operational controls for vendor management.
  • People, Skills & Training
    Ensures the right level of vendor management resources, subject matter expertise and stakeholder knowledge.
  • Technology & Reporting
    Centralizes data, facilitates workflow, provides reporting and ensures an audit trail of activities.
  • Accountability & Structure
    Defines the governing body and establishes the control structure to provide oversight and accountability.
  • Continuous Improvement
    Ensures operations are continuously improved for efficiency, scale and alignment with changing business priorities and regulations.
  • Value Creation
    Aligns vendor management with strategic priorities, and creates value through cost savings, risk reduction, performance improvement and innovation.

The scope of your vendor management function should always scale to your organization’s requirements, size, and overall risk appetite. But all components of the vendor management framework need to be in place for the function to be effective.

Risk-Based Approach to Vendor Management

Another important vendor management concept is recognizing that not all vendors are created equal when it comes to how they need to be managed. Some relationships are large and complex, while others are small and transactional.

That’s why the best practice is to employ a risk-based approach to vendor management. Taking a risk-based approach allows you to focus your time and energy on the riskiest – and oftentimes most important – vendors to your organization. Here’s what I mean.

When you enter a new relationship with a vendor, they bring a variety of potential risks into your organization such as:

  • Operational & business continuity risk
  • Information security risk
  • Financial risk
  • Legal and compliance risk
  • Reputational risk
  • plus many others

Identifying and mitigating these risks BEFORE you sign a contract, and monitoring (mitigating) them throughout the life of the relationship, is the key to risk-based vendor management.

Operationalizing a Vendor Management Business Function

If you’re just getting started with vendor management, establishing a new business function within your organization doesn’t happen overnight. But you can get traction quickly by taking a practical, risk-based approach to building your vendor management program.

Here are three phases you can follow.

Phase 1: Baseline Current Operations and Set Priorities

There is no ‘one size fits all’ when it comes to vendor management. The size and complexity of your program needs to align to your individual goals, priorities and resources.

Start your journey by defining your near-, mid- and long-term vendor management priorities across all stages of the lifecycle. Then baseline your current operations to evaluate the strength of your current infrastructure and the gaps you’ll need to close. This enables you to determine the level of effort to get your program off the ground, and create a roadmap for building and operationalizing your program.

Phase 2: Create Your Governance Infrastructure

Next up is building out your program fundamentals – your vendor management governance. This includes:

  • Vendor management policies and procedures
  • Resources, roles and responsibilities
  • Vendor management technology and reporting

You also need to establish a control structure with accountability. This ensures there is an Executive Owner assigned to manage the function, and that there is an effective structure for control, escalation, and accountability.

Phase 3: Operationalize Your Vendor Management Program

Finally, once your fundamentals are established, you’re ready to operationalize your program. It’s important to provide orientation and training to all key stakeholder groups, and to monitor adoption in the early stages of the process.

Once your vendor management function is up and running, the real magic happens when you start creating ‘quick wins’ that demonstrate real, measurable value from your vendor management activities. This includes things like:

  • Generating cost savings
  • Improving vendor performance
  • Avoiding unwanted contract renewals
  • Reducing third-party risk
  • Meeting audit and regulatory requirements

If you’re interested in learning more about vendor management, we have a variety of free resources and over 100 blogs on the topic.

If you’re looking to get a new vendor management program up and running, download our free Kick-Start Guide which includes a practical playbook for building a scalable program to create long-term value.

A fundamental component of a risk-based vendor management program is knowing who your most important vendors are – that is, your critical vendors.

It is a common misconception that a ‘critical vendor’ and a ‘high-risk vendor’ are one and the same. They are not, and it’s important to delineate between the two when establishing your program.

Let’s break them both down.

Critical Vendors

A critical vendor is one that you rely on heavily to support the most important activities within your organization – oftentimes called ‘critical activities’. While critical activities will differ between organizations, examples of critical vendors might include those who:

  • support the processing of your financial transactions;
  • provide infrastructure that powers back-up servers and/or provides remote access to daily activity for employees; or
  • perform a core business function that you have outsourced to them.

High Risk Vendors

On the other hand, a high-risk vendor is one that presents a heightened level of risk to your organization regardless of how critical they are to your operations. A common example is a vendor who processes, stores and/or has access to your non-public data. While these vendors are higher risk due to the fact they have access to your data, the actual services they provide may not be critical to your operations. Other factors that can elevate the risk of a vendor include:

  • reliance on them to support your own compliance with laws and regulations;
  • provision of direct services to, or interface with, your customers;
  • unsupervised access to your building/offices and direct contact with your employees; and
  • use of downstream contractors or service providers (i.e. 4th parties) to provide the goods or services to you.

Is a Critical Vendor Always a High-Risk Vendor?

No. Every organization has a subset of vendors that are both critical but also lower risk. Your internet services provider is a good example. Clearly, your internet connection is critical to your day-to-day operations, but the risks associated with most internet service providers are relatively low.


Identifying Your Critical Vendors

Defining your critical vendors begins with being clear about your own critical activities. A good place to start is with your company’s business continuity/disaster recovery plan, which defines critical activities within your own operations. Knowing those activities will help you determine which vendors support those critical operational areas.

If you are new to third-party risk management, getting these critical vendors into your TPRM program is the first place you should start. Download our eBook How to Kick Start Your Vendor Management Program to learn more.

One of the fundamentals to effective vendor management is recognizing that not all vendors are created equal when it comes to how they need to be managed. Some relationships are large and complex, while others are small and transactional.

That’s why these three words need to be baked into the core of your vendor management program: Risk-Based Approach

Taking a risk-based approach to vendor management allows you to categorize your vendors by risk, and focus your time and energy on the vendors that are riskiest – and oftentimes most important – to your organization. Let me explain what I mean.

When you enter into a new relationship with a vendor, they bring a variety of risks into your organization. Risks such as:

  • Operational & business continuity risk
  • Information security risk
  • Financial risk
  • Legal and compliance risk
  • And sometimes most important – reputational risk

Identifying these risks BEFORE you sign the contract (and during the procurement process) is the key to risk-based vendor management. Doing so enables you to properly vet the vendor, mitigate risks contractually or through alternative controls, and establish a risk-based plan for monitoring the relationship post-contract.

This won’t work though if your approach to risk identification is ad hoc. You need to follow a standard process, that starts with an inherent risk assessment.

The inherent risk assessment allows you to ask risk-related questions about the prospective vendor relationship in order to identify risks and determine the type of due diligence and risk oversight that is needed. Questions like:

  • Are any key activities being outsourced to this vendor?
  • Will the vendor be supporting one or more critical areas of operations?
  • Will the vendor have access to confidential information? What type and how much?
  • Will the vendor be interfacing directly with clients or customers?
  • Will the vendor have unsupervised access to our offices and our employees?
  • Does the vendor play a role in our own compliance with laws and regulations?

Answers to these and similar questions are the only way to understand risks with the vendor, and to employ a risk-based approach to managing the relationship.
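The inherent risk questions above, and the earlier point that a critical vendor is not automatically a high-risk vendor, can be made concrete as two independent axes. The following is an added example written for this post, not the author’s method or any product’s scoring model: each of the post’s questions gets an assumed weight, the “what type and how much” data question is graded rather than yes/no, the weighted sum maps to an inherent risk tier that drives the type of due diligence, and criticality is decided separately from the score. The weights, tier thresholds, due-diligence lists and the four sample vendors are all assumptions; the internet service provider case reproduces the post’s own example of a vendor that is critical but low risk.

```python
"""Inherent risk tier and critical-vendor flag as two separate axes.

Added example, not part of the original post. The questions mirror the post's
inherent risk assessment list; the weights, tier thresholds, due-diligence
mapping and sample vendors are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Yes/no questions from the post, each with an assumed weight.
QUESTION_WEIGHTS = {
    "outsources_key_activity": 3,
    "supports_critical_operations": 3,
    "customer_facing": 2,
    "unsupervised_site_access": 1,
    "supports_regulatory_compliance": 2,
    "uses_fourth_parties": 1,
}

# "What type and how much" confidential data: graded, not yes/no (assumption).
DATA_ACCESS_WEIGHTS = {"none": 0, "internal": 1, "confidential": 3, "regulated": 4}

# Score thresholds for the inherent risk tiers, checked highest first (assumption).
TIER_THRESHOLDS = ((7, "high"), (4, "medium"), (0, "low"))

# Due diligence expected for each tier (assumption, illustrative only).
DUE_DILIGENCE = {
    "high": ["audited financials", "SOC report", "information security questionnaire",
             "BC/DR plan review", "annual reassessment with onsite or virtual review"],
    "medium": ["financials", "information security questionnaire", "annual reassessment"],
    "low": ["standard intake questionnaire", "reassess at contract renewal"],
}


@dataclass
class VendorAssessment:
    name: str
    answers: dict[str, bool] = field(default_factory=dict)  # keys from QUESTION_WEIGHTS
    data_access: str = "none"  # key from DATA_ACCESS_WEIGHTS


def inherent_risk_score(a: VendorAssessment) -> int:
    """Weighted sum of 'yes' answers plus the data-access grade."""
    unknown = set(a.answers) - set(QUESTION_WEIGHTS)
    if unknown:  # reject questionnaires that drifted from the standard process
        raise ValueError(f"unknown question(s): {sorted(unknown)}")
    score = sum(w for q, w in QUESTION_WEIGHTS.items() if a.answers.get(q, False))
    return score + DATA_ACCESS_WEIGHTS[a.data_access]


def inherent_risk_tier(score: int) -> str:
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "low"


def is_critical(a: VendorAssessment) -> bool:
    """Criticality is decided independently of the risk score: does the vendor
    support a critical activity or perform an outsourced key activity?
    (Assumption: a real program takes the critical-activity list from the BC/DR plan.)"""
    return bool(a.answers.get("supports_critical_operations")
                or a.answers.get("outsources_key_activity"))


def assess(a: VendorAssessment) -> dict:
    score = inherent_risk_score(a)
    tier = inherent_risk_tier(score)
    return {"name": a.name, "score": score, "tier": tier,
            "critical": is_critical(a), "due_diligence": DUE_DILIGENCE[tier]}


def assess_sample_vendors() -> dict[str, dict]:
    """Constructed vendors showing that 'critical' and 'high risk' are independent."""
    vendors = [
        # Critical to daily operations, but holds none of our data: critical, low risk.
        VendorAssessment("Internet service provider",
                         {"supports_critical_operations": True}, "none"),
        # Outsourced key activity with regulated data: critical and high risk.
        VendorAssessment("Payroll processor",
                         {"outsources_key_activity": True, "supports_critical_operations": True,
                          "supports_regulatory_compliance": True}, "regulated"),
        # Holds regulated customer data but the service is not critical: high risk, not critical.
        VendorAssessment("Marketing analytics firm",
                         {"customer_facing": True, "uses_fourth_parties": True}, "regulated"),
        # Unsupervised site access only: low risk, not critical.
        VendorAssessment("Office plant service",
                         {"unsupervised_site_access": True}, "none"),
    ]
    return {v.name: assess(v) for v in vendors}


if __name__ == "__main__":
    for name, r in assess_sample_vendors().items():
        print(f"{name:28} score={r['score']:2d} tier={r['tier']:6} critical={r['critical']}")
```

Keeping the two outputs separate is the design point: the tier decides how much due diligence and ongoing oversight a relationship gets, while the critical flag decides which relationships need business continuity planning regardless of tier.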

Learn more about risk-based vendor management by downloading our eBook, How to Kick Start Your Vendor Management Program.

At Vendor Centric, we’ve been advising companies about vendor risk management for years. But not too long ago, the concept of ‘vendor risk’ was one that many companies were just getting their arms around.

So exactly how did vendor risk management start to get traction? Here’s a little background on where it started and where it’s evolved to today.

Vendor risk management (also referred to as third-party risk management) started to really come into focus in 2008 when the FDIC issued Financial Institution Letter 44-2008 (FIL-44-2008): Guidance for Managing Third-Party Risk. The guidance was an inflection point for vendor management because it introduced the concept of taking a systematic, risk-based approach to managing vendors and other third parties.

The guidance also established several concepts that have become fundamental to vendor risk management today, such as:

  • Performing risk assessments to understand inherent risks of new relationships;
  • Conducting risk-based due diligence prior to contracting to evaluate a vendor’s controls and mitigate the residual risks that remain;
  • Following contracting standards to ensure proper risk transfer in legal agreements;
  • Performing an appropriate level of ongoing oversight to ensure performance and manage changing risks over the course of the relationship.

Other regulators of the financial services industry, like the OCC, NCUA and FHFA, followed the FDIC and issued their own third-party management regulations. In healthcare, the Health Information Technology for Economic and Clinical Health Act (HITECH) was introduced, extending HIPAA rules to third-party “Business Associates.” And in the municipality and nonprofit sectors, the Office of Management and Budget issued the Uniform Guidance which, among other things, required that recipients of federal funding perform risk assessments and ongoing monitoring of their third-party “Subrecipients.”

States such as New York, South Carolina and California have also come out with regulations focusing on third parties, and more states are joining them each year. Some of these newer federal and state regulations expanded upon FDIC fundamentals to introduce other important tenets of vendor risk management including the need for:

  • board and senior management accountability,
  • cybersecurity standards,
  • termination standards,
  • periodic program reviews, and
  • compliance attestations.

While the regulations came out at different times, and targeted different industries, they all had one thing in common: that companies need to take a systematic, risk-based approach to managing vendors in order to drive more value, and less risk, from these important (but risky) relationships. Risks like:

In today’s environment, if you’re not taking a risk-based approach to managing vendor relationships, you’re playing with fire. And if done right, you can get a new vendor management program up and running in 90 days or less. Download our eBook, How to Kick-Start Your Vendor Management Program, to learn how.

From supply chain disruptions to massive third-party data breaches, one of the clear lessons learned from 2021 is that proactively managing vendor risks is no longer an option. It has moved up in priority in every company and now has visibility from senior management, internal audit, and the Board.

In fact, I frequently argue that managing vendor risk is just as important as managing risk with your own employees. If you lose a key staff member, it’s going to be painful. But if you lose a key vendor, it can shut down entire portions of your operations.

But while vendor risk management is critical, mitigating vendor risk must be complementary to the primary purpose of working with vendors – which is to help you get work done better, faster and/or cheaper than you could on your own.

Great vendors provide wide-ranging benefits to your company including:

  • Knowledge. They offer strategic ideas and tactical insights on how to plan, grow, manage risks and streamline operations.
  • Skills. They provide technical and industry-specific skills like legal, marketing, technology (and even vendor management) that you may not have on staff or that you need for a particular project or initiative.
  • Experience. They bring best practices they’ve learned from working on many projects across multiple companies and industries.
  • Scalability. They give you a way to grow (or shrink) in a way that limits your investment and risk, and provide you with people, space, technology and other resources crucial to operations.
  • Distribution. They enable you to extend your business and reach new markets by leveraging proven, established distribution channels.
  • Cost Efficiency. They give you the ability to operate faster and cheaper, and turn fixed costs into variable costs.

The very best vendors become a strategic asset, a partner in execution, and an important member of the extended workforce.

So, as you plan for your own success in 2022, make sure it includes a strategy for finding and working with the right vendors so you can drive more value, AND less risk, from those important relationships.

Learn more about the importance of vendor relationships in the new and updated version of my cornerstone e-book, Rethinking Vendors 2.0.

Requests for Proposals (RFPs) are an important procurement tool, allowing buyers of products and services a structured way to define requirements, solicit proposals and compare potential vendors efficiently in order to find the best fit for their company’s needs.

Writing a Request for Proposal isn’t always easy, but the benefits they provide – especially for larger and more complex procurements – vastly outweigh the costs. Here are five tips for creating a great RFP.

  1. Get stakeholder input upfront. Nothing can doom an important procurement project to failure more than creating an RFP in a bubble. At the very beginning of the creation process, it’s critical to identify all key stakeholders and engage them in the process of creating the RFP. Internal teams need to provide input, and be in harmony, before sending anything to your vendors.
  2. Be specific with your requirements. If you don’t know what your requirements are, how will prospective vendors? Vague, poorly written requirements sections will lead to vague, poorly written proposals. Which will then lead to poorly written contracts and lots (and lots) of problems after the contract is signed. Make sure to invest ample time to create clear, specific requirements.
  3. Define your evaluation criteria. Unless you are buying pure commodities, price should rarely be how you select a winning vendor. You get what you pay for, which includes quality products, fast delivery and great service. Determine what criteria really matter to you, and define them in your proposal. It will allow vendors to talk to their strengths in those areas, which will help you make a better overall selection.
  4. Know what’s negotiable (and what’s not). Define what you really care about, and what you’re willing to give up to get it, before you go out to bid. For example, if fast turnaround is critical to you, and speed of payment critical to the vendor, would you be willing to swap faster payment for faster turnaround? Spend time up front to define your swaps, and get buy-in from those that need to give you approval to do so.
  5. Speak with one voice. RFPs are often the work of teams, which can frequently be seen through a mixture of voices, strategies, goals and definitions. Multiple viewpoints can make reading and comprehension difficult for vendors, and can result in proposals that are too long and full of mixed messages. Assign one person to be the ‘quarterback’ of the RFP, and responsible for merging all those different perspectives into a single voice.

Need help writing a great RFP for your next procurement? We are here to help. Just email me at trogers@vendorcentric.com.

As we continue to operate in uncertain times, it is important for every company to be proactively assessing their overall operations to determine how best to prepare for both best case and worst-case outcomes.  This is especially true for your Vendor Management Program.

As many companies invest 50% or more of their capital with outside vendors and third parties, having a properly structured and resourced Vendor Management Program is essential to mitigate risk and ensure regulatory compliance.

As you consider how best to operate a Vendor Management Program, it is critical to determine whether it makes sense to resource your program internally or to outsource some or all of it to a provider with a proven approach and dedicated subject matter experts.

When used effectively, outsourcing can optimize your costs and operational performance while also giving you access to dedicated subject matter experts who bring a best-practice approach to Vendor Management.

Key Considerations

Here are some key considerations your company should be looking for as you determine if an outsourced managed service solution will create value for your company:

Operational Alignment

Does the solution align with your team and resourcing needs? As you assess your internal staffing, resource plan and operational processes, does the proposed managed solution free your staff up to handle other activities while giving you confidence that the managed service provider will deliver the service and outcomes you require?

Subject Matter Expertise

You need to ensure the managed solution is designed and resourced by a team of subject matter experts that have the appropriate mix of technical expertise and industry expertise to provide you the required outcomes and best practice recommendations to achieve your objectives.

Technology-Driven Process

Is the managed solution built on a system that lets the provider operate efficiently and effectively? Can you integrate your existing system(s) with the provider’s system so you have access to the data and reporting you need to maintain your oversight responsibilities?

Scalable and Reliable Service Level Performance

Can the provider meet your unexpected demands (for example, a higher number of new vendor due diligence reviews than you anticipated) and align with your growth plans so the service scales with you accordingly?

Are You Ready for Outsourcing?

If you are unclear if outsourcing makes sense for you, consider the following as leading indicators that outsourcing some or all of your Vendor Management Program is something you should be considering:

Lowering Costs

If lowering costs is a priority for your company, outsourcing a vendor management activity such as due diligence will in many cases let you save on salary and benefits costs: you pay a fee for the specific work performed, which may vary with volume, rather than paying fully loaded overhead that may not be fully utilized.

Streamline Operations

What better way to streamline your vendor management operations than to free up your internal staff to focus on their core capabilities instead of being distracted by a range of ancillary activities that may not align with their skill set? Working with an external managed service provider gives you a resource that specializes in a specific area such as due diligence, procurement or contract management, so your team can focus on day-to-day and more strategic activities.

Best Practice and Program Maturity

When you want to update your program and ensure you are implementing industry best practices, outsourcing is well worth considering. Not only do you achieve all of the other benefits highlighted above, you also have continued access to industry best practices, because your provider can actively bring you the trends they are seeing in their work with other clients.

Final Thoughts

In the end, outsourcing some aspects of your Vendor Management Program can make sense on many fronts. It can send a message to your staff, executives, board members and investors that you take seriously your responsibilities to mitigate third-party risk, optimize your operating costs, ensure regulatory compliance and strive for excellence.

As you begin exploring outsourced vendor management solutions, we are here to help you start this journey to optimize your Vendor Management Program.

When we speak about vendor and third-party risk management, we often think about managing risks after a vendor has been selected. The reality is that risks exist from the moment a business need is identified. Organizations nowadays rely more and more on third parties (think of the small business that uses QuickBooks Online for their accounting needs… to the billion-dollar health system that relies on an outsourced IT provider to manage all of its technology). When the need arises to hire a new vendor, you need to be aware of the various procurement risks that exist.

Here are a few types of procurement risks that you may encounter, as well as suggestions on how to address each of them:

Inadequate Requirements

“We need a new software solution.” “We need to hire a vendor to help us.” These comments might sound familiar to you if you are involved in your organization’s procurement management process. Employees tend to have an easy time identifying when a third party may need to be hired to help solve a particular problem, but defining the exact requirements that vendors need to meet proves to be a much more challenging task. When you don’t explain exactly what it is that your organization needs, you increase the risk of:

  • Under/over estimating the cost of the solution you are looking for
  • Receiving proposals from vendors that wildly vary in scope and price (likely because the vendors didn’t truly understand your organization’s requirements)
  • Procuring a good or service that doesn’t address the problem your organization is trying to solve (perhaps your requirements represented only one person’s needs, and not the needs of every stakeholder who will be impacted by the new vendor/solution)
  • Creating a contract with a scope of work that is not clear, or that does not completely satisfy the business need

As you can see from the risks identified above, defining your requirements accurately can drastically improve the outcome of the entire procurement process. One of the best ways to improve the requirements development process is to increase stakeholder involvement. Stakeholder involvement ensures that everyone’s voice is heard, which in turn helps to incorporate various perspectives when drafting requirements. Create some guidelines for your staff to follow to help them think about the various people they may need to involve in the requirements development process, and you’ll already be on your way to a better (and less risky) procurement.

Exposure to Information Security Risk

There is typically a lot of “back and forth” with vendors during the procurement process before you ultimately enter into a contract. Depending on the specific product or service that you are procuring, that back-and-forth correspondence could result in the exposure of some of your organization’s non-public/confidential information.

For example, let’s say you are planning to procure a new software solution. You’ve already seen a generic system demonstration, but now you want to go a step further and load some of your real/live data into the system to see how it works first-hand (either via using a trial account or by providing the software vendor with some of your organization’s information to load into the system). This scenario presents a real information security risk. You could unintentionally provide non-public/confidential information to the software vendor before you even have a contract with them.

You can significantly reduce this risk, or eliminate it entirely, by putting some standards in place at your organization around data sharing during the procurement process. Perhaps you create a policy that only allows “dummy data” (fake data) to be shared with vendors when you are evaluating their product. If non-public/confidential data needs to be shared with a vendor during the procurement process, make sure to sign a Non-Disclosure Agreement with the vendor to protect your data.

Noncompliance with Procurement Regulations

Regulatory bodies exist for almost every major industry, and some regulations even explicitly call out procurement. For example, non-Federal entities (typically nonprofits) who receive federal funding must follow the Uniform Guidance (UG) procurement standards when expending federal funds. The UG procurement standards set requirements around methods of procurement to be used (i.e., RFQ vs RFP vs Sole Source), documentation needed (i.e., what records need to be maintained to sufficiently document the history of the procurement), and much more. If the UG requirements apply to your organization and you don’t comply with them, you could put your organization at risk of receiving an audit finding or even losing Federal funding.

While the UG procurement standards may not apply to your organization, you might need to comply with other procurement requirements that are specific to your own industry. Here are some tips for ensuring that your organization complies with requirements:

  • Review the regulations that apply to your organization and create an inventory of all the various requirements with which you need to comply
  • Map your existing policies and procedures to the regulatory requirements to see if any compliance gaps exist (i.e., requirements that are not sufficiently addressed in your organization’s policies/procedures)
  • Update your policies, procedures and tools to ensure any compliance gaps are fixed
  • Ensure that staff are provided with the proper training to ensure they understand how to comply with the requirements.

Procurement is the first step in the vendor management lifecycle, and it’s important that your organization doesn’t overlook risk at this early stage. Manage your procurements in a thoughtful and consistent manner, and you’ll reduce your organization’s risk exposure during the process!

As we approach the end of the first quarter of 2021, with approximately one-third of the population of the United States fully or partially vaccinated against the Covid-19 virus, the business community is looking ahead to financial recovery and a return to business as usual. Although the principal and most positive result will be negotiations for new contracts and renewals of existing ones, we must realize that things have changed. They may or may not be back to whatever we once considered normal for new contract or contract renewal negotiations.

During this last year of the Covid-19 pandemic crisis, business organizations have been hard-pressed not only to survive, but to develop new management practices to compensate for the lack of personal presence in their dealings with their vendor base and their clientele in general. Their business strategies have adapted to a new atmosphere, and their business acumen has become increasingly discerning.

We must take this perceptive transformation into consideration when approaching any contract negotiation. A new strategic contractual planning process must be developed and implemented in accordance with this emerging business atmosphere, allowing measured flexibility in order to adapt to the changes that will evolve as the economy begins to stabilize, just as earlier changes provoked the economic destabilization during the height of the pandemic.

In order to develop a new strategic contractual planning process for all contract negotiations, focused on key information, a contract negotiation strategy is critical so that all stakeholders involved in the negotiation agree on the outcome. At a minimum, the contractual negotiation strategy should include the following:

The most desired contractual outcome
The contract negotiators and all parties to the contract must have an extensive analysis of the key information regarding the potential business, including a summary of details regarding the vendors’ services, cost, and benefits, in order to knowledgeably take the most advantageous steps to reach the ideal contractual outcome for all stakeholders involved.

Best alternative in a negotiated contractual outcome
The second part of a contractual negotiation strategy must include a keyword or situation that would clearly indicate that the most desired contractual outcome could be difficult or impossible to reach. At this point in the negotiation, a slight detour in strategies should be outlined in order to reach the best agreement with which all involved are still comfortable. This potential outcome should be part of the initial analysis and part of the strategy where the vendors’ strengths are recognized, along with their weaknesses to be overcome in order to reach an acceptable agreement.

Least acceptable contractual outcome
The third part of a contractual negotiation strategy must be as thoroughly outlined as the first and second parts detailed above, and must never be approached empirically as a “Hail Mary” solution when faced with a potential contractual loss. This potential outcome should be part of the initial analysis and part of the strategy where the stakeholders identify the minimum acceptable requirements needed in order to reach an agreement.

It is always important to revisit and adjust the contractual negotiation strategy to demonstrate flexibility, all the more so given the difficult times that have affected businesses and the general population, while always focusing on successfully achieving the strategy’s outcomes and, more importantly, demonstrating that adapting to constantly changing economic conditions is achievable!

Over the last couple of weeks, I’ve explored ways that Procurement teams can more effectively help their organizations weather the storm when it comes to catastrophic market conditions. This year’s challenges have certainly forced organizations to make tough choices – my hope is that managers can avoid having to lay off employees if Procurement can help cut costs to the greatest degree possible.

I’ve chosen to use the Kraljic Matrix as the map to this exploratory journey. In case you missed them earlier, we’ve already moved through the first two quadrants in the links below:

  • Non-Critical Suppliers – Procurement can cut costs if we can avoid wasting time on high-volume, low-spend purchases. These purchases cost more in our time and energy than the price of the buys, themselves.
  • Bottleneck Suppliers – Procurement can cut costs by taking back negotiating leverage held by these suppliers (but should more likely attempt to reinforce the supply chain here).

These two quadrants represent the bottom of our quadrant map, and are the tougher two to wade through in terms of cutting costs effectively.

Today, we head into Procurement’s bread-and-butter quadrant – the “Leverage” quadrant.

Leverage Supplier Relationships

Suppliers in this quadrant share a few key traits that make them stand out to Procurement teams:

  • They tend to make up a larger portion of an organization’s product costs.
  • They also tend to be in markets with an abundant supply. Organizations don’t face much supply chain risk.
  • Typical supplier sales strategies point out and pick apart perceived competitive differentiation… this is often smoke and mirrors. Many purchases here are fairly commoditized.

When Procurement thinks of cost savings, this is the traditional “sweet spot” that is top of mind: Low risk with high reward. Going to market with an RFQ or RFP will likely yield results. But, in a space where we’ll always find some cost reduction, how do we know we’re maximizing our success?

Maximizing Leverage Supplier Relationships

I won’t delve into the tactical elements of going to market with an RFQ or RFP. You’re probably aware of them or, if not, there are plenty of resources to learn more. Instead, let’s focus on elevating Procurement’s role from the tactical to a more strategic level.

How can Procurement influence the nature of the purchase in order to maximize cost savings?

Requirements definition

When Procurement functions tactically, the team is handed a scope of work or spec sheet by stakeholders and is expected to craft and execute an event using those parameters. However – are those the right parameters?

Viewed strategically, Procurement should be digging into these parameters and asking, “why?” In other words, are these real requirements, nice-to-haves, or irrelevant to the need entirely? Consider a request for printed materials – A stakeholder approaches Procurement with the following specifications:

  • Full color cover/back, full color pages
  • 100# stock paper
  • Printed to bleeding edge

Are these specs valid? If the print job is for a small, prospect-facing brochure then potentially so. They’d make for effective marketing visuals. However, what if we’re talking about a hundred-page instruction manual for a product? These specs would be overkill. We could take these specs to market and get some level of cost reduction… but any success would pale in comparison with rightsizing specs to better fit the need.

Considering Total Cost of Ownership

One mistake I’ve seen among Procurement teams time and again is hyper-focusing on unit price and forgetting about total cost of ownership. Getting the lowest unit cost is meaningless if other associated costs aren’t taken into account:

  • What if the cheaper unit price option requires more resources to operate?
  • What if it is more prone to downtime, cutting operation time and output?
  • What if replacement parts are more expensive, or wear out faster?
  • What if average lifespan is half that of a more expensive unit price option?

Think through the use case with stakeholders and develop a complete understanding about the costs hidden below the surface. Stakeholders, themselves, may not be fully considering TCO.

Keep Control over the Event

One of the greatest benefits of a strong supplier relationship is the ability to leverage that supplier’s subject matter expertise above and beyond the purchase. There are plenty of ways Procurement should utilize this expertise. Market event development is not one of those ways. Focusing on refining requirements and placing the right emphasis on TCO only works when Procurement retains control of the sourcing process.

When organizations don’t have internal expertise, they lean on incumbent suppliers to help guide them along the process. The problem here is clear: allowing an incumbent to guide the RFQ or RFP process opens the door to a conflict of interest:

  • Incumbents often propose shortened event timelines. Why? Because they already have a leg up on the competition – they understand an organization’s environment and may be working on a proposal before the event is released, giving them an advantage.
  • Incumbents emphasize artificial differentiators. Is the incumbent proposing requirements because they are critical or simply to differentiate themselves? An example here is tech development or managed services – an aging incumbent may propose years in business as a key point (touting their 30 years). However, in the world of cutting edge tech development, how important is decades of experience when tech that old isn’t even industry standard anymore?
  • Incumbents push their strengths (and hide weaknesses). Some KPIs will be more or less important to an organization. However, an incumbent may propose that KPIs they’re naturally good at tracking against are of higher importance than they should be. Likewise, they may put critical KPIs that they struggle with lower on the list.

So, how can Procurement move ahead if they don’t have subject matter expertise in-house and can’t rely on an incumbent? The best bet is kicking off the event with an informal RFI. An RFI signals to participants that an organization doesn’t know the best path forward to solve a problem and that they may have the chance to win business when the formal RFQ or RFP is released down the line.

Keep an Eye on “Why”

The concepts above may seem like common sense, so why do so many Procurement teams forget about them? When everyone on the team is focused on keeping the trains running, there’s a strong push to follow a simple path forward.

What we need to do instead is constantly question, “why?” Why are we making this purchase, why are these the specifications or scope that we’re using, why is this our go-to-market strategy? So on, so forth. By understanding the strategy behind these actions, Procurement is in a position to confirm that savings outcomes are the best they can be.

By this point, we’ve covered the vast majority of all suppliers we work with. While the last quadrant covers the fewest suppliers, they’re also the most important suppliers to our organization. In our upcoming final installment, we’ll cover how to manage Strategic suppliers.

With what feels like an exponential rise in the number of cloud-based solutions available over the last 5 – 10 years, organizations are in a better place now than they ever have been before to automate business processes. Automation might seem like a no-brainer in certain functional areas of the business, but when it comes to vendor risk management, are there use cases for introducing automation into the process?

The answer is YES!

In this article we’ll explore the 4 vendor management activities that you should automate in your vendor risk management program, but there are certainly many, many other ways in which automation can be worked into the vendor management process.

1. Inherent Risk Tiering

Often one of the first activities performed in the vendor risk management process, determining the inherent risk of your vendor relationships is key to understanding how that vendor will be assessed and managed. If this risk tiering process is subjective, you may end up tiering your vendors inconsistently. If the process is manual, you may be wasting valuable time assigning risk tiers when automation could do it for you.

Vendor risk management systems enable you to standardize your inherent risk assessment process, and also build automation in as well. For example, if you are using a point-based question and answer inherent risk assessment, you could set up point thresholds in your system to automatically assign an inherent risk level based on the assessment’s final score. Even better, you could set up logic that automatically triggers a particular inherent risk level based on an answer to a single question (for example, any time a vendor has access to PHI (protected health information), automatically trigger ‘High Risk’ regardless of the total score).

2. Due Diligence Scoping

Many organizations don’t have a good way to scope their due diligence questionnaires. Scoping means “right-sizing” the questionnaire based on the specific vendor that is being assessed (i.e., you wouldn’t send your landscaping vendor a 300-question information security questionnaire).

Best-in-class vendor management systems allow you to establish workflow rules that automate when certain questionnaires are required to be launched. For example, let’s say that your organization maintains three different vendor questionnaires – 1) a Corporate Health Assessment, 2) an Information Security Assessment and 3) a Business Continuity Assessment. Automation would allow you to implement rules such as “always send our Business Continuity Assessment to any vendor classified as ‘Critical’”.

3. Vendor Response Evaluation

The process of evaluating vendor responses to due diligence questionnaires may be one of the most time-intensive activities associated with vendor management. But it doesn’t need to be! If you scope your questionnaires and send vendors only the questions they need (#2 above) AND, if you introduce automation into the evaluation process, you’ll save hours of valuable time.

Best-in-class vendor management systems allow you to configure “preferred responses” within your questionnaires. This means that when a vendor submits a questionnaire, you will be able to quickly identify whether or not the vendor’s response to each question aligns with how you wanted them to answer those questions. Some systems even take this automation process a step further and automatically associate pre-defined risks with questions that did not meet your organization’s response standards (i.e., preferred response).

4. Continuous Monitoring of Vendors

Continuous monitoring is key to effectively managing vendor relationships. Your work as a vendor risk manager does not stop once the initial due diligence of a vendor has been completed. You need to continuously monitor your vendors to identify if any new risks present themselves.

Automation can make this a much more efficient and manageable process. There are a number of online tools out there, such as Argos Risk or Prevalent, that constantly scan for emerging threats that you may not be aware of. For example, you can configure these types of systems to send you automatic alerts when certain events occur that may increase your organization’s risk exposure (such as alerts on a vendor’s declining financial condition, lawsuits the vendor is involved in, data breaches, etc.). Working these types of automated alerts into your overall vendor risk management process drastically improves your ability to prevent risks.

Automation is no longer something that is only available to extremely large organizations with even larger budgets. You could begin automating your vendor risk management process today. Use the tips in this article to begin your automation journey!

As we all deal with the impacts to our global economy and supply chain, one thing that this pandemic has brought to light is the importance of having a Contract Management System as a primary component of your vendor management program. To mitigate risk and ensure compliance with your vendors, it is a necessity to have a contract management system to manage the full lifecycle of your agreements with these important stakeholders.

At the heart of effective contract management is having solid business processes and a contract management system, a technology platform which acts as a central repository for all of your contract documents and facilitates all of the critical activities required to author, execute and manage these important documents.

In a recent IACCM member survey ‘Impact of Coronavirus’, conducted April 7th – 10th, 2020, a total of 81% of those responding indicate that they either have or will now develop plans to implement, replace or add to contract automation.  This reinforces the importance of having a contract management system especially in the current and post Covid-19 world.

Let’s begin with a brief description of each stage of the contract management lifecycle and then highlight some important functionality found in many contract management systems. Here are the key stages of the contract management lifecycle:

Contract Request

The contract lifecycle begins when an internal business owner initiates the contracting process after they have identified a business need and selected a vendor.

Contract Authoring

This is where the business owner begins to draft the contract document to pull together all clauses, terms and conditions they believe are required.  They also identify the contract approvers and signing parties to be included in the contract.

Contract Negotiation and Approval

The draft contract is submitted to internal and external approvers and may go through a series of reviews and redlining with all required stakeholders until it is ready for execution.

Contract Execution

The final contract document is sent to the respective parties for signature, either online using a contract management system or using a manual process.

Contract Obligations and Performance

Monitor contractual obligations and service level agreements to ensure the vendor delivers on their contractual obligations, meets spending and budget limits along with adhering to all terms and conditions.

Contract Renewals & Closeout

Manage termination and renewal dates to ensure you can renew, negotiate, cancel and offboard vendors in a timely manner and on your desired terms.

As you can see from reviewing the above contract lifecycle stages, there is a great deal of work that goes into maintaining effective contract management with your vendors.  That is why we work with our clients to help them develop requirements and implement the appropriate technology, a contract management system, to centralize and automate these activities.

One of our technology partners, Gatekeeper, offers full contract lifecycle management functionality. Some of the key features of the Gatekeeper system are:

AI Extract™

Artificial Intelligence enables contract auto-creation and analysis to streamline the process of creating contract records in the system.  Simply upload a PDF or scanned contract and the AI Extract™ engine will auto-extract all key metadata and clause language.

Trained on billions of relevant data points, AI Extract™ becomes more accurate by the day. The AI Train™ engine unleashes the power of machine learning to understand your unique use-case and data set.

Workflow Engine

The Kanban workflow engine digitizes important contracting processes. Transform complex, fragmented processes into centralized, visual Kanban workflow boards. Digitize any form-based process and break down complex workflows into visual phases.

eNegotiate

A Microsoft WORD® based template and track changes solution to automate legal redlining using vendor-supplied contracts or your own.

eSign

Manage end-to-end simple and advanced eSignatures compliant with ESIGN, UETA and European eIDAS standards, fully integrated with contract records.

As you begin your contract management journey, if you need help assessing your existing contracting process and/or want assistance in procuring and implementing a new contract management system, take a look at the contract management services we provide. We are here to help!

Vendor risk assessments are an integral part of the vendor management lifecycle. You perform them initially for new vendors and on an ongoing basis for existing vendor relationships. There were times when sending a simple questionnaire to your vendors may have cut it, but times have changed, risks have evolved, and the vendor risk assessment process needs to be much more than a one-and-done questionnaire exercise.

Let’s take a look at five best practices for performing successful vendor risk assessments:

1. Scope Your Vendor Risk Assessments by Identifying Inherent Risks

Your inherent risk assessment process is what should kick off the vendor risk assessment process. It allows you to “scope” your vendor risk assessment to ensure that only relevant topics are evaluated. Scoping means that your assessment process is dynamic. Gone are the days of sending one, all-encompassing due diligence questionnaire to your vendors.

For example, if your vendor will not require access to any confidential data or access to your corporate network/systems, you may not need to perform an Information Security Assessment on the vendor. Likewise, if a vendor will provide a business-critical service to your organization, you will want to assess their business continuity and disaster recovery framework (whereas you would not perform this type of assessment on a non-critical vendor, such as your office supply vendor).

2. Define Your Standards

You’ve created your own due diligence questionnaire/vendor risk assessment (or you have decided to use an existing framework such as SIG or NIST). Great! Now what?

Having the appropriate question set is only half the battle. In order for the vendor risk assessment process to be as efficient as possible, your organization should create standards that “set a tone from the top” in order to identify how vendors should answer your questionnaires. Think of this process as essentially pre-defining the correct answer for each question, allowing you to easily identify when vendors don’t answer the way you were anticipating they would, therefore streamlining the identification of risks and/or areas where vendor follow-up may be needed.

3. Define Suggested Remediation Items

Take your vendor risk assessment process to the next level by not only identifying how vendors should answer your assessments (#2 above), but also by maintaining a predefined list of suggested remediation items (tied to specific risks) in order to directly address how risks should be resolved. This takes the guesswork out of the risk remediation process by referencing guidance (created by your organization’s subject matter experts) rather than determining the appropriate remediation activities from scratch each time a risk is identified.
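The three practices above (scope by inherent risk, pre-define the expected answer, map each gap to a suggested remediation) fit together as a small decision engine. The following is an added example written for this page, not Vendor Centric's tooling or any product's code; the inherent-risk questions, the questionnaire items, the severities and the remediation text are all constructed for illustration, and a real program would load its question set from its own or a SIG/NIST-derived questionnaire.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Any

# --- Practice 1: inherent risk drives scope --------------------------------

@dataclass(frozen=True)
class InherentRisk:
    """Answers to the inherent-risk questionnaire, captured before due diligence."""
    handles_confidential_data: bool
    has_network_or_system_access: bool
    business_critical: bool

def scope_assessment(risk: InherentRisk) -> list[str]:
    """Return the assessment modules a vendor must complete under the scoping rules."""
    modules = ["general"]  # every in-scope vendor answers the baseline module
    if risk.handles_confidential_data or risk.has_network_or_system_access:
        modules.append("infosec")  # only vendors touching data or systems get the security module
    if risk.business_critical:
        modules.append("bcdr")  # only business-critical vendors get the BC/DR module
    return modules

# --- Practice 2: pre-defined expected answers (the "standards") -----------

@dataclass(frozen=True)
class Standard:
    qid: str
    module: str
    question: str
    expected: Any      # True/False for yes-no questions, a number for a ceiling
    severity: str      # "high" | "medium" | "low"
    remediation_id: str

# Constructed question set (hypothetical IDs and wording).
STANDARDS = [
    Standard("IS-01", "infosec", "Is MFA enforced for remote and administrative access?", True, "high", "REM-MFA"),
    Standard("IS-02", "infosec", "Maximum days to patch critical vulnerabilities", 30, "high", "REM-PATCH"),
    Standard("IS-03", "infosec", "Is customer data encrypted at rest?", True, "medium", "REM-ENCRYPT"),
    Standard("BC-01", "bcdr", "Was the BC/DR plan tested in the last 12 months?", True, "medium", "REM-BCDR-TEST"),
    Standard("BC-02", "bcdr", "Recovery time objective for the service (hours)", 24, "high", "REM-RTO"),
    Standard("GN-01", "general", "Does the vendor carry cyber liability insurance?", True, "low", "REM-INSURANCE"),
]

# --- Practice 3: remediation guidance tied to each risk --------------------

REMEDIATIONS = {
    "REM-MFA": "Enforce MFA for all remote and privileged access; provide evidence within 60 days.",
    "REM-PATCH": "Commit contractually to a 30-day SLA for critical patches and report monthly.",
    "REM-ENCRYPT": "Encrypt data at rest with a documented key-management process.",
    "REM-BCDR-TEST": "Perform and document a BC/DR test; share the summary report.",
    "REM-RTO": "Provide a documented RTO of 24 hours or less, or agree on a contractual exception.",
    "REM-INSURANCE": "Obtain cyber liability coverage and supply the certificate of insurance.",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def answer_meets_standard(expected: Any, actual: Any) -> bool:
    """Yes/no questions must match exactly; numeric standards are a ceiling (e.g. 'within 30 days')."""
    if isinstance(expected, bool):
        return isinstance(actual, bool) and actual == expected
    if isinstance(expected, (int, float)):
        # bool is a subclass of int, so reject True/False explicitly for numeric questions
        return isinstance(actual, (int, float)) and not isinstance(actual, bool) and actual <= expected
    return actual == expected

def evaluate(risk: InherentRisk, responses: dict[str, Any]) -> list[dict[str, Any]]:
    """Compare only the in-scope answers against the standards and attach remediation guidance."""
    in_scope = set(scope_assessment(risk))
    findings = []
    for std in STANDARDS:
        if std.module not in in_scope:
            continue  # out of scope for this vendor: never asked, never a finding
        actual = responses.get(std.qid)
        if actual is None or not answer_meets_standard(std.expected, actual):
            findings.append({
                "qid": std.qid,
                "question": std.question,
                "expected": std.expected,
                "actual": actual,  # None means the vendor left it blank and needs follow-up
                "severity": std.severity,
                "remediation": REMEDIATIONS[std.remediation_id],
            })
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable: keeps question order within a tier
    return findings

# Constructed sample vendors: an office supply vendor and a business-critical payroll SaaS.
OFFICE_SUPPLIER = InherentRisk(False, False, False)
PAYROLL_SAAS = InherentRisk(True, True, True)
PAYROLL_RESPONSES = {"IS-01": False, "IS-02": 45, "IS-03": True, "BC-01": True, "GN-01": True}

if __name__ == "__main__":
    print("office supplier modules:", scope_assessment(OFFICE_SUPPLIER))
    for finding in evaluate(PAYROLL_SAAS, PAYROLL_RESPONSES):
        print(f"[{finding['severity']}] {finding['qid']} answered {finding['actual']!r}: {finding['remediation']}")
```

Running it shows the office supplier is asked only the general module, while the payroll vendor is flagged on MFA, on a 45-day patch window against a 30-day standard, and on an unanswered RTO question that needs follow-up, each with its pre-agreed remediation text.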

4. Don’t Rely Solely on Point-in-Time Assessments

Due diligence questionnaires are a great tool to have in your vendor risk arsenal – and they are what this blog has primarily focused on so far – but they aren’t the only tool. Due diligence questionnaires/vendor risk assessments utilize an inside-out approach, relying on the vendor to self-report the effectiveness of their controls. These types of assessments are also sometimes referred to as “point in time” because you are only assessing the effectiveness (or existence) of controls as of the time the vendor completes your assessment. What about 6 months from now? Do your vendor’s answers still apply, or are they already stale?

This is where the outside-in (or continuous monitoring) approach comes in. Using software (such as Prevalent or Argos Risk) you can access real-time data on your vendor’s business/financial health, cybersecurity posture, and compliance issues, to name a few. As a best practice, consider using a combination of inside-out AND outside-in assessment strategies to get the full picture when assessing your vendors.

5. Utilize Technology to Support the Process

Spreadsheets just don’t cut it in the world of vendor risk management. In order to have a scalable, effective vendor management program, you need to use a system dedicated to the practice of managing vendor inventories, vendor contracts, assessments, risks, issues and much more. With regard to vendor risk assessments specifically, technology supports this process by managing the distribution of assessments, collection of vendor responses, automation of risk identification and remediation strategies, and the management of any remaining residual risks.

There seem to be an increasing number of systems showing up on the market with vendor management capabilities. Take a look at our software page to see some of our most trusted partners in this space, and also check out this blog which identifies 7 elements you should consider when looking for a vendor management system.

The most important thing to consider when creating (or revising/updating) your vendor risk assessment process is to make sure it is right-sized for your organization. Don’t feel like you need to tackle everything on day 1. Get the fundamental components of your assessment process up and running, then focus on the rest. If you don’t know where to start, or just need a little help, know that Vendor Centric offers a comprehensive set of solutions aimed at helping you manage the vendor risk assessment process.

Last month I wrote about the vast scope of risk that Vendor Centric's Vendor Risk Management Program must cover throughout the business relationship with third parties in order to optimize profits and minimize risk.

Vendor Centric would be remiss in its responsibilities if it simply created a Vendor Risk Management Program without helping clients operationalize it, so that day-to-day operations with each vendor can proceed with confidence that the risk controls in place are designed for that vendor's particular needs and risk potential.

An effective Vendor Risk Management Program goes beyond basic procurement functions to deliver strategic value by optimizing vendor relationships and accountability. It is about ensuring that the day-to-day application of the program delivers the needed operational requirements to get the most from your vendor relationships. Operationalizing your Vendor Risk Management Program allows you to:

  • Ensure ongoing monitoring of compliance requirements, aligned not only to service delivery but also to vendor financial health, inherent risk and due diligence reassessments, so that the company lowers its risk of service disruption if a vendor experiences financial difficulty.
  • Give more structure to spending, saving and reporting. In today's data-driven business world, managing the organization's spending as a visible portfolio is a critical factor in determining the value created by a service.
  • Monitor vendor performance to ensure that your company gets the most out of its investment.

To bring your vendor risk management program to life, everyone in your organization must understand their role within the program and the impact they can have if their vendor relationships are not managed effectively. Regardless of your organizational structure, whether a specific function is created within procurement or a stand-alone Vendor Management Office exists, the following standards must be in place:

Governance & Oversight: Provides direction and accountability for vendor services, whether at the level of an individual, a department or the whole organization, so that appropriate measures can be taken to control cost and reduce vendor-related risk.

People, Skills & Training: Get more value from vendors by having the right level of vendor management resources with the skills and subject matter expertise needed to control costs, increase value, and mitigate risk.

Policies & Standards: Establish the scope and guidelines for the program and define key roles and responsibilities; they are an essential part of any organization.

Operating Procedures: Define the day-to-day activities stakeholders undertake to execute the program; they are a useful business tool because they communicate the correct way of carrying out an activity within your organization.

Vendor Centric looks forward to working with clients to minimize their risks through our constantly updated Vendor Risk Management Program, while always maximizing profits through our extensive services.

In April 2021, the New York State Department of Financial Services (“NYDFS”) released a report on its assessment of the SolarWinds cyber espionage attack, its impact on NYDFS-regulated entities and recommendations for reducing supply chain risk. While the primary audience for the report is NYDFS-regulated entities, there are a variety of lessons learned and recommended best practices that are applicable to any organization looking to strengthen third-party risk management.

The report begins with a background on the attack and the department’s assessment of how regulated entities responded.  But at the heart of the report are four “key cybersecurity measures” the department recommends to reduce supply chain risk.  While the recommendations don’t rise to the level of new regulatory requirements, many believe that NYDFS expects its regulated entities to adopt these measures as part of their third-party risk management program.

Here is a summary of each of the four measures.

1. Companies Must Fully Assess and Monitor Third Party Risk

While NYDFS-regulated entities are already required under the department’s Cybersecurity Regulation to conduct due diligence into the cybersecurity practices of third parties, the report emphasizes that “vendor risk management policies and procedures should include processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors.”  The focus on ‘monitoring’ is important as it recognizes that point-in-time assessments are not enough, and that higher risk vendors require continuous monitoring.

Furthermore, there is an expectation that contracts with critical vendors include provisions requiring the vendor to provide immediate notification – preferably to at least two persons in different roles within the organization – when a cyber event occurs that impacts or potentially impacts an organization’s Information Systems or any nonpublic information (“NPI”) that is maintained, processed, or accessed by the vendor.

2. Companies Must Adopt a “Zero Trust” Approach and Implement Multiple Layers of Security

Incorporating guidance from the National Security Agency, the report states that NYDFS-regulated entities should use a “zero trust mindset” when assessing supply chain cybersecurity risks. To do this most effectively, organizations should assume that (1) any software installation and (2) any Third-Party Service Provider could be compromised and used as an attack vector.

NYDFS recommends that “access should be limited to only what is needed” and systems should be monitored “for anomalous or malicious activity.” Organizations should have layers of security and extra protection for sensitive information so that if one layer is compromised, other controls can detect or prevent an intrusion.

3. Companies Must Address Vulnerabilities in a Timely Manner Through Patch Deployment, Testing, and Validation

The report emphasized that regulated entities’ vulnerability management programs should include an effective patch management strategy.  This requires having a vulnerability management program that prioritizes patch testing, validation processes, and deployment – including which systems to patch and in what order they should be patched.  Furthermore, the strategy should include performing tests of all patches to the internal system environment with defined rollback procedures if the patch creates or exposes additional vulnerabilities.

4. Companies Must Incorporate Supply Chain Risks in Incident Response Plans

Lastly, NYDFS recommends that incident response plans be detailed with procedures and playbooks – and be tested on a regular basis – to be considered effective. The department also identified the following procedures that, while not addressed directly in the Cybersecurity Regulation, should be included:

  • Procedures to isolate affected systems;
  • Procedures to reset account credentials for users of all affected assets and users of assets controlled by compromised software;
  • Procedures to rebuild from backups created before the compromise;
  • Procedures to archive audit and system logs for forensic purposes; and
  • Procedures to update response plans based on lessons learned.

NYDFS also recommended table top exercises to increase awareness and evaluate preparedness as well as ensuring that an organization’s incident response plan is aligned with its overall business continuity plan.

Final Thoughts

Regulated entities should examine this guidance closely to not only understand NYDFS’s expectations, but also identify improvements that may be necessary to their own third-party risk management policies and procedures.

More broadly, though, all organizations can learn from these findings (as well as the National Institute of Standards and Technology's (NIST) draft Cyber Supply Chain Risk Management Practices for Systems and Organizations, SP 800-161 Rev. 1) and should consider them as part of their own third-party risk management program.

When introducing the Pillars of Procurement (Role of Procurement, People & Organization, Processes, Tools & Technology, and Metrics & Reporting), I make sure to explain how each of these core elements interact with one another. It is important to note that without factoring them all in holistically you are likely to develop gaps in your approach, no matter how big or small the scope is.

  • The People & Organization pillar covers those who support the business including their development, structure, and engagement model, as well as the suppliers and stakeholders that interact with them.
  • Process captures anything that Procurement designs, sources, buys, contracts, and manages.
  • Tools & Technology enable Procurement to operate efficiently and effectively.
  • These three core pillars make up the main body of procurement, however the Role of Procurement sits at the very top. This position is crucial and intentional, because you can have the best talent in the industry, the most streamlined process, and best of breed technology, but without a solid Role of Procurement all of that goes to waste.
  • Finally, once all of the above are working in concert and designed as envisioned, it is important to validate the value of procurement through hard Metrics & Reporting. After all, to effectively become a trusted advisor, you need good data.

Procurement’s Shifting Role

The Role of Procurement will naturally shift as an organization matures through the stages of maturity defined as Laggard, Traditional, Augmented, and World-Class. At Laggard, the Role of Procurement is likely to be seen as a low-value, reactive function. Traditional procurement teams might be viewed as a necessary function offering tactical support only, not leveraged by stakeholders in a strategic manner. When procurement evolves into Augmented, the Role of Procurement is seen as adding value and beginning to play a critical role in the supply chain well beyond contract negotiations. Finally, at World-Class, Procurement is strategic, a trusted advisor to stakeholders and leadership, and has a permanent seat at the table. As you can imagine, each of the pillars will need to be managed differently as procurement matures. It's important to keep the end state in mind as procurement grows.

In order to stay the course towards that goal and meet your long-term objectives you will need to consider the four primary factors of the Role of Procurement: Vision, Interaction, Perception, and Function.

I am fortunate enough in my role to have the opportunity to educate others on all the amazing things that Procurement can do for an organization. I get to interact with individuals at all levels from the C-suite to emerging professionals and open their eyes to a world of value beyond cost savings and transactional support.

I was also recently invited to speak at ISM World in May 2021 about some of the work Corcentric has done to elevate the Role of Procurement in two separate sessions, and I could not be more excited to share my experiences and collaborate with some of my customers. To ramp up excitement for the rest of the world, some members of the Corcentric Advisory team have put together a multi-part blog series that we will release over the next few weeks as ISM World 2021 approaches on the topic of the Role of Procurement, which will be covered in one of the sessions I am presenting in.

In this blog series, we will discuss the four primary factors that define the Role of Procurement: Vision, Interaction, Perception, and Function. Stay tuned for the next blog in our series on setting the Vision of procurement.

This blog originally appeared on the Strategic Sourceror

When it comes to managing your organization’s vendors and other third parties (and the risks those companies present to your organization), paper forms, Excel and custom/home-grown databases just won’t cut it nowadays. You truly do need a software solution that is dedicated to third party risk management in order to make sure your vendor management program succeeds. But before you dive right in, take a step back and follow these best practice guidelines to ensure you select (and implement) your new vendor management system effectively.

1. Choose the right system

Before we touch on implementation best practices (which the remaining tips in this blog post address), you first need to make sure you select the right vendor management system. The market in this space used to be slim, but now there are a growing number of cloud-based systems that are dedicated to vendor and third-party risk management. Some systems may have lots of bells and whistles, while others may just cover the basics. Whichever system you choose, you need to make sure that it ultimately is capable of meeting the 7 essential elements of a vendor management system.

2. Define your operational processes

Having a system that meets all of your functional needs is, of course, a step in the right direction. But when it comes time to implement your system, you’ll need to answer questions like “Who approves that assessment?” or “Which risks trigger additional due diligence?”. Dedicate the proper amount of time on the front end to make sure that you define your vendor management process. This will allow you to document (or improve) your organization’s vendor management policies and procedures, but will also equip you with the necessary information to ensure that workflows and approvals are configured appropriately in your vendor management system.

3. Don’t tackle it all at once – Make a project plan and set priorities

Most of the big software providers in the vendor management space offer extremely robust systems. It’s impressive what modern systems are able to do, but sometimes it’s overwhelming to even imagine where to start when it comes time to configure and implement. You don’t want to end up with analysis paralysis, where you’re constantly iterating and tweaking the configuration plan before you even begin the implementation. Meet with your organization’s stakeholders (particularly those who will be impacted the greatest by your new vendor management system) and agree on what the most important near-term objectives are. From there, work with your software implementor to establish a prioritized implementation plan, configuring the most pressing functional needs first, and working towards lower priority needs later in the process (or even adding to a “future-state” roadmap).

4. Establish vendor and contract profiles

If you don’t yet have a vendor management system, take the time to determine which data fields you want to track for your vendors and contracts. Forming the appropriate “profiles” for vendors and contracts will allow you to easily report on data maintained in those profiles. On the other hand, if you already have an existing vendor management system (or maintain some type of vendor/contract profiles), use this as a time to reflect on whether or not ALL the fields you currently track are absolutely needed. It’s important to track enough data within a profile to make it meaningful, but it’s also possible to track too much data and overwhelm the users who are responsible for populating the profiles.

5. Prepare your data for import

Once you have defined the data fields that will make up your vendor and contract profiles, perform some level of “source to target” mapping. This process allows you to identify whether or not the data fields in your future-state profiles are already tracked in legacy systems, or if they are new fields that will need to be populated. Also, there’s a good chance that the format your data is currently maintained won’t align perfectly with the formatting requirements of your new vendor management system. Make sure to give yourself plenty of time on the front end to scrub/clean your data to ensure it is ready to go. This way, once you’ve configured your new system, you can simply upload/import your clean data and begin using and reporting on it!
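Source-to-target mapping is easier to reason about when it is written down as code rather than done cell by cell in a spreadsheet. The following is an added example, not Vendor Centric's code or any product's import tool. The legacy CSV export, the target profile fields (including a `data_classification` field with no legacy source) and the accepted risk-tier labels are all constructed for illustration; the point is the pattern: map columns, normalize formats, reject rows that cannot be trusted, and report which legacy columns have nowhere to go and which target fields will have to be populated by hand.

```python
from __future__ import annotations
import csv
import io
from datetime import datetime
from typing import Any

# Constructed legacy export: inconsistent tier labels, date styles and money formats,
# one column the new system will not take, and one row that is not fit to import.
LEGACY_CSV = """Legacy ID,Vendor Name,Risk Level,Contract Expiry,Annual Spend,Owner Email
V-001,Acme Payroll LLC,Tier 1,12/31/2024,"$1,250,000",jane.doe@example.com
V-002,Office Supplies Co,Low,2025-06-30,"8,400",
V-003,Cloudy Hosting Inc,HIGH,30 Jun 2025,250000,bob@example.com
V-004,Bad Data Co,Critical,soon,,
"""

# Source-to-target map: legacy column -> field in the new vendor profile (hypothetical names).
FIELD_MAP = {
    "Vendor Name": "legal_name",
    "Risk Level": "risk_tier",
    "Contract Expiry": "contract_end_date",
    "Annual Spend": "annual_spend_usd",
    "Owner Email": "relationship_owner",
}
# The target profile designed in the previous step; fields with no legacy source are new.
TARGET_FIELDS = ["legal_name", "risk_tier", "contract_end_date",
                 "annual_spend_usd", "relationship_owner", "data_classification"]
REQUIRED_FIELDS = {"legal_name", "risk_tier", "contract_end_date"}
TIER_SYNONYMS = {"tier 1": "high", "high": "high", "tier 2": "medium",
                 "medium": "medium", "tier 3": "low", "low": "low"}
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%d %b %Y")

def normalize_tier(raw: str) -> str | None:
    """Collapse legacy tier labels onto the target vocabulary; unknown labels are rejected."""
    return TIER_SYNONYMS.get(raw.strip().lower())

def normalize_date(raw: str) -> str | None:
    """Accept the date styles seen in the legacy data and emit ISO 8601."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(raw.strip(), fmt).date().isoformat()
        except ValueError:
            continue
    return None

def normalize_money(raw: str) -> float | None:
    """Strip currency symbols and thousands separators; blank is allowed (field is optional)."""
    cleaned = raw.replace("$", "").replace(",", "").strip()
    if not cleaned:
        return None
    try:
        return float(cleaned)
    except ValueError:
        return None

NORMALIZERS = {"risk_tier": normalize_tier,
               "contract_end_date": normalize_date,
               "annual_spend_usd": normalize_money}

def transform_row(row: dict[str, str]) -> tuple[dict[str, Any], list[str]]:
    """Map one legacy row onto the target profile; return the record and any errors."""
    record: dict[str, Any] = {field: None for field in TARGET_FIELDS}
    errors: list[str] = []
    for src, dst in FIELD_MAP.items():
        raw = (row.get(src) or "").strip()
        if not raw:
            value = None
        elif dst in NORMALIZERS:
            value = NORMALIZERS[dst](raw)
            if value is None:
                errors.append(f"{dst}: cannot normalize {raw!r}")
        else:
            value = raw
        record[dst] = value
    for field in REQUIRED_FIELDS:
        if record[field] is None and not any(e.startswith(field) for e in errors):
            errors.append(f"{field}: required but missing")
    return record, errors

def import_profiles(csv_text: str) -> dict[str, Any]:
    """Run the whole export through the mapping and separate clean rows from rejects."""
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []
    accepted, rejected = [], []
    for row in reader:
        record, errors = transform_row(row)
        (rejected if errors else accepted).append({"record": record, "errors": errors})
    return {
        "records": [r["record"] for r in accepted],
        "rejected": rejected,
        "unmapped_columns": [h for h in headers if h not in FIELD_MAP],
        "new_target_fields": [f for f in TARGET_FIELDS if f not in FIELD_MAP.values()],
    }

if __name__ == "__main__":
    result = import_profiles(LEGACY_CSV)
    print(f"{len(result['records'])} rows ready, {len(result['rejected'])} rejected")
    for r in result["rejected"]:
        print("rejected", r["record"]["legal_name"], r["errors"])
    print("legacy columns with no target:", result["unmapped_columns"])
    print("target fields to populate by hand:", result["new_target_fields"])
```

Rejecting a row rather than importing a best guess is deliberate: a vendor that lands in the new system with an unknown risk tier or no contract end date will silently fall out of the reassessment and renewal workflows you are about to configure.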

6. Identify and collect documents

Along with data for your vendor/contract profiles, you’ll want to think about the types of documents that you currently maintain with those profiles. For example, a vendor profile may contain documents such as audited financial statements, SOC reports or insurance certificates. A contract profile may contain fully-executed agreements, but also amendments or exhibits associated with an agreement. With regard to the implementation process, what you want to focus on is identifying which documents you want to migrate to your new vendor management system, and also where those documents currently reside (i.e., paper copies in filing cabinets, PDFs on shared drives, etc.). It may take some time to hunt certain documents down, so it’s important to do this step up-front.

7. Define user roles, and identify users

Lastly, take an inventory of how many people within your organization will need access to your vendor management system. Not only will you need to create user accounts for all of your staff who require access, you’ll also need to ensure they have the appropriate level of permissions. Each vendor management system on the market is different, but the good products all offer some level of role-based access controls (RBAC). Taking the time early in the process to think through various levels of access permissions and collect basic user info (such as email addresses) means that, once your system is configured, you’ll simply be ready to roll it out.

Whether you need help documenting system functional requirements for a new vendor management system, creating policies/procedures/workflow for a vendor management program, or simply evaluating various software providers… Vendor Centric is here to help.

The recent ransomware attack of the Colonial Pipeline has dramatically emphasized the need for Cyber Risk Evaluations and Management.

While many facts about this attack are still unknown, the primary realization, in the United States and worldwide, is that organizations must become more proficient at managing risk, and especially the risk introduced by their third-party suppliers. In the United States, the most important corporate infrastructure has been attacked. The Colonial Pipeline ransomware attack had a domino effect across the industry: chemical factories, refinery operations, gas stations, related corporations, small businesses and the public in general were all adversely affected.

Colonial Pipeline has not been the sole target. Many major corporations in the United States, from the retailer Target to the IT firm SolarWinds, have been victims of cyberattacks, and in both of those cases the attacker came in through a third party: Target through credentials stolen from an HVAC vendor, SolarWinds through a compromised build of its own Orion software (neither was a ransomware attack). Although one may never know why these companies were targeted, such incidents make the rest of the industry question whether their own controls leave them vulnerable and exposed.

Third-party relationships, by definition, present a vast array of potential risks that should be properly identified and managed before and throughout the business relationship in order to optimize profits and minimize risk.

Implementing a Vendor Risk Management Program helps an organization establish its policies, standards and procedures by:

  • Offering a framework for a standard of evaluation and management of vendor and third-party operations, identifying the types of risk in order to guard against potential losses arising from ransomware attacks on third parties.
  • Ensuring that all vendor and third-party relationships are managed in compliance with relevant regulatory requirements, and determining how far vendors must go to prevent and respond to cyberattacks, including rapid backup systems for when critical infrastructure fails.
  • Calculating the residual risks discovered during the evaluation process, then monitoring and re-assessing overall risk management to achieve maximum protection while keeping vendor relationships profitable for both sides.

No vendor risk management program can guarantee that a business will remain free of ransomware or other cyberattacks, and the world rightly fears the creativity of attackers in breaking into systems. Because of this, we must become smarter in managing our vendors and ensuring they are performing the tasks needed to protect our data. With a Vendor Risk Management Program in place, where knowledgeable due diligence is performed, controls are monitored on an ongoing basis, and third-party relationships are assessed with current cyber risk assessment technology, we can have some peace of mind that our due diligence, preparation and controls are protecting us should something happen.

Launching a structured vendor management program doesn’t happen overnight.  And it can be easy to get overwhelmed with the process. That’s why it’s so important to take a risk-based, phased approach to getting a new program up and running.  It allows you to get the basics in place in short order, and get some quick wins under your belt.

When we help a client get a new program up and running, we tackle it in three phases.  Phase 1 focuses on getting the fundamentals in place – the building blocks for the program.  Phase 2 focuses on getting the program operationalized quickly by focusing on the riskiest vendors first.  And Phase 3 provides opportunities to expand and mature the program over time.

Here is an overview of each phase.

Phase 1: Establish Your Foundation

Start by establishing your fundamentals with support from senior leadership. This ensures alignment and the right tone-from-the-top.

  • Develop your policy
  • Inventory your vendors to determine who’s in scope
  • Identify stakeholders and clarify roles and responsibilities
  • Create your core assessment tools such as your inherent risk and due diligence questionnaires

Phase 2: Get Traction and Some Quick Wins

With your fundamentals in place, get traction by beginning to assess your most critical and riskiest vendors.

  • Risk assess and categorize vendors into risk tiers
  • Start conducting due diligence with your highest-risk vendors
  • Begin tracking and remediating issues you identify
  • Start with some basic monitoring activities around performance, information security, business continuity and financial health.
  • Rinse and repeat with the rest of your vendors, starting with the next riskiest group and working your way down

Phase 3: Create a Roadmap to Mature Your Program

Finally, once you are doing the basics consistently, create a path for enhancing and maturing your program. These can include:

  • Developing contingency plans for critical vendors
  • Identifying and assessing fourth parties
  • Creating standards for contracting, termination and off-boarding
  • Auditing contracts and consolidating spend with fewer vendors
  • Assessing concentration and geographic risk

If you’re committed, you can build your foundation and start managing those high-risk vendors in 90 days or less.

Getting a new program up and running?  Download our guide on How to Kick Start your Vendor Management Program.  It provides a practical guide for getting your program up and running in as little as 90 days.


One of the most important parts of an effective third-party risk management function is creating an effective governance and oversight structure. Doing so drives accountability and ensures that the right ‘tone at the top’ is set by your board and senior management. Plus, in the past decade, regulators across most industries have made this a consistent theme in their communications about their own expectations for third-party management programs.

So, what does effective oversight of the third-party risk management function look like? Since complexity can vary based on an organization’s industry and size, I recommend that – as a baseline – a well-designed function should have the following five components.

1. Policy. The starting point is to formally document the third-party risk management policy and obtain board approval (initially and annually thereafter). This provides the framework for the program and ensures the appropriate tone at the top.

2. Lines of Defense and Accountability. Roles should be defined in all parts of the risk framework from the day-to-day business owners to the various lines of defense and senior management – if possible, placing these into performance goals also helps ensure attention is paid throughout the year.

3. Vendor Management Function. The vendor management function should be clearly defined within the organization and, as importantly, properly resourced and independent from the lines of business. Resourcing goes hand-in-hand with effectiveness, and independence ensures that business needs or “favorite vendors” don’t drown out proper risk decisions.

4. Data and Reporting. Timely reporting is crucial for effective oversight. This requires three things: leveraging technology to capture and report data, using key indicators to compare against contract standards and trends, and distributing the appropriate reporting segments to each line of defense. Further, reporting should include both quantitative data and more qualitative “color commentary” on where levels of risk are increasing or decreasing and on any inconsistency with the overall enterprise risk appetite.

5. Documentation and Rigor. Lastly, complete and accurate documentation of risk management activities should be maintained to support oversight by internal audit and regulators. Further, minutes from board, audit committee, and risk committee meetings should also be maintained to evidence discussions and actions, in case of a dispute or regulatory inquiry.

Effective oversight also requires buy-in and active support from the senior leadership team. Simply providing direction and passive support isn’t enough – accountability needs to be evident in follow-up actions. Their ability to receive and help resolve issues when escalated, and “wield the hammer” when needed, will ensure the function has teeth. Conversely,

Depending on the size and complexity of your organization, gaining the support of the senior leadership team may not be easy. Particularly since third-party risk management, and certain vendor relationships, are often controversial in terms of expense, preferred vendors, and missteps that span across multiple business lines. However, building that level of trust and support can help immensely when things go wrong – if the vendor management team knows that they have the backing of senior management, it makes difficult decisions such as terminating a contract or declaring a breach a much more confident decision.

Setting aside the regulatory guidance, if that’s possible, remember that third-party risk management creates a real strategic business advantage in the form of cost savings, solid contracts, and greater confidence that outsourcing a particular product or service will continue to go well. And effective governance and oversight of the third-party management function is necessary to make it all happen.

What value does Procurement bring to the table? I don’t mean the need to buy goods and services, or the collection of policies and SOPs that govern it. I mean you and your teammates. How important would senior leaders say your Procurement Team is to the organization?

Every Procurement team is different, but they all fall somewhere on a continuum with these bookends:

  • They are either high-impact, proactive organizational leaders…
  • … Or reactive, tactical followers that add plenty of process but little value.

So, where does your Procurement team fall? More to the point, what can you do to build a better vision to help your team mature?

The Maturity Scale

First, let’s add a couple points to our scale and define four stages of Procurement maturity:

  • Laggard/Transactional. These teams are highly reactive and focused on tactical purchasing. They exist to “check boxes” and have stakeholders jump through hoops for the sake of policy. Transactional teams generally have a net negative organizational impact.
  • Traditional/Shared Services. As teams mature, their view starts to expand. Teams in this group look beyond the transaction and start assessing the market. However, they’re often limited to three-bid-and-a-buy thinking. Focus is on reducing unit costs and managing PO processes more than anything else.
  • Augmented/Supplier Management. Teams eventually become proactive, value-adding functions by engaging in strategic sourcing initiatives and focusing on spend visibility and opportunity assessment.
  • World-Class/Supply Management. At the highest levels of maturity, Procurement teams help guide supplier relationships in a way that moves the organization forward. These teams have a seat at the decision-making table, helping senior leaders shape the direction of the organization.

Where a team lands is largely based on the strength of their vision – the ability to set a path forward that aligns with organizational goals and follow through on it.

Moving Along the Maturity Scale

How can immature teams move up this scale to become world-class? There’s no checklist that ensures this will happen (and that kind of thinking is “laggard thinking”). However, there are several questions Procurement must ask and answer along the way:

  • What metrics and reporting are we delivering to organizational leaders? Beyond churning out reports, we need to ensure we’re developing information that defines and helps solve for organizational challenges.
  • What tools and technology do we have at our disposal to enable us to operate efficiently and effectively? We can’t manage strategic work if we’re mired in the tactical.
  • How do we ensure our process has value? We need to design policy and SOP in a way that benefits the organization without adding unnecessary bureaucracy to the equation.
  • How do we define our role beyond buying tasks? We need to understand where and how to support stakeholders in achieving their goals – this often means moving beyond helping them find the best price for a purchase.

Managing Complexity & Risk with Vision

Leading organizations keep an eye on the future. They look for ways to pivot and expand their products and services to keep up with demanding markets. This change often results in a more efficient and capable organization. However, growth also leads to complexity and risk. All teams must learn to manage this complexity – or risk hampering greater organizational goals. Procurement is no different.

Jennifer Ulrich from Corcentric will be speaking at the ISM World Annual Conference in May on this topic. Her session covers how Procurement can build a vision to move beyond the tactical. Three case studies demonstrate the challenges and solutions for doing so that we’ve seen among our clients.

Need help getting your vision off the ground? Register today to attend.

This blog originally appeared on the Strategic Sourceror

Pre-pandemic, but post-9/11, risk prevention and recovery were calculated from the knowledge and experience the country had at the time: from small towns to major cities, from elementary schools to Ivy League universities, from small businesses to major corporations, Community or Business Continuity Disaster Recovery Plans had already become essential. Children had fire drills, which sadly became potential gunfire drills, to keep children and teachers safe in schools. Universities had warnings and drills to evacuate classroom and dormitory buildings to keep students and faculty safe from fire or gunfire. We had bomb shelters, tornado shelters, and evacuation routes in case of tsunamis, floods or hurricanes.

But we had no shelters from the consequences of the Covid-19 Pandemic. This is why reviewing a Vendor’s Business Continuity Disaster Recovery Plans (BCDRs) is so important at this time. An incomplete or faulty BCDR can be disastrous for any company for several reasons, all of which boil down to one basic cause: Insufficient Preparedness Planning and Training. 

Insufficient preparedness planning and training can bring the organization’s operations to a veritable halt. Depending on the magnitude of the disaster, it could either interfere with the Vendor’s business longer than allocated by the BCP/DRP, or through other unimaginable factors, such as the loss of your customer base or organizational data due to an inadequately prepared IT staff.

Vendors should be trained and drilled on the ways and means by which business can and must continue when faced with unexpected natural, economic and logistic catastrophes and/or personnel adversities.

Until now, smaller companies tended to simply run the basic risk assessments related to financial performance or to meet compliance requirements, but very rarely did they look to perform due diligence against their new or existing vendors’ BCDRs. In this new recovering business environment, due diligence in risk analysis and recovery planning is of paramount importance to comprehensively understand and safeguard the vendors against all potential vulnerabilities.

One of the newer factors resulting from the Pandemic is that the remote workplace from home has been not only successful for the continuity of both smaller and larger businesses in the world, but in many cases, it has been more profitable. Part of the risk assessment analysis should not only calculate the risks involved in remote administration and employment, but in the overall economic and financial consequences of this new environment. Although this new atmosphere may be far more profitable for many enterprises, this new environment undoubtedly will have an impact on the future of geopolitical economic climates.

Through our perceptive understanding of this new Post-Pandemic reality, Vendor Centric will continue providing our vendors with the necessary tools to help perform a robust and comprehensive risk assessment with our customary due diligence approach, to help our vendors reach a realistic Business Continuity Disaster Recovery Plan.

Vendor Centric’s goal is the same as yours, to assure your customers that your highly reputed company will remain viable and competent under both the best and even the worst circumstances, as we assist you in creating or improving your comprehensive, profoundly researched and well-developed Business Continuity and Disaster Recovery Plans.

Vendor management is an emerging business discipline, being adopted with greater frequency by companies across every industry. Part of this emergence has been a transition from a purely compliance-based function to an enterprise risk-management function, oftentimes residing outside of compliance in its own vendor management office.

But there is no one-size-fits-all when it comes to a vendor management program. Rather, every organization should scale its vendor management function to align with its size, complexity and overall risk appetite. If you are getting a new program off the ground, or are in the early stages of getting adoption within your organization, consider the best practices highlighted below.

1. Right-size your vendor management program for you.

Many companies delay starting a vendor management program because it seems overwhelming. Our advice – don’t try to boil the ocean. Get your fundamentals in place and kick things off by focusing on your most critical and riskiest vendors.

2. Set the right tone at the top.

Your leadership must buy into the fact that vendor management is a core business discipline and not a compliance function. It’s critical to have buy-in from senior management (and the Board, when applicable) for the program to have teeth, and deliver the type of measurable value it’s capable of.

3. Establish governance and engage your stakeholders.

Vendor management involves multiple stakeholders and subject matter experts from across the organization. In addition to the Business Owner who actually manages the day-to-day vendor relationship, you need to establish responsibilities across all lines of defense including risk, compliance, legal, information security and business continuity. You also need to define who is ultimately accountable at the top, and a reporting hierarchy to keep everyone informed and working together.

4. Get visibility into your vendors and contracts.

Too many organizations lack even the basic systems to know who their vendors are and what contracts they have with them. Data and documents reside in multiple places including emails, shared folders and file cabinets. You can’t run a vendor management program with incomplete and disparate data. You need a central system for storing, managing and reporting on vendor-related information.

5. Know which risks apply to which vendors.

Not all vendors are created equal, and different types of vendor relationships bring different types of risk. Vendor risk assessments and tiering are core components of your vendor management program. They allow you to know where your risks are with every vendor relationship and align your due diligence activities accordingly.

6. Don’t skimp on due diligence.

Assessing risks is only part of the process, though. Due diligence is where the rubber meets the road in terms of drilling down to really understand your risk exposure and implement the appropriate tactics to reduce residual risk. Be sure to align your activities with the risk level of the vendor – more risk always requires more due diligence.

7. Be disciplined in contracting.

Contracts are your only opportunity to legally document the business terms to which you and your vendor have agreed. Yet contracting is an inconsistent process in many organizations, resulting in unclear expectations and unnecessary risk. Your vendor management program should provide for a standard, consistent contracting process that ensures all of the necessary, risk mitigating contractual clauses are incorporated into the final agreement.

8. Establish expectations during onboarding.

Vendor management doesn’t stop once the contract is signed. Rather, that’s when most of it begins. Your vendor management program must address what happens post-contract and who will be responsible.

9. Monitor and grow the relationship like you would any other.

Developing a strong, mutually beneficial relationship with your vendor requires an investment from both of you. It also requires following a consistent process for continually evaluating performance, costs, risks and compliance. This is where the relationship can blossom and provide tremendous value, or fall flat and lead to big problems. Nurture your vendor relationships to get the most value from them.

10. Have a formal process for breaking up.

When the relationship needs to end, don’t guess on what to do next. Have a formal process for off-boarding your vendors, especially as it pertains to key contractual requirements such as transfer of assets, data, or destruction of confidential information. You don’t want to leave this stuff to chance. So don’t.

At Vendor Centric, we believe that a formal vendor management program is not a nice to have – it’s a must in today’s business environment.  If you need help creating a new program, or taking your existing one to the next level, give us a call.

 

Third Party Risk Management (TPRM) as a business function contains many moving parts – touching everything from procurement to contracting to offboarding/termination (and everything in between). There is a component of third-party risk management that is often overlooked, and that’s the concept of fourth party risk. Who are your vendor’s vendors, and what risk might they pose to your organization?

Managing your organization’s vendors from a risk, performance and compliance perspective can be a tough job in and of itself… So why bother going a level deeper and assessing your vendor’s vendors?

Evaluating fourth party risk is a good business practice. Your vendors (your third parties) may use vendors of their own (your fourth parties) to support the work they provide to your organization. The following examples help to demonstrate the concept of fourth party risk:

  • Your organization shares confidential data with one of your vendors, and they in turn share it with one of their vendors. Can you trust your vendor’s vendor (fourth party) to protect your data? Do you even know who that fourth party vendor is?
  • A vendor provides your organization with a software solution that directly supports one of your critical business functions. Without this software, your business could not operate. Does your vendor host their software on another vendor’s servers (your fourth party)? If something were to happen to that fourth party, your vendor may not be able to provide the software you depend on.

Fourth party risk is something that your organization can grow into and mature over time. Here are four tips for managing fourth party risk:

1. Create an Inventory

Before you can start managing fourth party risks, you need to identify who your fourth parties are. The best way to obtain this information is to ask your vendors directly. Have them tell you who they work with.

Be specific in what you are asking for, though. You don’t need them to provide you with a list of all of their vendors. What you really need is for them to tell you about vendors they use who have a role in delivering the product/service you are paying your third party for.

If you are looking for a good place to start, try beginning with your organization’s critical and high-risk vendors. Find out who they work with first, then work your way to vendors who are lower risk.

2. Don’t stop at just knowing who your fourth parties are

Knowing that your software provider uses Amazon Web Services (AWS) to host their software is great, but there are other (potentially more important) things you need to find out as well. Some additional detail you may want to ascertain could include:

  • Will the fourth party have access to your data?
  • Will the fourth party have access to your organization’s system and/or network?
  • Will the fourth party have access to your building/offices?

3. Address concentration risk

As you begin to build out your inventory of fourth parties, you can use the information you collect to start evaluating concentration risk as well! While there are a few different types of concentration risk to be aware of (geographic, operational, etc.), fourth party concentration is certainly an area to pay attention to.

Fourth party concentration risk occurs when many of your third parties (especially your critical third parties) all rely on the same fourth party. If that fourth party experiences a significant or disruptive business event, the third parties that rely on it may not be able to provide the goods/services you need.

4. Ask how your vendors manage their vendors

Aside from asking your vendors to tell you which vendors they work with, you also should ask them about their own business practices for managing their vendors. In other words, what does their Third-Party Risk Management (TPRM) program look like? Here are some questions to consider:

  • Does your vendor have a formal TPRM program?
  • Ask your vendor to provide copies of their TPRM policies and procedures.
  • Does your vendor review and update its TPRM policies at least annually?
  • Does your vendor provide any type of TPRM training to its staff who engage with vendors?

The goal of this exercise is not to audit your vendor’s TPRM program and tell them to make improvements if you don’t agree with something. Rather, it’s to allow you to obtain a level of comfort with regard to how your vendor manages their own third-party risks.

You may also want to consider asking your vendors to provide evidence that they performed certain risk management activities (a “trust but verify” exercise). In addition to asking them for a copy of their TPRM policies and procedures, you could also ask them to provide a copy of a recent risk assessment and/or due diligence assessment they performed for one of their vendors.

As mentioned earlier, fourth party risk is not something that organizations with newer TPRM programs typically assess. However, it is certainly an area of risk you do not want to ignore. So, as your TPRM program matures over time, fourth party risk should be an area of focus for you to develop and/or improve.
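The first three tips above (build the inventory, capture what access each fourth party has, then look for concentration) amount to a small data exercise once the answers come back from your vendors. The following Python is an added example that is not part of the original post or of any vendor management product: it builds a constructed inventory with hypothetical vendor names, inverts it to see which third parties share a fourth party, flags fourth parties that several critical or high-tier vendors depend on, and lists the entries where the access questions from tip 2 have not yet been answered. The tier names, access categories and threshold are assumptions for illustration.

```python
"""Fourth-party inventory and concentration analysis (added example).

All vendor names below are constructed, hypothetical sample data; a real
program would load the inventory from the vendor management system.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Access categories mirror the three questions in tip 2 (assumed labels).
ACCESS_TYPES = {"data", "network", "facility"}

# Tiers treated as "critical" for concentration purposes (assumption).
CRITICAL_TIERS = {"critical", "high"}


@dataclass
class ThirdParty:
    name: str
    tier: str  # e.g. "critical", "high", "medium", "low"
    # fourth-party name -> set of access types, or None if the vendor has
    # not yet told us what that fourth party can reach (tip 2 unanswered).
    fourth_parties: dict = field(default_factory=dict)


# Constructed sample inventory (hypothetical names).
INVENTORY = [
    ThirdParty("CoreBankingCo", "critical", {"CloudHostA": {"data", "network"}}),
    ThirdParty("PayrollPro", "critical", {"CloudHostA": {"data"}, "MailRelayB": {"data"}}),
    ThirdParty("HelpDeskSaaS", "high", {"CloudHostA": None, "ChatWidgetC": {"data"}}),
    ThirdParty("OfficeCleaners", "low", {}),
    ThirdParty("DocScanInc", "medium", {"ShredCoD": {"facility", "data"}}),
]


def invert_inventory(inventory):
    """Map each fourth party to the third parties that rely on it.

    Result: {fourth_party: {third_party: (tier, access_set_or_None)}}
    """
    by_fourth = defaultdict(dict)
    for tp in inventory:
        for fp, access in tp.fourth_parties.items():
            if access is not None and not access <= ACCESS_TYPES:
                raise ValueError(f"unknown access type for {tp.name} -> {fp}: {access}")
            by_fourth[fp][tp.name] = (tp.tier, None if access is None else set(access))
    return dict(by_fourth)


def concentration_report(inventory, threshold=2):
    """Fourth parties shared by at least `threshold` critical/high third parties.

    Each entry is (fourth_party, sorted dependent critical third parties,
    union of the access types recorded for that fourth party), ordered by
    number of critical dependents, descending.
    """
    report = []
    for fp, dependents in invert_inventory(inventory).items():
        critical = sorted(n for n, (tier, _) in dependents.items() if tier in CRITICAL_TIERS)
        if len(critical) >= threshold:
            known = [a for _, a in dependents.values() if a is not None]
            report.append((fp, critical, set().union(*known)))
    report.sort(key=lambda r: (-len(r[1]), r[0]))
    return report


def data_access_gaps(inventory):
    """(third_party, fourth_party) pairs where access detail is still missing."""
    return [(tp.name, fp) for tp in inventory
            for fp, access in tp.fourth_parties.items() if access is None]


if __name__ == "__main__":
    for fp, deps, access in concentration_report(INVENTORY):
        print(f"{fp}: relied on by {len(deps)} critical/high vendors {deps}; "
              f"recorded access: {sorted(access)}")
    for tp, fp in data_access_gaps(INVENTORY):
        print(f"Access detail not yet captured: {tp} -> {fp}")
```

On the sample data the report singles out the one hosting provider that three critical/high vendors share, and separately shows that one of those vendors has not yet said what that provider can reach. Raising the threshold, or adding tiers to CRITICAL_TIERS, is how you would tune this as your inventory grows from the critical and high-risk vendors outward.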

 

Most organizations deal with a large number of suppliers on a daily basis. We’ve examined three different groups of these suppliers throughout this series – check out the links below for any you may have missed:

  • Non-Critical Suppliers – Procurement can cut costs if we can avoid wasting time on high-volume, low-spend purchases. These purchases cost more in our time and energy than the price of the buys, themselves.
  • Bottleneck Suppliers – Procurement can cut costs by taking back negotiating leverage held by these suppliers (but should more likely attempt to reinforce the supply chain here).
  • Leverage Suppliers – Procurement can cut costs by fully leveraging our stronger position at the negotiation table to drive down prices.

Together, these three categories contain the vast majority of our suppliers. The final category is significantly smaller than any of the others – yet is much more important. Today, we’ll review our Strategic Suppliers. These suppliers sit at the upper right-hand corner of our Kraljic matrix (shown below for the last time in this series), the highest point of supply risk and profit impact:

Up to this point, much of the cost-cutting strategies we’ve discussed take place in the short- to medium-term. Impacts to this quadrant, however, can have a lasting impact on our organizations for years to come.

Strategic Supplier Relationships

Suppliers in this quadrant all share some big-ticket commonalities:

  • First and foremost – the products we buy from these suppliers shape our organizations. The way we conduct business and the final product we offer to our own customers rely on these suppliers.
  • There is a natural scarcity in the market. Not many suppliers can deliver these products, and there will likely be significant variation between offerings. Replacing suppliers will not be “plug and play.”
  • Relationships here last years, sometimes decades.

Examples here are simple. If you make cars, this is your engine. If you build computers, this is your processor. If you’re Kenny G, these are the smooth, buttery sounds flowing out of that sax and into your local elevator or weather channel playlist.

A huge part of the products we buy from these suppliers is the subject matter expertise held by their teams. As talented as a Procurement team may be, we will not match the insights these suppliers can provide. Instead, we should do what we can to leverage this SME.

Promote Integration with Suppliers

Points of negotiation leverage are much more fluid and balanced here than in other quadrants. Buyers don’t have a lot of options in the market and would have trouble substituting a competing product. Likewise, suppliers often can’t risk losing big-ticket customers. Rather than trying to think in terms of leverage (or a lack thereof), we’ll need to shift focus towards developing a partnership.

  • Bring suppliers into company activities. For example, train their personnel on your team’s processes and brainstorm how they could be more supportive of any weaknesses. Where along your workflow could they be better ingrained to build process efficiencies?
  • Develop joint partnerships. Your organization is heavily invested in the products these suppliers offer – further investment in joint R&D for product redesign or new service offerings will take an already key product and tailor it to your organization’s specific use while further orienting the supplier to better serve your needs.

Monitor the Relationship

Long-term relationships tend to lose our attention over shorter periods. If a supplier appears to be delivering consistently, why check up on them every month considering they’ve been a supplier for a decade, right?

This is a slow-moving trap that many organizations fall into. Think about the story of the boiling frog. Put a frog in a pot of boiling water and it jumps away – put that same frog in cool water while slowly raising the temperature and it won’t even notice. At the end of the day, issues that build up incrementally grow into big problems that all too often fly under the radar until too late.

  • Watch your SLAs and KPIs like a hawk. Now is the perfect time to take a look at your supplier’s obligations and make sure they’re living up to them. If you haven’t developed any KPIs or monitoring processes, start thinking through what measures define success or failure, and how Procurement can go about confirming a supplier stays on track.
  • Stay rigid with scheduled check-ins. It is common for quarterly reviews to get pushed back, shortened, or skipped altogether years into these long relationships. Don’t let it happen. Likewise, stick to the agenda even if it feels “done to death” over the years: These meetings are to reconcile today’s performance, not recounting the good years of the past.

Move Beyond the End Point

It is too easy to consider suppliers only in terms of their product delivery. In fact, this makes sense for some other quadrants – not so for Strategic suppliers. Procurement should fully consider these critical suppliers’ operations.

  • Know what their BC/DR strategy is and understand their risk level. Your organization likely spends plenty of money making sure operations aren’t interrupted if and when disaster strikes. However, can your supplier say the same? A chain is as strong as its weakest link – and strategic suppliers are a very important link. Review business continuity and disaster recovery plans with suppliers. If your organization is much stronger here, work to have your own resources help guide the supplier in revising policy and procedure.
  • Understand where the product you rely on fits within the supplier’s portfolio. Sure, this product is critical for you to buy… but is it just as critical for your supplier to sell? Are they planning to make changes to better serve the market… but to your organization’s detriment? Are they pivoting their business away from your product and towards another entirely? If either ends up being the case, we can help our organizations align our own business to either shift alongside these changes… or begin the process of finding a replacement. Given the large influence these products have, however, we can’t do either if we don’t see this change coming.

Bring in the Whole Organization

The key to successfully improving Strategic relationships is bringing the whole organization into the initiative. Procurement, alone, can’t have a big enough impact to move the needle. The importance of these relationships, and the wide-reaching impact they have, requires buy-in and commitment from upper management on down to the front-line stakeholders who directly work with these products.

As we wrap up this series, I’d like to extend this notion to all four quadrants – “business as usual” can often be a euphemism for complacency. Our organizations may have spent years approaching procurement activities and supplier relationships in the same tried-and-true way. Trying to move from autopilot to thoughtful, deliberate decision-making will be met with resistance. Why? Because we’re asking for more time spent and more attention paid to something that stakeholders don’t even see as an issue.

Yet this is what Procurement must do. This is a monumental task during the good years when business hums along – however, this year is not shaping up to be one of those years. If we can take just a small silver lining from everything happening in the world, perhaps it is that Procurement has a direct example of just how much uncertainty we face – and how we can work to address it.

This blog originally appeared on the Strategic Sourceror

When discussing vendor management, the term “assessments” is one that is almost solely used in conversations around assessing controls and risks with your vendors. This includes initial and periodic inherent risk assessments, as well as the related vendor due diligence assessments.

But remember. Assessments don’t apply only to your vendors. They also apply to you, and your need to self-assess your own policies, procedures and internal controls and how well they are performing.  For example, a common gap in many vendor management programs is not keeping policies and procedures updated with changes in regulatory requirements.  Having stale, outdated policies and procedures exposes you to unmanaged risks and the potential for non-compliance findings by your auditors or regulators.

So, it’s important to not only regularly assess your third-party vendors, but regularly assess your vendor management function too.  Let’s look at four common assessments you should be conducting on a routine basis.

Control Assessments – Are the controls you’ve put in place effective and performing as designed? You may be surprised to learn that certain portions of your existing program, while well crafted, do not match your actual business practices – “we think we’re doing X; we’re actually doing Z”.  Reviewing your vendor management function from a control standpoint ensures established policies and procedures are being followed correctly and consistently – across the entire organization.  Testing your controls to identify gaps (before your auditors do) will allow you time to consider (and test!) remediation strategies, update your procedures and even anticipate what your auditors/examiners may find.  An ounce of prevention will save you a lot of headaches down the road.

Efficiency Assessments – Are you working hard and working smart?  Are you spending unnecessary time and resources on activities yielding little results? Looking for opportunities to bring needed changes to processes can save immense amounts of time and frustration, and lead to much better results. Performing a regular review of your questionnaires, procedures and systems can yield real improvements in ROI, as you get to compare best practices, best quality and quantity, best service provider relationships and also avoid autorenewals of contracts you wanted to get out of.

Maturity Assessments – How defined is your program and its practices?  Have new risks emerged that you need to manage? Vendor relationships and risks change constantly, so you can’t ‘set and forget’ your vendor management program.  Maturity assessments allow you to baseline your program against current, best-in-class models and create a prioritized roadmap to strengthen and continually mature your program.

Regulatory Assessments – Does your program comply with all of the latest regulations?  One of the biggest challenges is simply making sure that your practices are solidly based in the regulatory guidance.  Regulations change or, even if they stay the same, regulators annually place an emphasis on certain areas (e.g., cybersecurity and 4th parties are big focus points right now). Performing a regular review of your program against the latest regulations and areas of focus is necessary to ensure your policies and procedures stay compliant.

Investing the appropriate time, talent and resources into regular assessments of your vendor management program is the most cost-effective way to identify and eliminate small problems before they become big ones.  Assessments allow you to confirm which practices are working well, and which ones need improvement.  Think of it as you would your annual physical examination by your doctor.  An ounce of prevention truly is worth a pound of cure. Equally important, your regulators expect to see routine assessments and the related documentation of action steps taken.

Procurement, like any business function, has to continually deliver value. Best-in-class procurement organizations plan and execute well, engage with stakeholders and consistently show that the vendors being selected are providing the best overall value to the company.

That’s why project management is such a critical part of procurement. As procurements increase in size and complexity, there are simply more activities, stakeholders and risks that need to be identified and managed. Having a procurement Project Manager integrated into the procurement process significantly increases the odds of not only a successful procurement, but also an on-time, on-budget implementation.

There are six important responsibilities the Procurement Project Manager undertakes:

1. Initiating the Project.

When there is a new procurement, a Project Manager should be assigned so they can kick off the procurement project. This includes getting the initial stakeholders together to understand the scope and objectives for the procurement, and to discuss high-level expectations and timelines for the project.

2. Creating the Procurement Plan.

Establishing a comprehensive procurement plan is an important role the Project Manager plays to define expectations and align stakeholders. An effective procurement plan covers not only the process for procuring the goods, technology, or services but also the post-procurement activities required to effectively transition into the business operations. The transition plan may not come until after a vendor/solution is selected, but it’s a critical part of the overall success of the project as that’s where the rubber hits the road.

3. Coordinating Internal Stakeholders.

Large, complex procurements nearly always have many internal stakeholders. This starts with the Business Owner who initiated the procurement and the personnel who will actually use the product or service, as well as other stakeholders from information technology, information security, compliance, legal, and finance. The PM’s role is to ensure that all relevant stakeholder groups have been identified and that they are engaged at the appropriate times throughout the procurement process.

4. Coordinating Vendors.

In addition to coordinating your internal stakeholders, your vendors need coordination too. Multiple vendors may be involved during the procurement process, and each vendor may have multiple personnel involved. The Project Manager’s role is to ensure each vendor has identified their own project manager who will serve as the single point of contact throughout the procurement and to coordinate with those PMs to schedule meetings/demos, obtain proposals, get questions answered, and facilitate the contracting process.

5. Communicating Responsibilities and Updates.

Keeping all stakeholders on track during the procurement process is a necessity if you want to hit your deadlines. The Project Manager is responsible for determining what information is important to communicate, collecting that information from the appropriate stakeholders, and packaging and distributing it at the right times. Weekly email updates, project status reports, and face-to-face meetings are all forms of communication channels that the Project Manager can use throughout a lengthy procurement project.

6. Supporting Implementation and Transition.

Once the procurement is complete and a contract has been signed with a vendor, the Project Manager plays a critical role in supporting the Business Owner during the implementation of the project and, ultimately, transitioning the software/services into operations. The PM assumes many of the same responsibilities as during the procurement process such as planning, coordination, and communication, but is now focused on the implementation of the solution rather than the selection of the vendor. The PM also provides a bridge between the procurement process and the implementation process, ensuring that there is a continuity of knowledge and expectations throughout the entire cycle.

Depending on the size of your organization, identifying your procurement project manager may (or may not) be easy. If you’re fortunate enough to have a central Project Management Office (“PMO”), or your procurement department has project managers on staff, you’re in good shape. However, if you’re like many mid-sized and smaller organizations, you may need to pull your project manager from the business unit or, for more complex procurements, hire a specialist to run the procurement for you.

Also remember, not every procurement needs a project manager. Assess the scope and complexity of your procurement to identify when you really need one.

The vendor management process consists of a lot of moving parts. Your budget, available resources and level of expertise on the topic can all play a role in determining exactly what your vendor management process looks like.

The good news is that, regardless of your industry, regulations you need to comply with or your organizational structure, you can put your mind at ease by following this simple best practice – Align your vendor management process with the vendor management lifecycle (i.e. the stages of your vendor relationships). Here’s how:

  1. Procurement – Don’t wait for a vendor contract to start managing your vendor relationships. Once a business need is identified and your organization begins the search for vendors/third parties, you should begin planning to manage the selected vendor (especially from a risk perspective). Your vendor management office (VMO) can help to ensure that business requirements have been defined so that the right vendor/solution is ultimately selected.
  2. Risk & Due Diligence – Once you’ve down-selected your prospective vendors (i.e. identified finalists or even a winning vendor), make sure you have a process in place for assessing the inherent risk that exists in the vendor relationship. Based on the inherent “riskiness” of the vendor (specifically, the products/services they will be providing), you then need to perform the appropriate level of (risk-based) due diligence before you enter into a contract with the vendor.
  3. Contracting – Now that you’ve assessed inherent risk and performed due diligence, you can confidently enter into a contractual relationship with your selected vendor. It is imperative that you perform your risk/due diligence assessments prior to contracting. This way you can address any residual risks that remain (after performing due diligence) in the contract with the vendor. The goal of this stage of the vendor management process is to negotiate high-value, low-risk contracts.
  4. Onboarding – You can’t just assume that once a contract is signed with your vendor that everything will fall perfectly into place. You need to have a consistent process in place to ensure that vendors are integrated into your operations in a controlled manner. Vendor onboarding activities include things such as setting up a profile for the vendor in your vendor management system, ensuring that the vendor is set up in your accounts payable system, and assigning an internal stakeholder with ultimate responsibility/accountability for the vendor’s performance and risks associated with the vendor relationship (this role is often referred to as the “Vendor Relationship Owner”).
  5. Ongoing Monitoring – This stage of the vendor management process includes managing costs, performance, risks and compliance requirements throughout the term of the vendor relationship. Ongoing monitoring activities in this stage of the process include performing periodic risk-based due diligence, conducting performance reviews of the vendor and utilizing continuous monitoring solutions to obtain real-time data intelligence about your vendors.
  6. Offboarding – Ending a vendor relationship might sound like an absolute/final part of the process, but it can actually expose your organization to serious risks if not performed in a formal and consistent manner. The vendor termination and offboarding process should ensure that you properly “de-risk” the vendor relationship by doing things such as disabling the vendor’s access to your network/systems, ensuring that data provided to the vendor is returned or destroyed and ensuring that any assets lent to the vendor (e.g. computers) are returned.

Align your vendor management process with this lifecycle approach, and you’ll be effectively managing your vendor relationships in no time!

Building out a business case for Procurement may seem like a daunting, albeit necessary, task in order to expand your team, capabilities, or tools. Whether your organization places strong emphasis on the value of Procurement, or is yet to fully embrace a holistic Procurement program, the right metrics can be an important asset in developing a business case and telling the story of Procurement. Let’s take a look at some of the important metrics to track when building out a business case for your team or organization.

Spend Under Management

Spend under Management is an important number to track for any Procurement organization, as it can be directly tied to the amount of influence your team can extend, the amount of hard dollar savings you can capture, and an indication of reporting and tracking abilities. A firm grasp on your Spend and budgeted Spend can help better plan and forecast for upcoming years and savings projections. Moreover, if you have the ability to track and monitor the control your organization has, you can actively contribute to the bottom line of the organization and work toward enhancing your position within the organization. In short, Spend under Management is a good place to start when looking at your current program.

Cycle Time

Cycle time is the measure of how long a certain task or activity takes to complete its full life-cycle. An example would be the time from Purchase Requisition to Purchase Order, or the time to negotiate a contract. While cycle time won’t directly contribute to your bottom line, it is an important measure of how efficient your team or program is in its current iteration. Additionally, the sooner you execute on a project (e.g. sign a contract, approve a proof of concept, etc.), the sooner you implement savings. Build your business case by presenting your team’s efficiencies, or highlight areas for improvement. As an added bonus, sort or segment your cycle time by supplier, category or spend amount for more granular metrics; this can come in handy when working on a Supplier Relationship Management program or category planning.

Cost Savings and Avoidance

Most Procurement professionals will agree that cost savings is a major value proposition for Procurement, but an often overlooked component is cost avoidance. Savings are the negotiated savings and discounts that appear on the bottom line (note that you will want to establish a baseline to measure your savings against), while avoidance is the soft-dollar savings that don’t necessarily appear on any bottom line, at least not without some data sorting and manipulation. Measuring cost avoidance can be tough, so when building your business case I recommend highlighting the areas of potential added cost and risk and calling out the types of problems that may arise (delays, product specification issues, added costs or services). Once your team is mature enough to calculate a measurable number for cost avoidance (again, you may want a baseline, or a case study involving significant delays or problems), this will only strengthen your narrative. Some organizations place significant emphasis on cost avoidance and count these numbers with their savings; this only adds to your realized savings, so count that as a win!

These measurables are only the beginning, and you and your team should establish what is most important to you as an organization. If speedy deliveries are crucial for your business and/or supply chain, then certainly track on-time and delayed deliveries. Once you’ve established a firm grasp on these metrics, consider expanding your current data set and look for ways to gather more granular metrics (cost-per-PO/invoice, opportunity costs, etc.). Congrats if you are currently capturing any of these metrics; this shows you have strong reporting capabilities. Now it’s time to put those metrics to good use and build a business case to expand your influence within your organization!

This blog originally appeared on the Strategic Sourceror

I have enjoyed the opportunity to write numerous blogs over the last year on the topic of Contract Lifecycle Management (CLM). This blog will focus on the important issue of Contract Lifecycle Management Risk. Many people may overlook this important area of risk, but as I learned from a legal colleague, the contractual document must be used to appropriately balance and assign the risk between the two parties in any legally recognized relationship.

When exploring Contract Lifecycle Management Risk, I will assess it across each stage of the Contract Lifecycle including:

  • Requests
  • Authoring/Negotiations/Approvals/Execution
  • Performance & Compliance
  • Renewals & Closeout

Below are more details on the risk associated with each of the Contract Lifecycle stages:

Request

Of course, the contracting process begins when a procurement or other stakeholder is interested in securing a relationship with a new or existing vendor. What is often times overlooked is how risk can be identified and mitigated at the very beginning of the process.

Key risk mitigation factors to consider:

  • Make sure your contracting process aligns with your third-party risk management policy and process
  • Ensure you have the controls in place to begin identifying and mitigating risk before the contracting process gets underway
  • Identify risk ‘deal-breakers’ early in the process so you don’t waste time working on a contract that ultimately doesn’t get executed

As I often say, “Time is the Currency of our Life” so any wasted time does present a risk and cost to your organization.

Authoring/Negotiations/Approvals/Execution

If your team has done their job during the request stage, then this next phase is where you have the ultimate responsibility and influence over how you can mitigate your risk within the contract you author, negotiate, approve and execute.

Key risk mitigation factors to consider:

  • Ensure you have a comprehensive set of contracting standards
  • Once the agreement is signed, it is more difficult to deal with risks that come up during the delivery of the contract if they have not been included in the written contract
    • You need to make sure you agree in writing about how the risks will impact both parties and which party bears specific responsibility for a given risk and the resulting response if indeed it does arise
    • Here is where Service Level Agreements (SLAs) can be an important addition to every contract. Establishing clear requirements is critical to minimizing risk
  • Have appropriate approval authorities in place to ensure you have the necessary stakeholders (i.e., Subject Matter Experts) involved throughout this stage
    • This will ensure the agreement that gets executed has effectively addressed and mitigated all of your potential risks
  • Automate the entire Contract Lifecycle Management process by using a Contract Management System (CMS) to streamline these processes
    • This will eliminate the added risk of lost time which will have a negative impact on your speed to market and competitiveness

Performance & Compliance

Once the contract is executed, the important work of managing performance and compliance associated with the vendor and your working relationship begins. Having Service Level Agreements (SLAs) in your contract will enable you to effectively manage performance and compliance issues between you and the vendor.

Without SLAs or specific language in the contract detailing the performance and compliance responsibilities of the vendor, you will be at risk of the following:

  • The vendor doesn’t deliver the required or expected service in the contract
  • The vendor doesn’t accurately bill you with the contracted pricing
  • The vendor doesn’t provide the quality of service or support required in the contract
  • The vendor doesn’t abide by their compliance requirements in the contract

Many organizations handle this stage in an ad-hoc manner and it is no surprise that these organizations feel like they are ‘fire fighters’ constantly reacting to unforeseen problems vs being program managers proactively managing to legally agreed upon services, pricing and performance.

Renewals & Closeout

This is a stage that can ultimately present significant risk, unnecessary costs and a lost opportunity to renegotiate the terms of a contract. I have heard too many times from prospects and clients that their organization has had contracts auto renew without anyone knowing it. In one case, I heard of a six-figure contract auto renewing and the organization had not even fully received the benefits from the initial term of the agreement.

Key risk mitigation factors to consider:

  • Have notifications and controls in place to ensure you are proactively managing all of your auto renewable contracts
  • Take the opportunity to renegotiate terms and conditions in advance of renewing a contract, with particular attention to strengthening your risk posture, SLAs and related improvements to the contracted relationship
  • When you close out contracts to end a relationship, follow the language in the contract to ensure the vendor’s responsibilities to return all protected data or other confidential information is met. This will ensure you are fully protected against any future misuse

In Conclusion

The risks outlined above can all be effectively mitigated by ensuring you have:

  • Comprehensive contracting standards, approval authorities and controls in place
  • Contracting standards that are fully aligned with your third-party (vendor) risk management and procurement policies
  • A system to automate the full Contract Lifecycle Management
  • Commitment across your organization to consistently engage with your vendors to actively manage the relationship as it is agreed upon in your contract

No matter where you are on your contract lifecycle management journey, here are the Contract Management Services we provide. In addition, we are an authorized consulting partner for Gatekeeper, a best-in-class Contract and Vendor Management system. We are here to help!!

One of the questions I get asked often is “Where does vendor management sit on the organizational chart?” And the response I always give is, “It depends”.

Ideally, vendor management is totally independent of the lines of business. Without saying it explicitly, the more recent regulatory guidance, such as OCC Bulletins 2013-29 and 2020-10 and FDIC Financial Institution Letter FIL-44-2008, certainly urges that, since accountability belongs to the board and senior management. So, much like the compliance function, vendor management should be independent of the lines of business.

Recent surveys have shown that there is a real push toward independence and accountability rather than potentially subject to the whims of the business needs. That’s important, because when action is needed, there must be a sustained response, rather than a wink and a nod. By establishing its independence and direct reporting relationship, vendor management has an equal voice at the table, a vote in committees, and relevancy. Ideally, vendor management is formally chartered and subject to audit requirements – that’s accountability in action.

Practically, however, vendor management often lives within an existing business unit like legal, compliance, risk, procurement or IT. From a compliance perspective, vendor management often actually helps to fulfill some BSA / AML requirements, and support compliance with other regulatory requirements specific to third-party management. So, perhaps the better question is “How do vendor management and compliance work together to be most effective?”

In the best organizations, vendor management and compliance have a hand-in-glove relationship. Compliance establishes the principles and priorities for regulatory compliance, and vendor management aligns its own policies and procedures to support those related to third-party oversight and management. Doing this effectively requires establishing clarity between the roles and responsibilities of the two functions, regular reporting on key compliance measures and a consistent cadence to meetings and communications.

The absence of problems can often be the best indicator of success. Or it can mean the problems are lurking but just haven’t been uncovered yet. So, keeping vendor management on the same playing field as compliance is an absolute requirement in today’s industry. The perils of lapses – whether in the form of enforcement actions, additional regulatory scrutiny, avoidable cybersecurity issues, and reputational harm – are all too costly; addressing them

I’m a credit union, do I really need to be concerned with OCC standards on third party risk management, or FDIC?

The simple answer is, “Yes”.

While the National Credit Union Administration (NCUA) has not issued authoritative new guidance on third party risk management since 2007, you’d better believe they are examining well beyond those standards.

Why is that? Well, for starters, the Consumer Financial Protection Bureau (CFPB) has stated their authority to directly oversee and examine the activities of third party service providers (woe to the NCUA or a credit union who is caught asleep at the wheel if the CFPB finds problems with one of their third parties).

Second, the Federal Financial Institutions Examination Council (FFIEC) is the body charged with setting a level playing field of standards for all exams, including credit union exams. In other words, the regulators compare notes: the NCUA is every bit as much a regulator participating in the FFIEC as the OCC, the FDIC, etc. One of the hot topics is cybersecurity, and it is a safe guess that they aren’t using 2007 standards to regulate 2020 breaches.

So, whether you’re a money center bank or a small credit union, while the degree of expectations may change and regulatory guidance may lag, there is true risk to letting your guard down. If you manage to the most stringent guidance, you’ll always be on the cutting edge from a business practices standpoint and hopefully keep your examiners happy as well.

Not sure your program is up to standards? We help to review and update your documentation.

If you go back just 10 years, the topic of cybersecurity due diligence wasn’t a question on the minds of many companies. But after the infamous Target data breach (which came through an HVAC contractor, no less), it became front page news. Fast forward to today’s headlines, and the SolarWinds hack is everywhere. Some are touting it as “potentially the biggest intrusion in our history,” and it came through a third-party vendor.

Fundamentally, cybersecurity needs consideration in nearly all of our vendor relationships. However, one-size-fits-all due diligence does not work: you aren’t going to ask the landscaping company for the same information as your core processor (obviously a hyperbole, but a salient example). Let’s think about a few you may not have considered:

  • your shred company (hey, they roll all of your confidential information out the doors every day or week- what are their underlying info sec policies and hiring procedures?);
  • your landlord (they have after-hours access to your building, unescorted, unsupervised… hmm);
  • your marketing company (can they re-market your customers post-contract? Are they complying with GDPR, CCPA and similar regulations?)

So, the first step is to determine which vendors even require cybersecurity diligence. This is accomplished through your inherent risk assessment process, where you identify the type and scope of data to which the vendor will have access. Then, for those that do require diligence, it should all be risk-based. The more risks they present to your own cybersecurity, the more due diligence you’ll need to do.

Most companies use some type of tiering of their cybersecurity due diligence questionnaires to align the scope of questions with the level of risk. The type of cybersecurity due diligence you perform should always align with the level of risk the third-party vendor presents to your company. Some of the common categories of cyber risk activities to assess can include:

  • Cybersecurity strategy – risk management, organization and governance, policies, standards, audit and compliance
  • Management – asset management, architecture management, controls management, personnel management and third-party vendor management
  • Operational activities – threat management, vulnerability management, security operations, incident response and service restoration
  • Core activities – end user protection, access management, data protection, endpoint security and facility security
  • Cybersecurity incidents – data loss/theft, fraud, disruptive attacks
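The inherent-risk assessment and the tiered questionnaire described above can be made mechanical so that every vendor is scoped the same way. The following is an added example, not code from the original post or from any vendor management product: it scores a vendor on the class of data it can reach and the kind of access it is given, maps the score to a diligence tier, and returns which questionnaire modules (named after the five categories listed above) that tier must answer. The factor weights, tier thresholds, module assignments and sample vendors are illustrative assumptions; the point is the shape of the rule, including the floor that keeps regulated data or privileged access from ever landing in the lightest tier.

```python
"""Risk-based tiering of cybersecurity due diligence (added example).

The weights, thresholds and module lists below are hypothetical choices
made for illustration; they are not taken from the original post.
"""
from dataclasses import dataclass
from enum import IntEnum


class DataClass(IntEnum):
    """Most sensitive class of data the vendor can see or hold."""
    NONE = 0          # no organisational data at all
    INTERNAL = 1      # internal but non-sensitive
    CONFIDENTIAL = 2  # confidential business information
    REGULATED = 3     # customer PII or other regulated data


class Access(IntEnum):
    """Most powerful form of access the vendor is given."""
    NONE = 0
    PHYSICAL = 1      # unescorted access to premises (landlord, shredder)
    NETWORK = 2       # VPN, API or file-transfer connectivity
    PRIVILEGED = 3    # administrative rights on systems


@dataclass(frozen=True)
class VendorProfile:
    name: str
    data: DataClass
    access: Access
    business_critical: bool = False    # an outage would halt a key process
    uses_subcontractors: bool = False  # fourth parties deliver part of the service


# Questionnaire modules, one per assessment category in the post.
ALL_MODULES = ("strategy", "management", "operations", "core", "incidents")

# Modules each tier must answer (hypothetical tiering).
TIER_MODULES = {
    0: (),                                               # no cyber diligence needed
    1: ("strategy", "incidents"),
    2: ("strategy", "management", "core", "incidents"),
    3: ALL_MODULES,
}

# Illustrative weights: data exposure and access dominate the score.
DATA_WEIGHT = 3
ACCESS_WEIGHT = 3
CRITICAL_BONUS = 2
SUBCONTRACTOR_BONUS = 1


def inherent_risk_score(v: VendorProfile) -> int:
    """Inherent risk before any vendor controls are considered (0..21)."""
    score = DATA_WEIGHT * int(v.data) + ACCESS_WEIGHT * int(v.access)
    if v.business_critical:
        score += CRITICAL_BONUS
    if v.uses_subcontractors:
        score += SUBCONTRACTOR_BONUS
    return score


def tier_for(v: VendorProfile) -> int:
    """Map a profile to a diligence tier, with a floor for the worst factors.

    A vendor touching no data and holding no access needs no cyber
    questionnaire at all.  Regulated data or privileged access can never
    drop below tier 2, whatever the arithmetic score says.
    """
    score = inherent_risk_score(v)
    if score == 0:
        return 0
    if score <= 5:
        tier = 1
    elif score <= 11:
        tier = 2
    else:
        tier = 3
    if v.data == DataClass.REGULATED or v.access == Access.PRIVILEGED:
        tier = max(tier, 2)
    return tier


def due_diligence_scope(v: VendorProfile) -> dict:
    """What the assessor must collect for this vendor."""
    tier = tier_for(v)
    return {
        "vendor": v.name,
        "score": inherent_risk_score(v),
        "tier": tier,
        "modules": list(TIER_MODULES[tier]),
    }


# Constructed sample vendors, including the easy-to-overlook ones from the post.
SAMPLE_VENDORS = [
    VendorProfile("landscaping", DataClass.NONE, Access.NONE),
    VendorProfile("landlord", DataClass.NONE, Access.PHYSICAL),
    VendorProfile("shred company", DataClass.CONFIDENTIAL, Access.PHYSICAL),
    VendorProfile("marketing agency", DataClass.REGULATED, Access.NETWORK),
    VendorProfile("core processor", DataClass.REGULATED, Access.PRIVILEGED,
                  business_critical=True, uses_subcontractors=True),
]


if __name__ == "__main__":
    for vendor in SAMPLE_VENDORS:
        scope = due_diligence_scope(vendor)
        print(f"{scope['vendor']:<17} score={scope['score']:>2} "
              f"tier={scope['tier']} modules={','.join(scope['modules']) or '-'}")
```

Run as a script it prints one line per sample vendor; the landscaper gets no cyber questionnaire, the landlord's unescorted physical access alone earns the lightest tier, the shred company's confidential paper plus physical access lands in the middle tier, and the core processor answers every module. The floor in `tier_for` is the part worth copying: without it, a vendor holding regulated data but no connectivity could be scored into the lightest tier by arithmetic alone.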

Beyond that, basic checks are always a good idea: searches on ownership, reputation risk (see the Better Business Bureau or the Consumer Financial Protection Bureau complaint database), articles of incorporation, an OFAC check of the owners and executive leaders, simple Google news searches, and financial performance.

Year end is a time most organizations use to review vendors and look for new ways to streamline and mature vendor management activities in the New Year. From contract audits to business reviews to vendor consolidation, there are a lot of things to consider.

So where do you start?

Over the next few weeks I’ll give you my thoughts on the three best places to spend your energy if you really want to drive bottom line results in the New Year. First up – it’s all about building relationships.

Great relationships require ongoing care and feeding to make them successful. Your vendors are no different. Companies that get the most value from their vendors are the ones that recognize the importance of creating a mutually beneficial relationship, then working collaboratively to make it grow and prosper.

Now is a perfect time to review your list of vendors, pick out three that are most important to you (because of size, scope or risk) and schedule a business review with each of them to honestly evaluate the current state of affairs and discuss ways to make the relationship stronger and more mutually beneficial in the New Year. In the business review you should:

  • Discuss what’s working, what’s not and ways you can work together to improve outcomes.
  • Review your contract, evaluate performance to terms, conditions and agreed-upon levels of service (‘SLAs’) and identify issues that need addressing.
  • Share with them any upcoming changes or plans for growth you expect in the New Year, and ask for ideas on how they can help.
  • Get their perspective on trends, best practices and new technologies that you should be exploring in the next 12-24 months.

Remember – a business review is not the same as a lunch meeting. Create a formal setting, develop a thoughtful agenda and carve out an appropriate amount of time to really dig in to the conversation.

Contract Lifecycle Management (CLM) is an essential business process and especially important in working with your vendors and third parties. When considering how to effectively implement and maintain Contract Lifecycle Management, you need to adopt core principles that should be the foundation for your program.

Here are a few principles no program should be without:

  • Create a Central Repository for All of Your Contracts
  • Ensure Your Contracting Standards and Processes Include an Approval Process
  • Implement Technology to Automate Your Contract Lifecycle Management
  • Align and Monitor Your Budget and Expenses at the Contract Level

Below are more details on each of these important principles

Create a Central Repository for All of Your Contracts

Whether you operate in a manual or an automated environment, it is absolutely critical that you maintain a central repository for all of your contracts. One of the key lessons from the Covid-19 pandemic is that organizations that have a more ad hoc approach to how they maintain their contracts are significantly disadvantaged when they are required to quickly review one or all of their contracts.

When agreements are stored in desk drawers, individual emails or a combination of locations, it is almost impossible and extremely time consuming to access important contract clauses & dates that are critical to effectively manage your contracts.

Regardless of how you do it you need to have a streamlined process to store and have access to all of your contracts.

Ensure Your Contracting Standards and Processes Include an Approval Process

Given today’s challenging and highly competitive economy, speed to market is more critical than ever, but so too is risk mitigation. The days of ad hoc, explosive growth are rightly being replaced with a more proactive approach to growth, where organizations align policies, resources and processes to optimize the balance between growth and reasonable controls that support risk mitigation.

One of the critical principles to ensure you have in place to support both of these objectives is having a rock solid, yet streamlined approval process in place. By ensuring you have the right stakeholders aligned throughout the procurement and contracting approval processes, you can ensure you can support your business teams with getting the vendors and services they need while simultaneously addressing any risk factors during the contracting process.

This positions your organization to move quickly, yet responsibly to drive growth.

Implement Technology to Automate Your Contract Lifecycle Management

As highlighted in the principle to create a central repository for your contracts, the need to adopt software and implement a Contract Management System (CMS) is probably one of the most strategic principles to prioritize.

Going into 2021, it is simply not practical to maintain a manual contracting environment. As many organizations make permanent investments in remote work, with their employees working from home, implementing a CMS can provide core functionality to automate authoring, execution, storage and renewal reminders, ensuring you have ready access to every contract.

Not following this approach makes it nearly impossible to maintain your contracted relationships in an effective manner.

Align and Monitor Your Budget and Expenses at the Contract Level

As I have said in previous blogs, budgeting can’t be a “set it and forget it” business activity. Most importantly, aligning your budgeting and expense monitoring processes at the contract level enables you to manage the performance of your contracts to ensure you are not only receiving the contracted deliverables but both internal and external stakeholders are effectively managing the spending committed to in each contract.

Maintaining and having access to this vital data enables you to manage performance and, where needed, take corrective actions to maintain optimal performance and mitigate the risk of underperformance in your contracted vendor and third-party relationships.

In Conclusion

To wrap this up, you need to adopt key principles like the above for Contract Lifecycle Management to be effective and successful. As a critical vendor management activity, Contract Lifecycle Management needs to be aligned with your policy and operational business processes.

No matter where you are on your contract lifecycle management journey, here are the contract management services we provide. https://vendorcentric.com/services/contract-management-services/. We are here to help!!

The roles and functions of Procurement have evolved over the decades, and it is hard to overstate the value analytics has played in this evolution. We have seen a shift from spreadsheet-driven, manual spend analysis to automated, predictive and prescriptive data analytics. While it may seem like analytics can grant Procurement professionals a magical crystal ball, be wary of relying too heavily on data analytics, especially when those data sources are less than reliable. Let’s take a look at the benefits and pitfalls of analytics within the Procurement function.

AI-driven and automated tools have proven crucial for almost everyone within Procurement. From Category Managers applying predictive analytics, to the AP team measuring cycle times, to helping strategic sourcing lock in better payment terms and discounts, when used properly analytics can build trust and confidence within your Procurement organization. But let’s consider the foundation for predictive and prescriptive analytic models: data sets from multiple sources. How accurate is the data you are plugging into your cloud-enabled or platform-driven analytics tool? How do you verify the validity and authenticity of the data sets? It is no surprise that bad data can lead to bad decision making.

The purpose of these analytical models is to guide our decision making, and if the data we are using isn’t accurate or is outdated, the results certainly will vary. Be sure you are vetting and validating your data before you begin to make decisions regarding large contracts or strategic initiatives. This may mean frequent audits or higher accountability for those inputting your data. Save yourself the frustration and hassle associated with “bad data.”

Moreover, if your team is inundated with data or analytic models, you potentially may be causing more harm than good. The same way consumers may feel overwhelmed in a super-store, so might the Category Manager with a variety of dashboard views and filters.

Establish three or four key metrics you wish to report on and use this small set to guide thinking or decision making before opening the floodgates. If cycle time is important to your organization, start by measuring your average contract lifecycle or average sourcing event duration to help plan any corrective action. Spending time digging through different filters and dashboard views isn’t productive and will likely cause resistance from those providing the reporting. Also, understand how different metrics may overlap or work with one another. For example, forecasting and benchmarking are separate metrics you can report on; both help build your market intelligence and equip your team with the tools to be trusted consultative advisors for stakeholders.

While predictive analytics can provide a Procurement team with valuable insights, be careful not to rely too heavily on these insights and mistake predictive for prescriptive models. If you trust your data, then your analytics and reporting capabilities influence strategic decisions, but if you are unsure of the validity of your data sets then it is time to revisit where and how you capture your data – manual inputs, ERP systems, source-to-pay platforms, etc.

Once you are confident you are capturing and vetting all data sets, start small with key metrics and reports before applying any overly corrective actions. These strategic steps can help make the most out of your analytics and reports while avoiding any over-reliance on easy-to-use reporting features.

This article was originally published on the Corcentric Blog

Procurement is such a vital function for every company, small or large. As a company looks to develop and provide key services and grow the business, the procurement process plays a vital role in helping the business acquire the resources and tools needed to deliver exceptional outcomes to their customers.

In this blog, I will share the Procurement Best Practices for 2021 that we follow in the work we do with our clients. These are guiding principles you can use as you look at ways to improve and optimize your procurement operations, uncovering new efficiencies with clarity of roles and responsibilities for both your internal and vendor stakeholders.

Here are the top procurement best practices which help transform your procurement operations and ensure success:

Document Your Procurement Policies and Procedures

It is important to have in place a clear and concise policy detailing the rules of the road for your organization, along with documented procedures that provide an efficient and consistent approach, so that all stakeholders perform their responsibilities consistently.

Without this, you will most likely experience inconsistent outcomes and have little control over, or predictability about, the future performance you are seeking to achieve, not to mention that you will be open to unmeasured risks that could negatively impact your customers, your growth and your profits.

A few highlights:

• Use clear, concise and simple language that your staff can actually understand
• Create policy statements that specifically address the rule, and procedures that direct the implementation of activities
• Reference forms, templates, checklists and other tools that staff should use
• Identify roles and responsibilities to eliminate confusion
• Assign an owner to maintain and continually refresh your procurement policies, procedures and documents

Ensure Procurement Is Fully Aligned in Your Vendor Lifecycle Management

While procurement is in many cases viewed as a stand-alone function, it is important to approach it as an integral component of your Vendor Lifecycle Management program. Recognizing the vital role procurement can play in your ongoing success, it is important that your procurement process takes into account things like:

• Vendor risk assessments and due diligence to identify inherent risks and remediate them in advance of signing a contract
• Contracting standards aligned with your procurement and risk management policies, ensuring you establish the onboarding, risk, compliance, oversight, performance and offboarding requirements in your contract to create full clarity and accountability with every vendor

Align Procurement with Environmental Sustainability and Supplier Diversity

Given the continued evolution and challenges facing our world today, procurement can’t be misaligned with the overall organizational culture and underlying principles. As most companies today are embracing their role as responsible corporate citizens, ensure that your procurement operations are aligned with the rest of your organization and that your vendors fit within your corporate principles.

As an example, if you have a corporate policy that provides a framework around environmental protections, you need to ensure you clearly incorporate this into all of your procurement documents and solicitations. Having a vendor that operates like it is 1970 when your company is striving to be a role model of environmental responsibility will create dysfunction and disruptions that could cause harm to your corporate reputation.

Similarly, when it comes to social responsibility, the same issue arises if your company is working to embrace social responsibility and equality, yet you are working with a vendor population that doesn’t represent the diversity present in our broader society.

Embracing supplier diversity is not only the morally right thing to do; it also opens your organization up to uncovering innovation and a broader perspective that will fuel your growth and success.

Implement New Tools and Technology

The most important and strategic procurement action your company can take is to search the market for, purchase and implement a new procurement system to make your procurement operations future-ready. Digital procurement activities limit the repetitive and manual aspects of procurement, freeing up your procurement team to focus on strategic initiatives.

As technology continues to evolve, leading companies are looking at digital transformation for procurement operations going into 2021.

In Conclusion

To summarize, these best practices outline a range of critical considerations and practices your company can embrace as you look to move your company forward. The best place to start is by doing a high-level assessment of your current procurement operations and identifying key areas of weakness or inefficiency that need your attention. Hopefully these best practices give you some things to contemplate and a few ideas of things you can do to prepare your procurement operations for 2021 and beyond.

Whether you need assistance in assessing your current procurement processes or want to explore having components of your procurement process outsourced, check out our services here. We are here to help!

Reporting, specifically third-party risk management reporting, seems to be one area that challenges many of my clients… and rightfully so! Even figuring out where to start can be difficult. Common questions I hear about reporting include: What data should we track on third parties? What metrics are most meaningful? How do we present the data?

Answering questions like these takes some careful planning and a good understanding of the relationship between metrics and business objectives. Metrics, alone, can only tell us so much. They quantify or summarize information (e.g. number of high-risk vendors, or number of contracts approaching expiration). Metrics paired with measurable business objectives are where indicators come into play.

Indicators help you keep your objectives on track and can inform management (or your Board) so important business decisions can be made. In the world of third-party risk management (TPRM), Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) are commonly used. Let’s take a look at key indicators, specifically at KRIs, and see how you might be able to incorporate them into your TPRM reporting.

Lagging vs Leading Indicators

As mentioned above, indicators are more than just simple metrics; they are metrics that tell a story. They help indicate whether or not certain business goals/objectives are being met. Before we dive into Key Risk Indicators, let’s first take a look at the difference between two terms known as “lagging” and “leading” indicators:

  • Lagging indicators tell you about something that has already occurred. They are used to make reactive business decisions.
    • Example: Your organization has no tolerance for severe third-party issues (like a data breach/security incident). Your business goal is to keep the number of incidents at zero. A lagging indicator may be “number of severe incidents per quarter.” If an incident were to occur with one of your vendors, you’d simply be reporting on it (i.e. “one incident last quarter”).
  • Leading indicators help you predict something before it occurs, and enable you to make proactive business decisions.
    • Example: As part of your ongoing vendor monitoring activities, your organization uses a third-party security monitoring tool to score the security posture of your vendors (i.e. a low score might indicate that vendor has major security vulnerabilities/flaws). A leading indicator may be the “number of vendors with a low-risk score.” If, quarter after quarter, you see that more of your vendors have poor security scores, that may be a predictive indicator that a severe third-party issue could occur (tying things back to our lagging indicator example above).

There is no right or wrong with regard to how many leading or lagging indicators you use. As you can see from the examples above, they can work hand in hand. As a best practice, aim to use a well-balanced mix of leading and lagging indicators in your TPRM reporting.

KPI vs KRI

Now that we understand the difference between leading and lagging indicators, let’s talk about two types of indicators that sound similar but are in fact used for very different purposes in TPRM reporting – KPIs and KRIs.

  • A Key Performance Indicator (KPI) is a way to measure the performance of your vendors (e.g. compliance with contractual SLAs) or even the operational performance of your third-party risk management program (e.g. average number of days to complete due diligence assessments).
  • A Key Risk Indicator (KRI) is a way to measure your organization’s exposure to risk, either in a proactive (leading) or reactive (lagging) way. KRIs help your organization understand how likely, or unlikely, a certain risk event may be.

Using KRIs in Third Party Risk Management Reporting

Just as there is no right or wrong with regard to how many leading/lagging indicators you use, there is no rule of thumb for the proper mix of KPIs and KRIs.

You may find that KPIs and KRIs are geared towards certain audiences. For example, your Business Units and operational staff may be more interested in KPIs (e.g. time it takes to conduct due diligence, # of vendors not in compliance with SLAs, etc.) whereas senior management and executives would likely be more interested in KRIs and potential risk exposure to your organization (e.g. level of residual risk, # overdue risk remediations, etc.).

With so many dimensions of risk that your organization could be exposed to simply by working with vendors and other third parties, using KRIs will keep you and your stakeholders informed about risk trends. They can even help you take preventative action before risks elevate past your organization’s risk appetite.

As with any type of reporting, starting with the end in mind and working your way backwards is always a good idea. Identify objectives related to risk mitigation, determine which metrics would be helpful in achieving and monitoring progress towards those objectives, and identify the source or data that will allow you to obtain such metrics. As an example:

  • Objective: Reduce the risk of an adverse data security incident with our third parties
  • Metric/KRI: % of Critical third-parties who scored high in our third-party security monitoring tool (i.e. a high score could indicate that your third party has a strong information security posture and the likelihood of a data security incident is low). If the percentage starts to fall, that may be an indicator of an increasing risk of a data security incident.
  • Data Source: Your third-party risk management system

The practice of third-party risk management is about getting the most value from your vendors, but it’s also about reducing the risk those vendors expose your organization to. Use KRIs as a way to track meaningful objectives that can produce early warning signals for your organization.

One of my trusted colleagues, Patrick O’Connor from Gatekeeper, recently showed me a new feature his company was rolling out for their contract lifecycle management software solution.  He explained it as ‘touchless contracting’.  And it got me excited because I believe it’s going to be the next evolution in vendor and contract management software – full data integration into workflow.

Most modern vendor and contract management software solutions support workflow management.  This isn’t new. And many are beginning to integrate external data sources into their solutions from third-party data intelligence platforms like Argos Risk, BitSight and others.

In most cases, when this data is integrated, it is available to view and report on from within the actual system.  For example, the ability to pull up a profile of a vendor from within the system and view their most recent business health score from Argos Risk or latest security rating from BitSight. This is a really good thing as these systems allow you to bring this external data into your vendor and contract management software solution to support point-in-time decision making along with continuous monitoring.

However, there are a few vendor and contract management software solutions that are thinking beyond just data integration. They are creating ways for you to see this data at the point in time you need to actually make a decision by integrating it directly into workflow.

In the Gatekeeper example, Patrick walked me through their standard electronic signature (eSign) workflow which sends an email to contract approvers when a contract is ready to sign electronically.  Gatekeeper has had this functionality for a while.  But the piece they added more recently was embedding data directly into the email approval.  In this case, providing a snapshot of the vendor’s business health profile in the actual email.  This came through their integration with Argos Risk, a business health monitoring solution.

What this does is give the contract approver an additional layer of real-time data on the vendor’s business health before executing the contract.  The approver didn’t have to go into the system to find this data.  Didn’t have to run a special report. The data was right there, at the time the decision to execute the agreement was being made.

This is exciting and, in my opinion, the direction that the leading vendor and contract management software providers should (and will) be heading. Full data integration into everyday workflow, making the data ubiquitous in the tools we already use, allowing us to make smart, timely decisions that impact risk and cost and compliance – all in one place.

If your organization is still mired in Excel, Word and other outdated tools, now is the time to upgrade your technology and modernize your third-party risk management. Vendor Centric can help you assess your current technology and workflow, and implement modern processes and software to support your vendor and contract management activities.

When it comes to Vendor Due Diligence, it is important to understand the benefits to your organization. Before we explore these benefits, let’s start with a quick refresher of what it is and why it is such an important component of a successful vendor management program.

Vendor Due Diligence (VDD) is a comprehensive process which includes:

  • Identifying inherent risks
  • Collecting information via due diligence questionnaires
  • Evaluating the potential risks based on the vendor responses & analysis of supporting documentation
  • Remediation of the identified risks to determine how you want to proceed with contracting and the services you will receive from the vendor
  • Continuing to monitor risks by implementing financial health and cyber risk monitoring tools that alert you to any negative incident or trend that could change the risk associated with a vendor

You should complete due diligence in advance of executing a contract with any vendor and at a frequency aligned with your vendor risk management policies throughout your relationship with each vendor.

As we look at the benefits of consistently performing vendor due diligence, here are some of the most important:

  • Vendor Due Diligence during procurement process ensures you can identify and mitigate the risks present with a vendor you want to do business with during the contracting process. You can remediate certain risks and require the vendor to take corrective action prior to executing a contract.  For any remaining risk that you are willing to accept, you can include the required contract clauses to effectively balance the risk so the vendor maintains the appropriate accountability for the accepted risk.
  • Vendor Due Diligence can uncover useful information which can enhance your negotiations with the vendor to receive improved pricing or related benefits to offset the risks you have uncovered.
  • Vendor Due Diligence enables you to uncover any information required to ensure your regulatory compliance. If there are specific regulatory requirements, controls or standards you need to adhere to in your work with a vendor, the due diligence process is the way in which you can identify these requirements and hold the vendor accountable for their shared responsibilities for regulatory compliance.
  • Vendor Due Diligence is the primary method you can use with a vendor to ensure the authenticity of their claims to you. It would be nice to live in a world where we could take every verbal claim at face value, but if that were the case there would be no need for contracts or lawyers. With a VDD process in place, you can eliminate the unnecessary risks that come from doing business without doing due diligence.
  • Over the course of a relationship, it is possible that unfair and unethical practices could take place which result in a negative impact for your organization. Due diligence helps identify unforeseen possibilities and if all of the other steps are consistently carried out you will be able to proactively address and remediate the issues to mitigate or eliminate the risk.

In Conclusion

To summarize, there are a number of benefits of ensuring your vendor management program includes a risk-based approach to performing Vendor Due Diligence.  As you look forward to 2021 and make plans to improve and strengthen your Vendor Management Program, making sure you have full transparency of the risk associated with your vendors and third parties is essential.  Effective due diligence must include a remediation process to ensure any unacceptable findings in your due diligence are addressed and resolved in a timely manner.

Whether you need assistance in assessing your due diligence practices or want to explore having your due diligence process outsourced, check out our services here. We are here to help!

Assessing the risk your vendors and other third parties may expose your organization to is a critical step in the third-party management process. In fact, assessing inherent risk drives many other vendor management activities. For example, the level of due diligence that is needed or the type and frequency of ongoing monitoring activities all depend on the vendor’s inherent risk level.

The third-party risk assessment process can seem overwhelming – How many questions do we ask? Who completes the assessment? What risk tiers do we use?

As with many aspects of third-party risk management, there isn’t a one-size-fits-all approach. There are, however, some tips you can follow to make sure your risk assessments are performed as accurately and efficiently as possible. Let’s take a look at them:

Understand the difference between “Inherent” and “Residual” risk

Inherent Risk:  The risk that exists in a third-party relationship BEFORE their mitigating factors have been evaluated. It is the risk that exists in the absence of controls (i.e. when you perform a “risk assessment” you are assessing inherent risk).

Residual Risk:  The risk that exists in a third-party relationship AFTER the consideration and evaluation of the Supplier’s mitigating controls. It is the risk that remains after controls are accounted for (i.e. after you’ve had subject matter experts perform the appropriate level of due diligence, you’ll know your resulting residual risk).

Use a standard form

Your risk assessment should not be something that is left to interpretation each time it is completed. Your Vendor Management Office (VMO) should establish a standard risk assessment form that is used each time a risk assessment is completed, and it should assess (at a minimum):

  1. Information security risk – Will your vendor have access to your (or your customer’s) non-public information (NPI)?
  2. Physical security risk – Will your vendor have access to your building/offices?
  3. Reputational risk – Do the services your vendor provides have the ability to cause reputational harm to your organization?
  4. Financial risk – Do you rely on the vendor for revenue generation, or will there be hefty costs if a contract is terminated early?
  5. Operational risk – Do you rely on the vendor to effectively run a critical business function?
  6. Compliance risk – Is the vendor an integral part in your compliance with certain regulations or laws?
  7. Fourth party risk – Will your vendor be using other vendors (i.e. your 4th parties) to provide you with the goods/services you need?

Set standard risk levels

Your inherent risk assessment doesn’t mean much if it doesn’t provide you with standard results. It’s important to configure your third-party risk assessment process so that completed assessments result in a certain, consistent set of risk levels.

It does not matter what you call your risk levels. I’ve seen everything from “Level 1/Level 2/Level 3” to “High/Medium/Low” to “Tier 1/Tier 2/Tier 3.” The important thing is that you have a standard methodology to segment your vendors by their level of inherent risk. This risk level will drive a number of other activities, including the type of due diligence you perform, and how often you perform ongoing monitoring of your third parties.

Automate the process

Excel works if you have a few vendors, but when you have 50 or 200 or upwards of 1,000 vendors you need something that helps to automate the third-party risk assessment process. That’s where vendor management systems come into play. Vendor management systems allow you to create risk assessments that can be completed online, configure scoring (utilizing weighted points or even automatic triggers for certain risk levels) and even set up the appropriate workflows for approvals and other subsequent activities.

Make sure Relationship Managers complete the risk assessment

Someone at your organization “owns” the relationship with the vendor (i.e. the person who is responsible for the deliverables the vendor was hired to provide). This role is sometimes referred to as the ‘Vendor Relationship Manager’ or the ‘Vendor Owner,’ and they should be the ones who complete the risk assessment. You don’t want the risk assessment process to be a “check the box” activity that could be completed by anyone.

In order to ensure you accurately assess risks, it’s important to make sure that the person who knows the vendor best (and is intimately familiar with the services they provide) is the one who completes the assessment. It’s also important to note that it’s absolutely fine for Subject Matter Experts (SMEs) to get involved if the Relationship Manager is not sure about a particular risk category. For instance, a Relationship Manager may need assistance from your Information Security team to figure out what type of access the vendor will have to your organization’s data.

Reassess third party risks on a regular basis

The third-party risk assessment process is not a one-time activity. Risks constantly evolve, and you need to stay ahead of them. While there isn’t a “correct” frequency to reassess your vendors and third-parties, it’s generally accepted that an inherent risk re-assessment schedule would look something like the following:

  • High Risk – Every year
  • Medium Risk – Every two years
  • Low Risk – Every three years

It’s also important to note that a schedule, such as the one above, is not the only time risks should be reassessed. A critical time to reassess risk is when a scope change occurs with your vendor. For example, let’s say a vendor was hired to perform some relatively simple consulting services, but now you need to engage them to perform more complex services that will require you to provide them with access to non-public information (NPI). The risk assessment you performed initially no longer captures the true inherent risk of the vendor.
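The standard form, weighted scoring with automatic triggers, standard risk levels and the reassessment schedule above can be expressed as a small scoring routine. This is an added example written for this page, not code from any vendor management system: the seven categories and the one/two/three-year cadence follow the text, while the point weights, the tier thresholds and the rule that NPI access automatically forces the High tier are constructed assumptions.

```python
"""Inherent risk scoring, tiering and reassessment scheduling (added example).

Weights, the auto-High trigger and the tier thresholds are constructed
assumptions; the seven categories and the 1/2/3-year cadence follow the text.
"""
from datetime import date

# Points awarded for a "yes" answer in each category of the standard form.
# The weights are constructed for illustration, not taken from the page.
CATEGORY_WEIGHTS = {
    "information_security": 5,  # access to non-public information (NPI)
    "physical_security": 2,     # access to buildings/offices
    "reputational": 3,          # services that could cause reputational harm
    "financial": 3,             # revenue reliance or costly early termination
    "operational": 4,           # runs a critical business function
    "compliance": 4,            # integral to regulatory compliance
    "fourth_party": 2,          # uses subcontractors (your 4th parties)
}

# Automatic trigger (assumed rule): NPI access forces the High tier
# regardless of the point total.
AUTO_HIGH_TRIGGERS = frozenset({"information_security"})

# Minimum points for each tier, checked from highest to lowest (assumed).
TIER_THRESHOLDS = (("High", 12), ("Medium", 6))  # anything below 6 is Low

# Reassessment cadence from the text: High yearly, Medium every two years,
# Low every three years.
REASSESS_YEARS = {"High": 1, "Medium": 2, "Low": 3}


def score_points(answers):
    """Sum the weighted points for the 'yes' answers in a completed form."""
    unknown = set(answers) - set(CATEGORY_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown risk categories: {sorted(unknown)}")
    return sum(CATEGORY_WEIGHTS[cat] for cat, yes in answers.items() if yes)


def assign_tier(answers):
    """Map a completed form to a standard tier: High, Medium or Low."""
    points = score_points(answers)  # validates the categories first
    if any(answers.get(cat, False) for cat in AUTO_HIGH_TRIGGERS):
        return "High"
    for tier, minimum in TIER_THRESHOLDS:
        if points >= minimum:
            return tier
    return "Low"


def _add_years(day, years):
    """Add calendar years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return day.replace(year=day.year + years)
    except ValueError:
        return day.replace(year=day.year + years, day=28)


def reassessment_due(completed_on, tier):
    """Date the next scheduled inherent risk reassessment falls due."""
    return _add_years(completed_on, REASSESS_YEARS[tier])


def needs_reassessment(completed_on, tier, today, scope_changed=False):
    """True when the schedule has elapsed or the vendor's scope has changed.

    A scope change (e.g. a consulting vendor now receiving NPI) invalidates
    the last assessment immediately, whatever the schedule says.
    """
    if scope_changed:
        return True
    return today >= reassessment_due(completed_on, tier)


if __name__ == "__main__":
    # Constructed sample answers for a consulting vendor with no data access.
    form = {"physical_security": True, "reputational": True, "operational": True}
    tier = assign_tier(form)
    print(tier, score_points(form), reassessment_due(date(2020, 3, 1), tier))
```

Categories left out of a form count as "no", unknown category names are rejected rather than silently ignored, and the scope-change override models the consulting-to-NPI situation described above: the schedule is only one of the triggers for a reassessment.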

The risk assessment process may seem complex, but it certainly doesn’t need to be. We’ve helped organizations of all sizes create, re-build or update their third-party risk assessment processes. If you need help, feel free to reach out to us!

Download this free tool to review areas of potential exposure with your vendors, and determine whether those risks can be properly mitigated and managed before it’s too late.

The third-party risk management lifecycle is a common term used to describe the stages of risk you need to manage with your third parties throughout the length of your relationship with them.  Third-parties come with a variety of risks that include reputational, operational, information security and compliance risks, among others.  All of these risks need to be assessed and managed.

Establishing effective third-party risk management is not meant to be a deterrent from working with the vendors, suppliers, agents or other businesses that help make your company run.  It’s actually the opposite.  Effective risk management allows you to work with those third parties that provide the best results (and the least risk) to your organization’s success.

That’s why it’s so important to understand and mitigate risks throughout the third-party risk management lifecycle, which consists of three natural points in the relationship:

  • Pre-Contract – before you enter a formal relationship.
  • Contracting – when you negotiate key terms and provisions, and determine how you will share risk between the parties.
  • Post-Contract – after you enter into the relationship all of the way through termination.

Let’s go a little deeper into each of these three stages.

Stage 1: Pre-Contract Risk Management

The first stage in the third-party risk management lifecycle comes before the relationship even starts; that is, before you enter into a contractual agreement.  There are two critical activities that happen here.

The first activity is the third-party risk assessment, the purpose of which is to identify and understand risks that are naturally inherent in the relationship.  This is done by completing an inherent risk questionnaire that helps to tease out things like:

  • How critical are the services being proposed by the third party?
  • Will the third-party have access to your sensitive information?
  • Will the third-party have access to your offices or direct interaction with your customers?
  • Will they be using any subcontractors of their own to provide services to you (i.e. your ‘fourth parties’)?

Identifying these inherent third-party risks is critical, as you use this information to conduct risk-based due diligence on them. This, again, is a crucial step to the risk management process as it allows you to dive deeper into the third party’s policies, systems and controls to understand whether any ‘residual risks’ remain that you need to address. If the answer is yes, you then have a decision to make:

  • Are the residual risks too significant to enter into this relationship, or
  • Can the residual risks be mitigated?

If they can be mitigated, then it’s time to move to the second stage of the process.

Stage 2: Contracting

Developing sound contracting principles and provisions is a key component of third-party risk management.  It’s important to understand which risks are being assumed/shared by the parties to the relationship, and strike the right balance in how those risks are distributed. Here are nine provisions that help mitigate third-party risk in your contracts.

  1. Business Continuity and Disaster Recovery – Covers what happens in the event of a service interruption. Should include the right to test a vendor’s business continuity plans.
  2. Data Ownership and Transfer – Identifies who owns the data that is collected and/or stored, and the process to be followed in getting that data back when you want it.
  3. Indemnity and Liability – Allows for relief in the event a vendor does something wrong or fails to perform, and sets the limits around losses incurred as a result of a vendor failure.
  4. Information Security and Privacy – Different from data ownership, it restricts the use of the data by permitting the vendor to use data only as required to perform the services.
  5. Right to Audit – Provides the ability for you to audit the vendor’s operations and records to ensure they are meeting contractual requirements, industry standards and/or compliance with laws and regulations.
  6. Scope of Services – Defines the nature of the services/products, timing, delivery methods and location. You’d be surprised how often these are too vague to hold anyone actually accountable.
  7. Service Level Agreements – Establishes agreed upon expectations for service levels the vendor must meet. These are common in technology and outsourcing contracts, and should address expectations for non-performance or breach, and penalties for both.
  8. Subcontractor Relationships – Requires the identification of 4th parties the vendor may use, and how the vendor is going to monitor their compliance with applicable contractual agreements.
  9. Termination Events – Defines what triggers termination, and the transition activities that must occur to effect an orderly transition.

Business Owners have a tendency to want to rush through contracting.  After all, they need the third party’s goods/services to do their work.  Be careful not to rush through contracting just to meet a business need.  A strong contract is a critical component for managing third-party risk.

Stage 3: Post-Contract Monitoring

The last stage in the third-party risk management lifecycle – the monitoring stage – starts after the contract is signed.  It’s where the real risk begins. Unfortunately, though, it’s oftentimes the one that gets the least amount of focus and attention.

As discussed in my previous blog on 7 Pillars of an Effective Vendor Monitoring Process, COVID-19 has put a spotlight on post-contract risk monitoring as a result of vendors, contractors and other suppliers having to:

  • Reduce or eliminate services due to the need to shift to new lines of business
  • Address new financial pressures resulting from new competitors, permanent loss of market share or difficulty obtaining working capital
  • Address operational issues caused by some of their own key suppliers (your 4th parties) or, in the worst cases, replace them altogether

This is why effective risk monitoring is so important to third-party risk management.  There are four, important activities that should be integrated into the post-contract monitoring process.

Continuous Monitoring:  Used to provide ongoing visibility into the risk posture of key third parties primarily through data collected through business intelligence tools. Continuous monitoring enables you to maintain a current view into risks with your third-parties that may come from changes to their credit ratings, new lawsuits, major layoffs or other events that may impact their overall health.

Point-In-Time Monitoring:  These activities allow you to perform a deep dive into risks on a periodic basis through questionnaires and examination of evidentiary documents such as information security policies, SOC reports and financial statements.

Risk Re-assessments:  Risks can change as third-party relationships grow and evolve.  You must reassess risk on a periodic basis to evaluate what, if anything, has changed and determine whether additional diligence is required or if contractual changes are needed.

Structured Third-Party Offboarding: Used to ensure third-party contracts and relationships are ‘de-risked’ through a formal offboarding process.  This includes things like return/destruction of data, removing access to systems and confirming completeness and accuracy of all deliverables, to name a few.

Putting it All Together

Of course, creating an effective approach to the third-party risk management lifecycle requires adopting a proper framework that you can follow.  This ensures you put the necessary fundamentals in place such as policies, procedures and systems to provide quality and consistency to the risk management function.

In summary, the third-party risk management lifecycle starts before a contract is signed and continues all the way through the termination and offboarding of the relationship.  It’s critical that you create the right systems and controls throughout the lifecycle to effectively identify and mitigate your risks with third parties.

Review areas of potential exposure with your vendors, and determine whether those risks can be properly mitigated and managed before it’s too late. Download this free tool


On July 16, 2020, I was lucky enough to co-host a webinar with my colleague Matt Langlois from Gatekeeper. We discussed the importance of Digitizing Your Contract Lifecycle to Recession Proof your Vendor Management Program. One of the key topics we highlighted were Contract Lifecycle Management Best Practices that are core components of an effective program.

In this blog, I have summarized these best practices to highlight the critical activities all companies should include in their Contract Management processes.

These best practices are:

– Automate and Digitize Processes as Much as Possible
– Track and Take Action on Important Contract Dates
– Optimize Spend and Budgets with Strategic, Regular Reporting
– Standardize and Streamline Contract Authoring and Execution
– Conduct Regular Risk and Compliance Reviews
– Understand and Track Key Obligations (KPIs, SLAs, Termination Terms, etc.)

Below are more details on each of these important best practices.

Automate and Digitize Processes as Much as Possible

Many organizations are finally recognizing the importance of digitizing their contracting process by implementing a contract management system (CMS). It is extremely difficult to maintain a full portfolio of contracts in a manual environment.

This was truly highlighted with the onset of the Covid pandemic. All organizations were forced to face the negative business impacts caused by the pandemic across all of their third-party relationships. Those still operating in a manual environment quickly came to realize that, without access to their paper files from their remote working locations, they had no insight into important contract clauses such as force majeure. This put these organizations at unknown risk and created a crisis that organizations with a CMS did not have to face. With a CMS in place, organizations had insight into all of the critical data needed within minutes or hours, versus the days or weeks it took organizations in a manual environment.

Track and Take Action on Important Contract Dates

There is no more annoying and unsettling issue to uncover than discovering that your organization has had a contract auto-renew without any notice or review of the contract’s performance before the agreement renewed.

This is a somewhat common experience in a manual contracting environment, as it is left up to human intervention and manual tracking of key termination and renewal terms. With a CMS in place, you will have automated the key dates to notify the appropriate contract stakeholders that an expiration and/or renewal date is upcoming and that they need to take action.

This allows them to assess the status and performance of the agreement and determine whether you want to renegotiate, renew or let a contract terminate. Not following this approach makes it nearly impossible to maintain your contracted relationships in an effective manner.

Optimize Spend and Budgets with Strategic, Regular Reporting

Budgeting can’t be a “set it and forget it” business activity. For the top performing organizations, maintaining spend and budgetary performance at the contract level is a well-defined and resourced activity. Having a CMS that integrates with your budgeting and accounting system, along with dedicated stakeholders and business processes, allows these top performing organizations to manage their budgetary performance at the individual contract and portfolio levels.

With consistent access to this vital performance data via automated reporting, you will be able to make proactive decisions and take corrective actions, as needed, to maintain optimal performance and mitigate the risk of underperformance in your contracted third-party relationships.

Standardize and Streamline Contract Authoring and Execution

The name of the game when it comes to growth is speed to market. To ensure your organization is positioned to achieve speed to market, you need to align your contract authoring and execution process accordingly. First and foremost, digitizing this process is absolutely essential. By implementing a contract management system, you will be able to automate the entire contract authoring and execution process for both your internal and external stakeholders. Without this automation, you will be challenged to support the growth of your organization as you struggle to maintain manual processes.

Conduct Regular Risk and Compliance Reviews

To ensure your organization is proactively monitoring and mitigating the risks associated with your contracts, it is essential that you build risk and compliance reviews into your process. These reviews will allow you to keep a handle on your current and potential risk exposure based on the terms and conditions in your contracts, and on current market conditions which may present risk to your organization.

Additionally, you can make sure that the key terms in your contracts meet the compliance standards you and your contracted partners are required to operate within. Make sure you build into your review process the corrective actions and contracting process improvements which may be required to make not only changes to your current contracts but also to your future contracts.

Understand and Track Key Obligations (KPIs and SLAs)

As with anything, if you don’t track or measure it, how will you know whether you are winning or losing? When it comes to assessing the status of your relationships with the vendors and other third parties you have a contract with, it is essential to establish and measure the KPIs and SLAs of each agreement.

To maintain the contracted terms for each relationship and optimize its performance, tracking specific service commitments (SLAs) and other key performance indicators (KPIs) allows you to maintain full transparency, both internally and externally, with stakeholders from your vendors. Being fully aligned and having access to the critical terms and data from your contracts will produce more successful, more productive and less risky third-party relationships.

In Conclusion

To wrap this up, the goals of Contract Lifecycle Management align very closely with many of the operational best practices organizations need to employ. Effective CLM is an imperative function for any organization committed to excellence and success. If you want to explore this in more detail, here is a recording of our webinar Digitizing Contract Management to Recession Proof Your Vendor Management Program. Enjoy!

No matter where you are on your contract lifecycle management journey, here are the contract management services we provide. We are here to help!!

As organizations continue to adopt a more formalized vendor management program, one of the big questions they face is whether or not they should establish a formal vendor management office.

This is a question that comes up frequently with our clients because starting a vendor management office (VMO) can be quite challenging. The ‘right’ answer really depends on how much risk the organization is exposed to with its vendors, and how committed they are to establishing a formal, disciplined approach to managing that vendor risk.

If you’re looking to mature your vendor management program by establishing a formal vendor management office, here’s a four-step plan you can follow to get yours up and running.

Step #1 — Know the Business

A vendor management office won’t be successful unless it is designed to coordinate and collaborate with other business units. So the first place to start is to spend some time talking to your different business units and understanding how their current vendor relationships are managed. Some of the questions you might ask include:

  • How do you identify the ‘business owner’ of the vendor relationship?
  • What vendor management responsibilities does the business owner typically perform?
  • Who performs vendor risk and performance reviews?
  • Who currently negotiates contracts?
  • Where do you store important documents like contracts, NDAs, attestation agreements, audit reports and insurance certificates?
  • Who reviews and submits invoices?
  • What are your current challenges with vendor relationships?

The best way to answer these and other important questions is to create an interview questionnaire and use it to meet face-to-face with key stakeholders from each line of business. It’s a great opportunity to not only learn more about the unique aspects of their vendor relationships, but also to build rapport and begin setting expectations.

You’ll need buy in from all key stakeholders to make the vendor management office a success. This is a good first step in that process.

Step #2 — Design the Roles & Responsibilities for the Vendor Management Office

The feedback you collect from the business units is important to helping you establish a baseline for how vendors are currently being managed. However, the level of maturity you want from your vendor management program will ultimately drive the design of your vendor management office.

Your ultimate goal should be to right-size the roles and responsibilities of the VMO to best manage the unique activities and vendor risks your organization needs to manage. As a starting point, here are some of the more important vendor management activities you should consider for your VMO.

1. Gathering business and technical requirements
2. Identifying and building a pool of potential vendors
3. Creating and managing solicitations and requests for proposal (RFPs)
4. Executing non-disclosure agreements (NDAs)
5. Evaluating and scoring proposals
6. Performing site reviews and due diligence on finalists
7. Negotiating contractual terms and conditions
8. Creating contract documents
9. Facilitating the contract approval process
10. Onboarding vendors
11. Segmenting vendors
12. Establishing vendor risk profiles
13. Establishing vendor oversight plans
14. Managing contract renewals
15. Performing or managing vendor reviews related to risk, compliance and performance
16. Terminating vendors
17. Maintaining vendor documents
18. Managing vendor profiles
19. Tracking and resolving vendor incidents and problems
20. Performing vendor contract audits
21. Maintaining vendor management systems
22. Maintaining vendor management policy and procedure documentation
23. Providing vendor management training

Keep in mind the functions you commit to may require additional staff depending on the goals of your vendor management program, and the activities you want your VMO to undertake. Among the roles you may consider are a contract administrator, a vendor analyst and a vendor auditor.

Some of the more typical responsibilities for these positions include:

Contract Administrator

  • Assist with the RFP process
  • Develop vendor profiles
  • Support the Business Owner in reviewing and negotiating contract terms and pricing
  • Coordinate with the Legal Department to ensure vendor contracts are reviewed and proper approvals are obtained on all documents
  • Maintain and update, as needed, company standard blanket contracts
  • Manage select vendors
  • Assist with administering vendor action plans as needed
  • Conduct vendor business reviews
  • Perform other activities as assigned by the Vendor Manager

Vendor Analyst

  • Research, collect, track and report on vendor service level agreements (SLAs)
  • Maintain information in the vendor management system
  • Track escalated issues and report on root cause analysis
  • Manage the archive and cataloging processes for all VMO documents
  • Track agreement renewal dates
  • Assist the team in the collection and analysis of vendor information
  • Perform invoice tracking against purchase orders as directed by the Vendor Manager

Vendor Auditor

  • Perform daily activities related to managing regulatory compliance and performance of the company’s vendors
  • Partner with the Compliance Department to review changes in regulation that may apply to the company’s vendors
  • Maintain an overall vendor scorecard that relates to vendor risk and performance as related to the review analysis
  • Conduct vendor contract audits and performance reviews
  • Conduct due diligence reviews during the vendor onboarding process
  • Conduct vendor risk reviews as directed by company guidelines
  • Perform vendor on-site reviews as directed by the Vendor Manager

Being clear on these roles and responsibilities is critical regardless of the size of your vendor management office. Be sure to get executive buy-in on your design, and also socialize this with some of the key stakeholders you met with in step #1.

Step #3 — Select a Vendor Management System

Another important decision you’ll need to make is how to efficiently manage the workflow of the VMO. In most organizations, vendor activities and documents are spread across a variety of systems, spreadsheets and email accounts. This creates challenges for your vendor management program by making it extremely difficult, if not impossible, to efficiently manage tasks and understand what’s truly happening with your vendor relationships.

Vendor management software helps to organize, automate and provide visibility into the process. Any organization with a formal VMO should also maintain a vendor management system. Some of the things you’ll want to look for include:

Workflow management related to:

  • Vendor profile development
  • Exclusion list screening
  • Competitive solicitation requests for proposals and quotes
  • Due diligence and document collection
  • Contracting and contract management
  • New vendor onboarding
  • Risk assessments
  • Incident tracking
  • Software and asset tracking
  • Vendor offboarding

Storing documents such as:

  • Contracts and contractual amendments
  • NDAs
  • Insurance certificates
  • Vendor certifications
  • Audit reports
  • Attestation agreements
  • Risk and performance review results

Receiving notifications for:

  • Upcoming risk, performance and due diligence reviews
  • Contract renewals and expirations
  • Insurance expirations
  • Vendor certification and attestation renewals

Many vendor management systems are now cloud-based and can be purchased in modules that support one or more aspects of workflow management, document storage and oversight.

Step #4 — Roll Out the VMO

Now that you’ve laid all of the groundwork for maturing your vendor management program with a VMO, it’s time to put everything together. If you’ve been building buy-in along the way then this part is all about execution.

Before you go out to the masses, make sure you first have your VMO house in order. This includes:

  • Updated vendor management policies and procedures
  • Updated forms and templates used to support vendor management activities
  • Functioning vendor management system
  • Frequently asked questions (FAQs) and clear instructions on how to get help

Depending on your company culture, you may wish to do a roadshow with your business units or even hold a VMO open house. This allows you to set the stage and start engaging with your stakeholders early in the process.

It’s also important to provide those same stakeholders with regular updates to share successes, answer common questions and continue building engagement so that all of your hard work results in tremendous success!

Earlier this year, I wrote about the 6 Foundational Elements You Need to Incorporate in Your Vendor Management Program. One of the six foundational elements is a Vendor Management Policy (and related operational procedures). In this article, we’ll focus on some tips related to writing a vendor management policy. These tips can be applied to brand-new policies (if you are just getting your Vendor Management Program up and running), or existing policies that might just need an update here and there.

1) Address these core components – Every organization has a unique approach to writing corporate policies. Some follow a standard policy template (requiring consistent formatting and certain policy components), while other organizations give policy owners/authors the flexibility to write their policy the way they see fit. Regardless of structure or format, make sure your vendor management policy addresses these core components:

  • Roles and Responsibilities – It should be clear who owns the policy (usually the Board, or in the case your organization does not have a Board, executive management). Your policy should also clearly spell out who the key stakeholders are in your vendor management program, and what their specific responsibilities are with regard to managing vendor risks.
  • Criticality vs Risk – Oftentimes, I see organizations using the terms “criticality” and “risk” as synonyms. These terms actually have very different meanings.
    • Criticality refers to how significant a vendor is to your organization’s operations – If your vendor failed or was suddenly not operational, would your organization be able to function, or would there be serious financial impacts?
    • Risk refers to the level of inherent risk a vendor could pose to your organization due to their level of access to information/data, financial impact, access to your building/office, or other categories of risk (as described below).
  • Categories of Risk – What categories of risk does your organization assess at the start of a new vendor relationship (and on an ongoing basis)? Some common categories of risk that should be baked into any vendor management program include: Financial, operational (including information security risk, concentration risk, 4th party risk, etc.), reputational, compliance and legal risks.
  • Vendor Lifecycle – Your Policy should follow a vendor risk management framework that covers the key lifecycle stages of vendor risk management, including:
    • Risk assessments – Assessing the level of inherent risk a vendor poses to your organization, which helps determine the level of pre-contract due diligence needed as well as the type and frequency of ongoing monitoring activities.
    • Due Diligence – Obtaining assurance that a Supplier is able to meet your organization’s strategic, financial or operational needs (through questionnaires, document collection and analysis, etc.). Due diligence should be performed prior to executing a contract with a vendor.
    • Contracting – Drafting, reviewing, negotiating and executing agreements… ensuring that your organization’s standard terms and conditions are addressed and that the appropriate people review the contract prior to execution.
    • Ongoing monitoring – Performing point-in-time monitoring (i.e. assessments) and continuous monitoring (i.e. through the use of business intelligence tools), the type and frequency of which depend on the vendor’s level of inherent risk.
    • Termination/offboarding – Ensuring that your organization puts all vendors through a standard process when their goods or services are no longer needed (i.e. revoke access to systems/building, return or destroy data, process final payments, etc.)
  • Applicable Laws and Regulations – If your organization must comply with particular laws or regulations regarding vendor/third-party management (there are MANY of them nowadays), you should ensure that your vendor management policy specifically references those laws/regulations. As you write (or re-write) your policy, take the time to ensure that the policy addresses all regulatory/legal requirements.

2) Focus on governance (vs procedure) – When writing your policy, it can be tempting to include process-related language in order to define how certain vendor risk management practices are performed at your organization. As a best practice, policy language should be high-level and should simply identify the policy statements regarding your vendor management program. Your program will likely also have a set of procedural documents, where you can spell out all the details of how certain activities are to be carried out.

3) Update other related policies – Your vendor management policy might have various touch points to other corporate policies. For example, many organizations (who have a central procurement department) maintain a separate Procurement Policy. Your organization should also maintain an Information Security Policy. Both of these, and others, will reference vendor relationships. As you update your vendor management policy, make sure to also update other related policies to ensure alignment across all corporate policies.

4) Obtain the appropriate feedback and approval – Policy should not be written in a bubble. Make sure to run your vendor management policy by stakeholders who play a large part in the functioning of your vendor management program. Take the time to obtain and incorporate the appropriate level of feedback to ensure multiple viewpoints are addressed.

Vendor management isn’t just what we do – it’s ALL we do. We’ve helped organizations of all sizes write (or update) their vendor management policies. If you need help, feel free to reach out to us! We’d be happy to provide advice and help improve how your organization manages vendor risks.


As we slowly pull into what seems to be a post-COVID scare world, sourcing professionals would benefit from jotting down important procurement and sourcing lessons that were learned. The economic impact was vast. The unique times tested companies, departments, and individuals themselves. Many undoubtedly learned valuable lessons that may be of benefit to reference in the future. Scares like this will happen again, and we all should be better equipped in the future with our “practice run”.

Procurement has gained extensive ground and has officially been accepted as an absolute necessity relatively recently. We were “given a seat at the table”. Skeptical companies now know we in the purchasing and procurement field are a shield against scares like COVID-19. In the coming years, I believe sourcing and procurement departments will grow rapidly. Not only direct materials will be sourced and purchased smarter, but indirect spend will be added to the procurement umbrella, as well. With this growth, will come new challenges and opportunities. Learning from the difficulty of a scare shutting down the economy will benefit us greatly.

I have been taking some notes when challenges arose throughout the last few months. Here are some of the valuable insights I gained. Some were directly related to the procurement field. Some were just brilliant, fast thinking moves that suppliers made to find revenue streams with the cards they were just dealt.

1. Aggressively vet your suppliers and know who they get their supplies from.

Many companies were left empty-handed when the global supply chain was disrupted to such an extreme extent. Few planned for the disruption to be so large. Some organizations planned for blips in supply, but almost no company was fully prepared. It is our job as Procurement professionals to look to the future and plan for concerns that arise. No one expected a pandemic of this magnitude, but now we know what is possible. Confirm your supplier can weather the storm. Confirm their suppliers can weather the storm. Also, a supplier’s financial health and the financial health of their suppliers are important to understand. A large number of organizations went out of business within weeks of revenue shortages. If margins are that small, or their balance sheet is that unbalanced, issues should be expected.

2. Build strong relationships with your suppliers. Do not always contract with the cheapest pricing.

This is a common mistake I have seen with organizations and purchasing. The appeal of contracting strictly based on pricing seems smart at the time but can really backfire. The companies that built long-term, trust-driven partnerships were given a higher priority when suppliers were running low on products and services. Suppliers also were much more willing to rescue companies who were feeling the tightening of budgets. Mutually beneficial relationships turned out to be mutually beneficial for both parties. How ironic! As an Analyst at a consulting company, I saw this from both sides. The rough times allowed one customer to receive price cuts as the supplier greatly valued the relationship. However, on the other side I saw a supplier attempt a drastic price increase. Position yourself for the former and you will find pandemics to be much less stressful on your supply chain.

3. Leadership is everything.

Overall, the biggest lesson I learned is that leadership is the single most important factor in Procurement, or any other field for that matter. Some companies suffered while others had a workforce that remained concentrated and confident. Most took a hit financially, but great leaders stepped up and made the most of a difficult situation. I saw companies that completely shifted their focus and manufactured PPE using existing lines. This brought large amounts of revenue and kept their workforce active. This is quick thinking and shows that those in charge can act rationally under pressure. I saw companies shift a whole department to fulfill an influx of orders. The great part was the department was made up of office workers who typically were responsible for much different tasks. But they were glad to jump in, maintain their job, and help leaders who were helping them.

There were many good examples of leadership throughout this pandemic. However, I experienced a great one as a final example. I was a new employee when the Coronavirus fears began. We quickly closed our offices since we have the opportunity to be effective from home. Immediately, I was fearful because I was barely underway. I did not have a lot of time to prove my value. Luckily, I stumbled into a few projects that were important and I was moving forward. The worry that layoffs would happen was still in the back of my head. Multiple friends had already been laid off. Even though you expect an Executive to attempt to instill confidence in the workforce, it often is not the simplest thing to believe. I believed my executive team and immediate boss this time, though. I was three months in, and something was different. I could feel the honesty. I could feel that the decisions were being made with the team in mind. It was strong leadership and it was the difference maker to me. I was motivated and eager to prove myself to return the dedication to the company. It got me and the company through this frightening time.

What important lessons have you learned throughout the COVID-19 pandemic?

This blog was originally published on Partner Page.

Last month we went into detail about what “vendor due diligence” actually means. This month, we’ll review when (how often) you should be performing due diligence on your vendors.

When people think of vendor due diligence, the procurement process (or vendor down-selecting/finalizing) comes to mind. Yes, it’s important to perform due diligence at the start of a new vendor relationship, but it doesn’t stop there!

Vendor due diligence should be performed throughout the life of your vendor relationships. It’s the way in which you evaluate your vendor’s financial condition, operational soundness, security/privacy practices, compliance with applicable laws or regulations, and other information in order to spot red flags. Below we’ll break down two main phases of due diligence – initial and ongoing:

Initial Due Diligence
  • Before Vendor Selection: While often overlooked, performing some level of due diligence when you’re identifying prospective vendors (but have not yet selected one) can go a long way. Why would you want to go through the trouble of evaluating a vendor’s proposal if, let’s say, they were identified on a government watchlist? Essentially what you’re aiming to do here is spot “non-starters” right at the beginning – things that might prevent you from working with a vendor. Due diligence activities to consider include:
    • OFAC or other watchlist screening
    • Conflicts of interest evaluation
    • Insurance verification
    • Anything else your organization may consider a “non-starter”
  • Prior to Contracting: This stage in the process is what most people think of regarding vendor due diligence. You’ve identified a finalist (in a competitive situation), or you simply selected a prospective vendor you know you want to work with – Now you need to put them through your organization’s vendor due diligence process to spot potential risks. These could be risks that might prevent you from working with the vendor, or risks that could be managed or remediated. Identifying risks before signing a contract allows you to address those risks contractually (i.e. including additional provisions) and might even give you some leverage over your vendor to have certain risks remediated.

Ongoing Due Diligence
  • When scope changes occur: If you choose to utilize a vendor for additional services (let’s say they currently perform some consulting work for you, but now you’re thinking of outsourcing an entire business function to them), you need to reassess the vendor relationship. Just because you’ve performed a risk assessment and risk-based due diligence on your vendor for one scope of work, doesn’t mean those same assessments apply to any additional work.
  • On a Periodic (and Continuous) Basis: It’s critical that vendor risks don’t go unnoticed. Ongoing monitoring is a core component of the vendor management framework. Depending on a vendor’s criticality and inherent risk, your organization should establish a schedule for performing ongoing due diligence (i.e. Critical or high-risk vendors are reassessed annually, medium-risk vendors are reassessed every other year, etc.). Also, it’s important to note that point-in-time methods of due diligence, such as reviewing results of a vendor due diligence questionnaire, are not the only tools in your arsenal. Business intelligence technology can be utilized to perform real-time continuous monitoring of your vendor relationships, providing you with metrics and indicators on financial condition, corporate health, negative news, etc… You might choose to continuously monitor your critical vendors and other vendors who present a heightened level of risk to your organization.

Due diligence is not a one-and-done activity. But it doesn’t need to be overwhelming either. Make sure your staff understand their roles and responsibilities, ensure your policies/standards/procedures define the type (and frequency) of due diligence activities your organization performs, and utilize technology to help automate due diligence workflows and processes.

Procurement and subaward management under the Uniform Guidance just got a little tougher. On August 13, 2020, the Office of Management and Budget (OMB) released revisions to the Uniform Guidance, which included a number of changes to procurement and subrecipient management requirements.

Most of the revisions are effective November 12, 2020; however, §200.216 (prohibiting contracting for certain telecommunications equipment and services) was effective August 13, 2020 – the day the guidance was released.

Let’s take a look at what’s changed.

Changes Impacting Both Vendor and Subrecipient Management

  1. Prohibition on Certain Telecommunication and Video Surveillance Services or Equipment (§200.216)

OMB revised 2 CFR to align with section 889 of the National Defense Authorization Act (NDAA) for FY 2019.  This new provision prohibits all Federal award recipients from using government funds to enter into contracts (or extend or renew contracts) with entities that use covered telecommunications equipment or services.  This prohibition applies even if the contract is not intended to procure or obtain any equipment, system or service that uses covered telecommunications equipment or services.

As described in section 889 of the NDAA 2019, covered telecommunications equipment or services includes:

  • Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities).
  • For the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities).
  • Telecommunications or video surveillance services provided by such entities or using such equipment.
  • Telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of Investigation, reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.

  2. Never Contract with the Enemy (§200.183)

This new provision prohibits Federal award recipients from entering into contracts with enemies of the United States. In practice it is narrow: it applies only to grants and cooperative agreements that exceed $50,000 and are performed outside the United States (including U.S. territories), and it bars awards to a person or entity that is actively opposing United States or coalition forces involved in a contingency operation in which members of the Armed Forces are actively engaged in hostilities.

Changes Impacting Procurement Policies and Procedures

  1. New Categorization of Approved Procurement Methods (§200.320)

OMB did not make any changes to the five approved methods of procurement; instead, they grouped the methods into three general categories:

  1. Informal (micro-purchase, small purchase)
  2. Formal (sealed bids, proposals) and
  3. Non-Competitive (sole source)

No big change here.

  2. Increase in Standard Micro-Purchase Threshold to $10,000 (§200.320)

Language was updated to recognize the previously approved increase in the micro-purchase threshold from $3,500 to $10,000.  Micro-purchases can continue to be awarded without soliciting competitive price or rate quotations if the non-Federal entity considers the price to be reasonable.

However, clarifying language was added stating that reasonableness should be based on research, experience, purchase history or other information, and that the determination of reasonableness should be documented in files accordingly.  The guidance also noted that purchase cards can be used for micro-purchases if procedures are documented and approved by the non-Federal entity.

  3. Ability to Increase Micro-Purchase Threshold Beyond $10,000 (§200.320)

A new provision of interest is the ability for non-federal entities with low risk to establish a micro-purchase threshold even higher than $10,000.  You can go up to $50,000 by using a self-certification process; however, you must meet one of the following criteria:

  1. Qualify as a low-risk auditee for your most recent audit, or
  2. Perform an annual internal institutional risk assessment, or
  3. For public institutions, be consistent with state law.

Organizations who want to take an even more aggressive approach can request a micro-purchase threshold above $50,000; however, you must receive approval from your Cognizant Agency to do this.

  4. Increase in Simplified Acquisition Threshold to $250,000 (§200.320)

Language was also updated to recognize the increase of the SAT from $150,000 to $250,000.  Organizations are still responsible for determining an appropriate simplified acquisition threshold for themselves based on internal controls, an evaluation of risk and its documented procurement procedures.  So, if your risk appetite is lower, you can still use a lower threshold so long as it is not prohibited under State, local, or tribal laws or regulations.

  5. Update to Noncompetitive Procurements (§200.320)

There is now a fifth circumstance whereby organizations can sole source a procurement: micro-purchases.  While this logically makes sense, many organizations were confused about whether or not micro-purchases were a form of sole source.  So, OMB connected the dots to confirm that they are.

  6. Domestic Preferences for Procurement (§200.322)

In order to align with the Executive Order to Buy American and Hire American, a new provision was added to encourage Federal award recipients to have a preference for the purchase, acquisition, or use of goods, products, or materials produced in the United States (including but not limited to iron, aluminum, steel, cement, and other manufactured products). The requirements of this section must be included in all subawards including all contracts and purchase orders for work or products under this award.

It is somewhat unclear as to how far these requirements extend with regard to the types of goods and services that may apply; however, the following definitions were provided:

  1. “Produced in the United States” means, for iron and steel products, that all manufacturing processes, from the initial melting stage through the application of coatings, occurred in the United States.
  2. “Manufactured products” means items and construction materials composed in whole or in part of non-ferrous metals such as aluminum; plastics and polymer-based products such as polyvinyl chloride pipe; aggregates such as concrete; glass, including optical fiber; and lumber.

Changes Impacting Subrecipient Management

  1. Additional Data Element Required in Subaward Agreements (§200.332)

OMB now requires that all subaward agreements include the “Subaward Budget Period Start and End Date”.

  2. Negotiation of Subrecipient Indirect Cost Rates (§200.332)

OMB added clarifying language around approving indirect cost rates for subrecipients. Specifically, “if no approved rate exists, the pass-through entity must determine the appropriate rate in collaboration with the subrecipient, which is either:

  1. The negotiated indirect cost rate between the pass-through entity and the subrecipient; which can be based on a prior negotiated rate between a different PTE and the same subrecipient. If basing the rate on a previously negotiated rate, the pass-through entity is not required to collect information justifying this rate, but may elect to do so; or
  2. The de minimis indirect cost rate.

The pass-through entity must not require use of a de minimis indirect cost rate if the subrecipient has a Federally approved rate. Subrecipients can elect to use the cost allocation method to account for indirect costs in accordance with § 200.405(d).”

  3. Responsibility for Resolving Audit Findings (§200.332)

Finally, the updated guidance clarified that a pass-through entity is responsible only for resolving audit findings specifically related to the subaward, and not for resolving cross-cutting findings. This is a key clarification, allowing pass-through entities to focus on a much smaller subset of the potential findings in subrecipient audit reports.

Closing Thoughts

One of the big drivers of all these changes is risk management.  In an effort to maximize the value provided by grant funding, the Federal government is developing a risk-based, data-driven framework that balances compliance requirements with a focus on performance.  In other words, be compliant but focus on those areas of the highest risk.

In order to comply with all of these updates, you will need to update your procurement and subrecipient management policies, procedures, risk assessment forms and contracting templates.  It’s also a good opportunity to take a step back and look at your own risk appetite as it comes to procurement and subaward management, and to refine your approach to be more risk-based as well.

If you need help with this process, our team of specialists can get you fast, cost effective support when you need it.  You can contact me directly at trogers@vendorcentric.com.

 

Fourth-party risk management is a hot topic these days. Regulators have stepped up their expectations for the identification and oversight of fourth parties, with an emphasis on those that are in your supply chain and are responsible for supporting critical operations and business functions within your organization.
In this post I’ll break down some of the key components of a fourth-party risk management function and give you some practical ways to both identify and manage your fourth parties.

Who Are 4th Parties?

Simply put, they are the downstream ‘vendors of your vendors’.

Your own vendors enlist the help of subcontractors, suppliers, software providers and other organizations to run their own business.  In most cases, the work that these ‘fourth parties’ do is of little risk to you.  However, things start to get interesting when those fourth parties play a vital role in the services that your third-party vendor provides to you. Here’s an example to illustrate:

  • You hire Vendor A to handle all of your back-office accounting.  In essence, you’ve outsourced your entire accounting function to them.
  • In order to provide those services to you, Vendor A relies on:
    • Two subcontractors (not employees) to handle certain parts of your day-to-day accounting
    • A software company that supplies the cloud-based accounting system they (and you) will be using.
    • An online bill payment company that is going to connect to your accounting system and process all of your electronic (ACH, wire and virtual card) and check payments.

So while your contract is with Vendor A, you are also relying on the performance of two subcontractors, a software company and payment processing company to ensure that your accounting function is performed and that your confidential information is being protected.

That’s a lot of risk tied up into one relationship.  But not every fourth party is created equal.

Which fourth parties should you really care about?

At the end of the day, it’s all about risk.

Trying to track down all of your fourth (and fifth and sixth) parties is overwhelming. Frankly, it’s hard enough maintaining an effective program for your third parties. Adding fourth parties to the mix can take it to a whole new level unless you take a thoughtful, risk-based approach.

Since most organizations have either a very young vendor management program, or one that may be mature but likely under-resourced, I recommend focusing efforts in two places.

  1. You need to always identify the key fourth parties of your mission-critical vendors. If these fourth parties go down, so do important parts of your operations. That can’t happen, so having clarity about who these fourth parties are is highly important.
  2. Second (and only after you’ve done #1 above), do a broader scan of your vendor portfolio to tease out any fourth parties that are common to multiple vendors.  Amazon Web Services is a good example as many software companies host their applications on AWS.  The concern here is not that a fourth-party failure would impact a critical area of operations, but rather the accumulation of small impacts across multiple business units may add up to something that becomes more than just a headache.

Since you don’t have a direct relationship with a fourth party, the best way to identify them is to have a solid process for surfacing them during procurement and due diligence. Transparency is critical; you want your vendors to readily share this information rather than hide it. Reluctance to disclose subcontractors is a giant red flag and could create a lot of risk exposure for you.

Start the conversation early. If you go through a competitive bidding process, ask about fourth parties in your request for proposal (RFP). And of course, after you down-select to a finalist, you should have an entire set of due diligence questions around fourth parties. In addition to identifying the fourth parties your vendor will be using, some important questions you should be asking about each fourth party include:

  • Do you have a current contract with them?
  • Will they perform any part of their services offshore?
  • Will they have access to (your) data?
  • Will they be interacting directly with any (of your) clients, customers, members or employees?
  • In the last 12 months, what type of due diligence have you performed on them?  Were there any significant findings and, if so, what were they and how were they remediated?

These are just some of the questions you can consider asking. But the idea here is to get as much information as you feel you need to understand which fourth parties they are using, what they’ll be doing, what risks are present and how they are being managed.

Monitoring Fourth Party Risk

So now that you know who they are, what are you supposed to do?

In reality, fourth-party risk management is more challenging than managing risk with your third parties, mainly because you don’t have a direct contractual relationship. So the core of your monitoring is going to come from two places: your vendors and external monitoring solutions.

The focus with your vendors should be in understanding how they, themselves, are monitoring your fourth parties.  This includes direct monitoring (i.e. what are they doing to monitor the fourth parties specific to you), and general vendor management (i.e. do they have their own vendor management program and how effective is it).  You can get at these questions through periodic performance reviews as well as through your annual risk and due diligence reassessments.

Another important (and very cost effective way) to monitor fourth parties is to leverage data intelligence and monitoring solutions like Argos Risk (business health) or Bitsight (information security).  These tools provide you great visibility into fourth parties on an ongoing basis, providing data that you can’t or won’t get directly from your vendors.

Putting It All Together

An effective fourth-party risk management function isn’t a stand-alone program; rather, it is a critical component of your vendor management program. Your vendor management policy should identify fourth-party risk as a category of risk to manage, and your standard operating procedures should bake fourth-party assessments and monitoring into your standard process.

And remember: your approach should always be risk-based. Start with your riskiest fourth parties (generally those who support your critical vendors), and mature your activities from there. There will always be room for improvement.

Need Help with Fourth-Party Risk Management?

Our specialists can help you establish a practical, effective fourth party risk function.  Contact us for a free consultation to explore how we can help.

When reviewing your vendor’s information security policy, there are many factors that need to be reviewed and understood. This can seem like a daunting task, but there are key items I look for in any security program.
When evaluating, I first look to see if the organization has an external certification, attestation or authorization, as this can save you lots of time evaluating the seven items below. Most of these, such as SOC 2 (an auditor’s attestation report rather than a certification), ISO 27001, FISMA or CMMC, review these controls and make a determination on them so you do not have to. When relying on one, make sure you understand its scope (which systems, services and locations are covered), whether it is currently valid and what period it covers, whether it covers the organization itself and not just the data centers or hosting providers it relies on, and any exceptions or findings the report notes.

If the organization does not have external certifications, this is not necessarily a bad thing. It just means you need to understand what controls they have in place and how they are implemented. Controls can be administrative (policies and procedures), technical (firewalls, encryption, network segmentation, etc.) or physical (swipe cards, cameras, etc.). When evaluating vendors, I focus on the seven below.

  1. Formalized policies and procedures – Without a documented and communicated set of rules, the organization will not have a cohesive security program. A shared understanding, from top to bottom, of what is expected and how processes should be carried out is critical for a security program to run smoothly. An acceptable use policy and a change management process are among the key documented processes that should exist in any program.
  2. Access control and review – How users are granted access to a system is a key administrative and technical control for any system. The things I am most concerned with are how privileged users (those with elevated system rights) are granted access, how often their access is reviewed and how they are offboarded.
  3. Third-party management – If the organization uses third parties for a large portion of the work, are those vendors required to have the same security controls in place as the prime? Understanding the security roles of all parties across the supply chain is important.
  4. Security around the offering – Depending on what the vendor is offering, you need to understand how they protect that offering. If they provide a SaaS solution or software product, their secure software development lifecycle (S-SDLC) should be an area of focus. If they are a hosting provider, understanding how they handle secure provisioning of systems or platforms is important. How and where encryption is used (in transit and at rest, and who holds the keys) is another aspect of securing the offering.
  5. Vulnerability management – Any product or service from a vendor has potential vulnerabilities. Software, platforms and other dynamic systems are constantly changing and need a defined method for identifying, prioritizing and mitigating vulnerabilities, including expected patch timelines.
  6. Anomaly processing – This is a broad category and includes log management, incident handling and business continuity. Each of these could be a separate category, but understanding how your vendor deals with them (including how and when they will notify you of an incident) will provide insight into how well they can respond when the unexpected happens.
  7. Awareness and training – I am a major proponent of training. No matter how well written your policies are or how strong your technical controls are, if the end user does not understand the purpose of those policies or how the controls work, they become ineffective. Statistics on malware, including ransomware, entering systems through users downloading files or clicking on bad links are often cited at upwards of 80%. Regular and effective training needs to be a part of any security program.

These areas are not an exhaustive list, but they represent the foundation of a good security program. When I evaluate a security program, I look at these first. They provide a level of confidence in the vendor’s overall security program; if these items do not look good to you, the other aspects of the program will most likely follow suit. Understanding your vendor’s security posture and how it impacts your organization is key to your overall security program.

If there is one thing the pandemic of 2020 has taught us, it is to expect the unexpected, and effective risk mitigation tactics are what is needed to successfully navigate your way through a crisis. In an ironic way, third-party risk management is very much the same. If your organization takes an ad hoc approach to managing your third-party vendors and suppliers, it is likely that unforeseen risks will create a negative impact on your company.

It only makes sense that you adopt a best-practice approach to third-party risk management and central to this approach is to follow a proven framework, a lifecycle approach to managing these relationships with total confidence.

The Merriam-Webster Dictionary defines a framework as “a basic conceptional structure (as of ideas)” and references the “framework of the U.S. Constitution” as an example. At Vendor Centric, we architected our Vendor Management Framework as the “North Star” of our approach to helping our clients create third-party risk management (vendor management) programs.


To effectively manage your third parties, it is essential that your framework ensures you have controls and key activities at every stage of the relationship including:

• Procurement
• Risk & Due Diligence
• Contracting
• Onboarding
• Contract & Risk Management
• Offboarding

Below are more details on each of these important stages.

Procurement

This is where the process begins and the most important thing you can do is to ensure you select the right vendor and solution for each unique set of business requirements needed to meet your operating mission.

Risk & Due Diligence

Before you enter into a contractual agreement with a selected vendor, it is vital to evaluate and mitigate potential risks. This is often a stage that is overlooked, as speed-to-market concerns tend to dictate executing contracts quickly to meet the demands of the business.

Contracting

Having legal and risk management professionals involved with business owners from contract authoring through execution will ensure you have all of the necessary clauses required to effectively balance the risk and detail the responsibilities under the agreement between your company and your third party.

Onboarding

This is a very critical stage in establishing the operational relationship with your new third-party vendor(s). Here you create the foundation for how you will manage the overall relationship and begin your third-party risk management journey. Engaging stakeholders and communicating the operational and oversight activities required will help you consistently mitigate risks and ensure compliance while optimizing the vendor’s performance in serving your company.

Contract & Risk Management

One thing many organizations overlook is that doing a great job in contracting doesn’t end when all of the signatures are captured on the agreement. A best practice is to support your third-party risk management program with a vendor management system that has contract lifecycle management functionality built in, or with a standalone contract management system. This will ensure you have ready access to the metadata and important clauses within your contracts so you can proactively manage to the agreed-upon service levels and budget.

It will also enable all of your ongoing risk mitigation activities. Another best practice is to include ongoing monitoring tools in your program. Risk is a 24/7, 365-day activity, and point-in-time due diligence is no longer sufficient for effective third-party risk management in 2020 and beyond.

Offboarding

This is an often ignored but critical stage in your third-party risk management framework. With the heightened importance of protecting data and confidential information about your customers and your company’s internal operations, offboarding has to be integrated into your contracts and operational activities.

You should detail your offboarding requirements into your contract and have formal procedures for how you will follow the contracted requirements to ensure offboarding is executed each and every time.

Final Thoughts

In the end, following a third-party risk management framework will help your company bring confidence to your customers, employees, executives, board members and investors that you take seriously the responsibility to serve their needs and protect their interests. Companies that follow a third-party risk management framework tend to be successful because they are not only talking the talk but also walking the walk.

Having a framework backed with a policy and formal procedures is like going on a long road trip with an itinerary detailing all of the activities you will do on the trip and a GPS to ensure you can get where you are going in the most efficient way possible. With technology today, you can be alerted to roadblocks and delays along the way much like risk monitoring tools can alert you to new risks and threats occurring with your third-parties.

As you begin your third-party risk management journey or need help assessing your existing third-party management process, here are the third-party risk & due diligence services we provide. We are here to help!!

If you’re in the market for a used car, there are likely some key steps you’ll take before you agree to make a purchase (e.g. go on a test drive, review the CARFAX report, have an independent mechanic inspect the car). If you’re in the market for a home, the same applies: you’ll go on a detailed walk-through, get it appraised, perform a home inspection, etc. The same should be true for entering into a new vendor relationship. You want to perform the appropriate vendor due diligence to reach a level of comfort that the vendor can be trusted.

Simply put, vendor due diligence is the way in which organizations vet their vendors to spot potential red flags, both before entering into a contractual relationship as well as throughout the course of that relationship.

Here are the core components of what it means to perform vendor due diligence:
1. Identify Inherent Risks

You can’t talk about due diligence without also referencing inherent risk. Your vendors provide all kinds of products and services to you, with each vendor relationship carrying its own level of risk. For example, some of your vendors will have access to your corporate network while others won’t; some will collect your customers’ NPI (non-public information) while others won’t. Knowing which categories of risk your vendor may expose you to (e.g. operational, reputational, financial, information security) will dictate what type of due diligence needs to be performed.

Helpful Tip – Use a standard method/tool to identify inherent vendor risks. This will allow you to consistently classify inherent risk from vendor to vendor. Here are 8 best practices for performing inherent risk assessments.

2. Collect Information

Before you send that 300-question due diligence questionnaire to your vendor, take a moment to figure out if all of those questions actually apply to the vendor relationship you are assessing. Chances are, you may be asking your vendor questions that don’t need to be asked, contributing to vendor fatigue and adding to the length of time it takes to complete the due diligence process.

Going back to #1 above, the inherent risk assessment process should have highlighted which categories of risk your vendor may expose you to. Knowing this will allow you to “scope” your due diligence questionnaire so that you only ask your vendor to provide the relevant documentation and answer applicable questions.

Helpful Tip – Scoping could mean that your organization maintains several due diligence questionnaires (DDQs) that cover specific topics (e.g. an Information Security DDQ or a Business Continuity DDQ), sending only the relevant questionnaires when they apply. Or, scoping could mean the incorporation of technology, such as a vendor management system, which can automatically ask your vendor the applicable questions based on their inherent risk rating.

Also know that the “question and answer” format (i.e. due diligence questionnaire) is not the only way to collect information about your vendors during the vendor due diligence process. While the self-reported information obtained through the use of a DDQ is helpful, you should also utilize third-party intelligence tools that search for negative news, ascertain financial and corporate health, or verify that vendors are not on any sanctions lists (such as OFAC).

3. Evaluate the Impact of Potential Risks

Obtaining information and documents from your vendors during the due diligence process is only half the battle. Next, you need to see what the information/documents are saying! Vendor due diligence should not be a check-the-box exercise. In order to ensure that risks are adequately being assessed, the right people with the appropriate expertise need to be involved in the review process – “trust but verify.”

This is where your organization utilizes its subject matter experts (SMEs) to make educated decisions about risk. Perhaps the vendor’s responses to IT and data security due diligence questions are always sent to your information security team for review, or the vendor’s financial statements are always sent to someone with a background in reviewing balance sheets and cash flow statements.

Since the vendor due diligence review process can often be time-consuming, some organizations even choose to hire a third-party to perform outsourced due diligence review services.

4. Determine How to Proceed

You’ve gone through the due diligence process and have learned that the new vendor you are evaluating does not encrypt data at rest. Due to the type of confidential information your organization will be providing the vendor during the course of the business relationship, this is a risk that can’t be ignored. What do you do?

Questions like this will come up all the time during the vendor due diligence process, so it’s a good idea to have a standard approach for responding to identified risks. When you need to determine the best way to proceed, take the following into consideration:

  • Remediate – The risk has been identified, but it can be removed through proper remediation. For example, if your vendor does not provide security awareness training to its employees, your remediation plan may state that the relationship will proceed on the condition that the vendor implements security awareness training for its employees within three months, and that you will verify it did.
  • Mitigate with controls – The risk exists, but it is managed through appropriate controls. For example, a vendor’s infrastructure might not allow them to securely store your data, so you may establish internal controls (access privileges, data provisioning) limiting the type of data the vendor has access to.
  • Accept the risk – The risk may be within your organization’s risk appetite, and you may choose to accept it, but ensure proper ongoing monitoring is performed.
  • Find an alternate vendor – The risk may outweigh the benefit of working with a particular vendor, and you may choose to simply pursue an alternate vendor.

5. Continue Monitoring

Oftentimes when people think of “vendor due diligence,” the procurement process (or vendor down-selecting/finalizing) comes to mind. Yes, it’s important to perform due diligence at the start of a new vendor relationship, but it doesn’t stop there.

Performing point-in-time due diligence – such as reviewing answers to a due diligence questionnaire – is necessary, but risks are constantly evolving. Your relationship with vendors (and the level of risk they expose you to) can change over time as well. It’s important to perform some level of ongoing monitoring, the frequency of which is often dictated by the vendor’s level of inherent risk and criticality to your organization, to stay in front of risks before they impact you.

For example, a few months after you evaluated a vendor’s due diligence questionnaire, your third-party intelligence tool alerts you that the same vendor is marching towards insolvency. Without proper ongoing monitoring, you would have been left in the dark.
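The flow described in steps 1, 2 and 5 above (classify inherent risk with a standard method, scope the questionnaires to the categories that apply, and set the reassessment cadence from the rating) as an added Python example. This is not the page’s or Vendor Centric’s own tool: the vendor attributes, category weights, tier cut-offs, questionnaire names, reassessment intervals and the sample vendors are all assumptions chosen to illustrate the method, not a standard.

```python
"""Inherent-risk tiering that scopes vendor due diligence.

Added example, not the page's own tool: attributes, weights, tier cut-offs,
questionnaire names and reassessment intervals are assumed for illustration.
"""
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VendorProfile:
    name: str
    network_access: bool       # holds credentials on, or connects to, our network
    handles_npi: bool          # collects or stores our customers' non-public information
    critical_operation: bool   # supports a function we cannot operate without
    customer_facing: bool      # deals directly with our customers, members or employees
    offshore_services: bool    # performs any part of the service offshore
    annual_spend: float        # USD, used only for financial exposure


# Risk categories each attribute exposes us to, with assumed weights.
EXPOSURES = {
    "network_access":     {"information_security": 3},
    "handles_npi":        {"information_security": 3, "compliance": 2, "reputational": 2},
    "critical_operation": {"operational": 3, "financial": 2},
    "customer_facing":    {"reputational": 2, "operational": 1},
    "offshore_services":  {"compliance": 2, "operational": 1},
}
LARGE_SPEND_USD = 1_000_000  # assumed cut-off above which financial health matters more

# One scoped questionnaire per risk category; "Baseline DDQ" always goes out.
DDQ_FOR_CATEGORY = {
    "information_security": "Information Security DDQ",
    "operational":          "Business Continuity DDQ",
    "financial":            "Financial Health Review",
    "compliance":           "Regulatory & Sanctions DDQ",
    "reputational":         "Adverse Media Screen",
}
DDQ_THRESHOLD = 2  # send a category's DDQ only when its exposure reaches this score

# Tier cut-offs on the total score (descending), and how often each tier is reassessed.
TIER_CUTOFFS = [("Critical", 12), ("High", 7), ("Medium", 3), ("Low", 0)]
REASSESS_MONTHS = {"Low": 36, "Medium": 24, "High": 12, "Critical": 6}


def category_scores(vendor: VendorProfile) -> dict:
    """Sum the exposure weights of every attribute the vendor has."""
    scores = {category: 0 for category in DDQ_FOR_CATEGORY}
    for attribute, exposure in EXPOSURES.items():
        if getattr(vendor, attribute):
            for category, weight in exposure.items():
                scores[category] += weight
    if vendor.annual_spend >= LARGE_SPEND_USD:
        scores["financial"] += 2
    return scores


def inherent_tier(vendor: VendorProfile) -> str:
    """Tier from the total score; supporting a critical operation forces at least High."""
    total = sum(category_scores(vendor).values())
    tier = next(name for name, cutoff in TIER_CUTOFFS if total >= cutoff)
    if vendor.critical_operation and tier in ("Low", "Medium"):
        tier = "High"
    return tier


def scope_due_diligence(vendor: VendorProfile) -> dict:
    """Decide which questionnaires to send and how often to reassess."""
    scores = category_scores(vendor)
    tier = inherent_tier(vendor)
    questionnaires = ["Baseline DDQ"] + [
        ddq for category, ddq in DDQ_FOR_CATEGORY.items()
        if scores[category] >= DDQ_THRESHOLD
    ]
    return {
        "vendor": vendor.name,
        "tier": tier,
        "scores": scores,
        "questionnaires": questionnaires,
        "reassess_months": REASSESS_MONTHS[tier],
    }


def reassessment_due(last_reviewed: date, tier: str) -> date:
    """Next point-in-time reassessment date, clamped to the target month's length."""
    months_ahead = last_reviewed.month - 1 + REASSESS_MONTHS[tier]
    year = last_reviewed.year + months_ahead // 12
    month = months_ahead % 12 + 1
    day = min(last_reviewed.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


# Constructed sample portfolio (fictional vendors) and a sample review date.
ACCOUNTING = VendorProfile("Back-Office Accounting Co", True, True, True, False, False, 400_000)
MARKETING = VendorProfile("Offshore Marketing Agency", False, False, False, True, True, 150_000)
CARRIER = VendorProfile("Telecom Carrier", False, False, True, False, False, 300_000)
CATERER = VendorProfile("Local Caterer", False, False, False, False, False, 5_000)
SAMPLE_REVIEW_DATE = date(2020, 8, 13)

if __name__ == "__main__":
    for vendor in (ACCOUNTING, MARKETING, CARRIER, CATERER):
        result = scope_due_diligence(vendor)
        due = reassessment_due(SAMPLE_REVIEW_DATE, result["tier"])
        print(f'{result["vendor"]}: {result["tier"]}, next review {due}')
        print("   send:", ", ".join(result["questionnaires"]))
```

Running it shows the outsourced accounting vendor (network access, customer NPI and a critical function) tiered Critical and sent every scoped questionnaire on a six-month cycle, the caterer sent only the baseline questionnaire every three years, and the carrier pulled up to High by the criticality override even though its raw score is only Medium. The weights and cut-offs are the part your organization should calibrate; the point is that the same profile always yields the same rating, questionnaire set and cadence, which is what makes the assessment consistent from vendor to vendor.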

Vendor due diligence can be a daunting task, but that shouldn’t stop you from performing it! If you need someone to review your due diligence process to identify areas of improvement, take over some of the due diligence tasks for you, or even just be a sounding board to ask questions about the due diligence process, Vendor Centric is here to help.

On June 1, 2020, the DOJ published an updated version of its guidance on the Evaluation of Corporate Compliance Programs, and enhanced third party management was a topic of focus. The updated guidance was meant to “reflect additions based on our own experience and important feedback from the business and compliance communities.” The June 2020 update builds on themes highlighted in its previous update (April 2019) while remaining focused on three fundamental questions that provide structure to the analysis:
  • “Is the corporation’s compliance program well designed?”
  • “Is the program being applied earnestly and in good faith?” In other words, is the program adequately resourced and empowered to function effectively?
  • “Does the corporation’s compliance program work in practice?”

While the revisions created by the June 2020 update are not extensive, they do reflect the DOJ’s continued emphasis on adopting a practical and dynamic approach to evaluating the effectiveness of a company’s compliance program – an integral component of which is the management of vendors and other third parties.

While the guidance continues to emphasize that “A well-designed compliance program should apply risk-based due diligence to its third-party relationships,” there were several updates that either directly or indirectly impacted third party management.
Here are my Top 5 updates that have a high relevance to third party management programs, along with my recommendations on what areas to assess to identify potential gaps and close them when they exist.

1. Document Vendor Justification
The guidance added new language directing prosecutors to “assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners.” The requirement for companies to know the business rationale for needing the third party is new to the guidance.

A simple way to address this is to incorporate a “business justification” step in your planning and procurement process, allowing you to document your rationale. While this may not be practical for every type of vendor (e.g. the local caterer), it’s a must-have for at least your critical and high-risk third-party relationships.

2. Address Risks Throughout the Vendor Management Lifecycle
Language was added to the guidance asking prosecutors to evaluate “Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?” This appears to get at the problem of poor third-party risk monitoring, which is rampant in many third-party management programs.

Review your vendor management program to ensure it encompasses management and oversight of vendor risks through all stages of the lifecycle. This includes planning, procurement, risk assessments, due diligence, contracting, onboarding, monitoring and finally termination.

3. Resource the Compliance Program to be Effective
The updated guidance revised the second overarching question from “Is the program being implemented effectively?” to asking instead whether the program is “adequately resourced and empowered to function effectively.” This change suggests that the DOJ is concerned that compliance functions are not being given adequate resources, and that compliance officers are not sufficiently empowered within their organizations.

Vendor risk management and compliance programs are notorious for being under-resourced. Unfortunately, a lack of resources won’t be an acceptable reason for non-compliance under a DOJ review. To ensure your resources are adequate, you should start by identifying all of the stakeholders involved in vendor management and ensuring you have established clear roles for all of them. RACI charts are a great tool to use in this process. From there, you can determine if you have any resource gaps and, if so, create a plan to fill them through additional staff, outsourcing or some combination of both.

4. Continuously Mature and Refine Activities
The guidance states that, once a program is established, it must be periodically updated and refined or there is the risk that prosecutors will deem it a “paper” program.

Your vendor management program should include an ongoing review and update of the program to keep it fresh and continually evolve the effectiveness of policies and procedures. These updates to existing policies and procedures should be made in accordance with the company’s periodic risk assessments, and should be based on lessons learned. A best practice is to create a maturity roadmap for your program to continually refine and strengthen your vendor risk management practices, and to drive more value from your vendor relationships too.

5. Establish Adequate Systems and Reporting
There is a new sub-section in the guidance that queries whether compliance and control personnel have access to data “to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?” It also asks whether “any impediments exist that limit access to relevant sources of data,” and if so, “what is the company doing to address the impediments?”

This reinforces the need for a central vendor management system that is used as the single source of truth for data on vendors and other types of third parties. Data on vendor justification, risk assessments, due diligence, contracting and monitoring activities should all be captured in one system to allow for proper reporting and the effective testing of compliance with policies, controls and transactions.

With its latest update, DOJ continues to raise the bar on what it expects from companies’ compliance programs. The DOJ’s Brian Benczkowski said the revised version of the guidance “reflects additions based on our own experience and important feedback from the business and compliance communities.”

A key portion of those additions is more focus on third-party risk, and how the compliance program identifies and deals with it. Now is a great time to take a step back to look at your own vendor management program and identify any compliance gaps you may need to fill.

If you need a hand in assessing your current vendor management program, Vendor Centric can help. Contact me at trogers@vendorcentric.com to schedule a free consultation.

A very critical component of effective vendor management is to ensure you have a full Contract Lifecycle Management Process. The challenges companies face in managing the risks associated with working with their vendors and other third parties make it absolutely necessary that organizations embrace effective Contract Lifecycle Management.

So, what are the goals of Contract Lifecycle Management?  Before we visit this, let’s define Contract Lifecycle Management.  CLM is the management of an organization’s contracts from initiation, to authoring, negotiation through execution and then ongoing performance & compliance management to contract renewals or expiration.  As you can see, this is a lengthy process with many moving parts, so without an effective and disciplined approach in place it is easy for risk factors to go unchecked and problems to arise.  Below is an image representing CLM from our partners at Gatekeeper.

The goals of Contract Lifecycle Management are to ensure you address the following:

  • Speed to Market
  • Internal Controls
  • Risk Mitigation
  • Performance and Compliance Management
  • Continuity Planning

Below are more details on each of these important goals.

Speed to Market

Most companies exist in a very competitive and challenging domestic and global marketplace.  Being able to support innovation and deliver on your mission in a timely manner is essential to your continued success.  One of the most effective ways to ensure your speed to market is aligned to operate efficiently is to put in place contract authoring, negotiation and execution processes that remove barriers to getting new business relationships with vendors in place quickly.

Internal Controls

To ensure your contracts reflect your organization’s best interest, mitigate risk and ensure regulatory compliance, you need to have CLM processes that include all relevant internal stakeholders, with the reviews and controls in place to ensure the appropriate subject matter experts are involved at each stage of CLM.  From due diligence, to business terms, to legal consultation, having these important CLM controls in place leads to effective contracting, risk mitigation and ongoing performance management.

Risk Mitigation

To ensure you mitigate and balance the risk in your contracted relationships, having an optimized CLM process is an important place to start.  Having legal and risk management professionals involved with business owners from pre-contract due diligence to contract authoring and execution ensures you will have all of the necessary clauses required to clearly detail your and the other parties’ responsibilities under the agreement.  Risk management spans the entire relationship with a vendor, and effective CLM is one of the primary tools you have to mitigate risk.

Performance and Compliance Management

One of the primary benefits of effective contract lifecycle management is having service level agreements detailing the required performance and delivery of service in the contract.  Ensuring these clauses and supporting language are in place will go a long way to managing effective and productive relationships with vendors.

Additionally, you can address regulatory compliance requirements within your contracts and ensure the work you and your vendors are doing meets the compliance standards you are required to operate within.

Continuity Planning

An effective CLM process will support continuity planning with your vendors.  Having the right balance of renewal and termination language built into your contracts provides your organization the mechanism and flexibility needed to hold your vendors accountable while enabling you to renew or exit relationships based on the current market forces you encounter.

As an example, the extreme circumstances created by our current pandemic have forced organizations to review their existing contracts to see what their options are to deal with service disruptions and failures occurring with their vendors.  How many of us had heard of force majeure before COVID-19?

A force majeure clause is a contractual provision which excuses one or both parties’ performance obligations when circumstances arise which are beyond the parties’ control and make performance of the contract impractical or impossible.  This is just one of the many important things effective contracting can do for your organization.

To wrap this up, the goals of Contract Lifecycle Management align very much with many operational best practices organizations need to employ.  Effective CLM is an imperative function for any organization committed to excellence and success.

As you begin your contract lifecycle management journey or need help assessing your existing contracting process, here are the contract management services we provide. We are here to help!

Earlier this year, I wrote about the core foundational elements you need to incorporate into your vendor management program. This time, we’ll dive a bit deeper into one of those elements – the third-party risk management system. Just like there are certain foundational elements of a successful vendor management program, the system you use to manage your program must also contain certain key features.

As a recap, the six foundational elements of a vendor management program are:

  1. Governance & Oversight – Provides vision, direction and accountability for the vendor management function.
  2. People, Skills and Training – Ensures the right level of vendor management resources, subject matter expertise and stakeholder knowledge.
  3. Third-Party Profiles – Organizes data and documents so you have clear profiles of your third-party relationships.
  4. Policies & Standards – Establishes the scope and guidelines for the program, and defines key roles & responsibilities.
  5. Operating Procedures – Defines the day-to-day activities stakeholders will undertake to execute the program.
  6. Systems – Centralizes information, facilitates workflow, provides reporting and ensures an audit trail of activities.
Now, let’s dive into the 7 essential elements of third-party risk management systems.
  1. Vendor Inventory and Profiles – Your third-party risk management system isn’t only used to facilitate risk-based activities – it should also serve as the system that houses your organization’s complete vendor inventory (and profiles for each of those vendors). A vendor profile should contain more than just a name. Here are some key components of a complete vendor profile:
  • The vendor’s full legal name, and alternate/DBA names, their primary address and key contacts
  • Documentation that should be kept on-file with the vendor, such as SOC reports or insurance certificates
  • A list of contracts your organization has entered into with the vendor, including whether or not the contract is active or inactive
  • A list of issues related to the vendor, including performance issues or issues uncovered during due diligence or ongoing monitoring
  • Information about how much your organization spends with the vendor. This could be at a contract-level, or simply at the vendor level
  2. Automation of Risk-Based Classification – There should be a workflow-based process for assessing new vendors (or existing vendors when a change in scope occurs), and scoring logic to calculate an inherent risk level, therefore helping you determine what level of risk-based due diligence to perform on your vendors. Your system should also allow for approvals of risk assessments should certain internal stakeholders need to review assessments.
  3. Vendor Engagement – It should be easy for your vendors to provide you information and documentation. It should also be easy for you to know what to ask for. Your system should be able to handle the facilitation of risk-based due diligence assessments based on the vendor’s inherent risk level, and should have logic built in to allow for proper scoping. For example, if your vendor will not have access to any of your organization’s non-public information (NPI), there is no need to send them due diligence questions related to how they store, access or process your information.
  4. Employee Engagement – When your internal staff need to request a new vendor, or a change in scope to an existing vendor, the third-party risk management system should be the place requests are made. Staff should have access to an employee-only portal that allows for submission of requests, and for the appropriate workflows to be triggered (e.g. the Vendor Management Office may review new requests and launch the necessary assessments).
  5. Continuous Monitoring – Initial, point-in-time due diligence is not enough these days. Your system should be able to facilitate your organization’s ongoing monitoring approach to managing your vendor relationships. This could mean workflows around the launch, collection and review of vendor performance reviews (completed by your staff at some frequency based on the vendor’s risk level). It could also mean integrating with other third-party intelligence tools (such as our partner Argos Risk) to incorporate real-time monitoring of your vendor relationships.
  6. System Integration – Along with being able to communicate with third-party intelligence tools as mentioned above, your system should also be able to seamlessly integrate with other operational tools used by your organization, and pull in (or send) relevant information to/from each. For example, you may want to integrate your third-party risk management system with your AP system to pull in spend data. You might want to connect your system to your organization’s GRC (governance, risk and compliance) system to push vendor-related issues into your organization’s risk register.
  7. Reporting – Your system should make it easy to report on vendor management activities, allowing for the easy collection of data used in reporting to senior management, committees or your board. It should also allow for ad hoc reporting in case staff need to obtain information specific to their needs (for example, a list of active vendors in their department). There should also be role-based dashboards that make it easy for each user to see only the most relevant information.
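To make the risk-based classification and scoping elements above concrete, here is an added illustration (not Vendor Centric’s code, nor any product’s): a hypothetical intake record is scored into an inherent risk tier, the tier sets the review frequency (as the ongoing-monitoring guidance above suggests), and the due diligence questionnaire is scoped so that, for example, a vendor with no NPI access is never sent the NPI data-handling section. The weights, thresholds, section names and frequencies are all constructed for the example.

```python
"""Risk-based vendor classification and due diligence scoping.

Hypothetical, constructed example: the risk drivers, weights, tier
thresholds, questionnaire sections and review frequencies are
illustrative, not taken from any real program or product.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List


@dataclass(frozen=True)
class VendorIntake:
    """Answers captured by the new-vendor / change-in-scope request workflow."""
    name: str
    npi_access: bool          # vendor stores, accesses or processes our NPI
    network_access: bool      # vendor connects into our corporate network
    critical_service: bool    # vendor supports a core business process
    annual_spend_usd: float
    remote_workforce_pct: int  # share of the vendor's staff working remotely, 0-100


# Questionnaire sections and the scoping rule that makes each one relevant.
# Dict order is the order the sections are issued in (constructed rules).
SECTIONS: Dict[str, Callable[[VendorIntake], bool]] = {
    "corporate_profile": lambda v: True,
    "financial_viability": lambda v: v.critical_service or v.annual_spend_usd >= 100_000,
    "information_security": lambda v: v.npi_access or v.network_access,
    "data_handling_npi": lambda v: v.npi_access,
    "remote_work_controls": lambda v: v.remote_workforce_pct > 0
    and (v.npi_access or v.network_access),
    "business_continuity": lambda v: v.critical_service,
}

# Months between scheduled reviews, driven by inherent risk tier (constructed).
TIER_REVIEW_MONTHS = {"low": 24, "moderate": 12, "high": 6, "critical": 3}


def inherent_risk_score(v: VendorIntake) -> int:
    """Weighted 0-100 inherent risk score from the intake answers (constructed weights)."""
    score = 0
    if v.npi_access:
        score += 35
    if v.network_access:
        score += 20
    if v.critical_service:
        score += 25
    if v.annual_spend_usd >= 1_000_000:
        score += 10
    elif v.annual_spend_usd >= 100_000:
        score += 5
    if v.remote_workforce_pct >= 50:
        score += 10
    elif v.remote_workforce_pct > 0:
        score += 5
    return min(score, 100)


def risk_tier(score: int, critical_service: bool) -> str:
    """Map a score to a tier; a high-scoring vendor that is also critical is tier 'critical'."""
    if score >= 60:
        return "critical" if critical_service else "high"
    if score >= 30:
        return "moderate"
    return "low"


def scope_questionnaire(v: VendorIntake) -> List[str]:
    """Only the sections whose scoping rule applies to this vendor are issued."""
    return [name for name, applies in SECTIONS.items() if applies(v)]


def classify(v: VendorIntake) -> dict:
    """Full assessment record: score, tier, scoped sections, cadence and approval flag."""
    score = inherent_risk_score(v)
    tier = risk_tier(score, v.critical_service)
    return {
        "name": v.name,
        "score": score,
        "tier": tier,
        "sections": scope_questionnaire(v),
        "review_months": TIER_REVIEW_MONTHS[tier],
        # High and critical tiers go to the Vendor Management Office for sign-off.
        "approval_required": tier in ("high", "critical"),
    }


def reassess_on_scope_change(v: VendorIntake, **changes) -> dict:
    """Re-run classification when an existing vendor's scope changes (e.g. gains NPI access)."""
    return classify(replace(v, **changes))


if __name__ == "__main__":
    # Constructed sample vendors for a quick run.
    for vendor in (
        VendorIntake("Local caterer", False, False, False, 20_000, 0),
        VendorIntake("Payroll processor", True, False, True, 500_000, 80),
        VendorIntake("Analytics SaaS", False, True, False, 150_000, 100),
    ):
        print(classify(vendor))
```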

Finding the right third-party risk management system can seem overwhelming, but it doesn’t need to be. Hopefully these pointers, and our list of software providers, help you find a system that is right-sized for your organization.

The COVID-19 pandemic has rocked many organizational foundations, and while few could have predicted a disruption of this magnitude, we are now living in a post-pandemic market. Emergency response planning will be a major focus in supply chain risk and Procurement risk management.
How should Procurement course-correct for this “new normal,” while avoiding the urge to overcorrect when addressing new supply chain risks resulting from global disruptions?

1. Segment Your Spend (from a different perspective)

Spend segmentation and analysis are standard Procurement concepts, but this crisis has taught us a few important lessons on how we segment and categorize spend. Sorting into critical, preferred, or strategic suppliers may not be enough anymore.

A critical supplier is a supplier who supports or supplies your core business, and now we must take a harder look at these suppliers who are essential to our supply chain and our daily operations.  A short exercise would be to segment all current suppliers who are “mission-critical,” asking: if they were to cease operations for a day, a month or a year, how would this affect your operations? For many this should already be common practice. Establish tiers or levels for the criticality of these suppliers and review your relationship with these vital suppliers – now might be the time to consolidate or expand on your relationship. Once you have established your most critical suppliers, incorporate the strategies below to unlock the true value of these relationships.

2. Emergency (or Pandemic) Response

Emergency Response Plans have long been pillars of Risk Management procedures, but few organizations had a pandemic counted among the contingencies. While we don’t advocate for an overly reactive approach, planning ahead for the unforeseen can sometimes be a matter of luck or incredible foresight. But don’t let that discourage your efforts. Now is the time to review any Emergency Response Plans you currently have, and when onboarding any new suppliers, be sure to review theirs – this can become a standard onboarding practice for all suppliers, not just critical or strategic suppliers. Should you receive any pushback on this practice, this may be a red flag that a supplier is not prepared or has inadequate Emergency Response Plans.

3. Focus efforts on implementation

Recent research is showing a shift in top supplier risks and supply chain risk management concerns, with implementation and speed of implementation taking center stage. COVID-19 is forcing many organizations to focus efforts on implementation procedures. Now is the time to reconsider a supplier’s ability to properly implement and the speed at which they can perform. Crises like this should cause a re-evaluation of our supply chains and suppliers, forcing many of us to onboard new suppliers. Pay attention to the pace at which a supplier on-boards and ramps up – this may be an indication of how prepared they are for worst-case scenarios.

4. Build Better Relationships

Now, more than ever, we are seeing the importance of communication, especially the importance of communication with our suppliers. Supply chains are dealing with confusion surrounding shipping, particularly around imports and exports, so it is critical you have open communication with your suppliers to better understand any gaps in the supply chain and help to remediate when and where you can. Strong communication between you and your suppliers will help enable transparency, and limit any surprises that might be a result of broken supply chains – this could mean planning for a delay rather than reacting to a delay.

5. Plan for Post-COVID

Undoubtedly, our collective focus is on the disruptions of COVID-19 and the effects it has had on our supply chains, but it is important to plan for what’s next. Prepare to return to “normal” operations as we see operations begin to pick back up, but, also continue to function in our current “new normal.” The steps and actions we take as a result of the disruption of COVID should become an integral part of our Risk Management. We are planning for the unknown as best as we can – and that means learning from our experiences during this current unprecedented disruption.

Check out Corcentric’s website for more information about Supply Chain Risk Management.

An effective vendor monitoring process is a critical component of business continuity planning. This requires not only identifying who your key vendors are, but also ensuring you have an effective process in place to assess and evaluate their overall health and ongoing viability.

Vendor monitoring has always been a necessary component of a vendor management program, but its importance has been put in the spotlight due to the COVID-19 pandemic. Companies are concerned about both short and long-term effects the pandemic might have on their key vendors. While the impact to some vendors was immediate, the long-term impact to many companies won’t be known for months (possibly years) to come.  Many vendors have had to:

  • Reduce or eliminate services due to the need to shift to new lines of business
  • Address new financial pressures resulting from new competitors, permanent loss of market share or difficulty obtaining working capital
  • Address operational issues caused by some of their own key suppliers (your 4th parties) or, in the worst cases, replace them altogether

In order to manage business continuity with your most important vendors,  you need to have a solid vendor monitoring process in place and, when issues arise, a documented plan for how you are going to remediate them.  Here are seven pillars of a well-designed vendor monitoring process framework.

  1. Identify which vendors require monitoring. These should always include your critical and high-risk vendors, but can include lower risk (but other important) relationships as well.
  2. Define the indicators you want to monitor. They should include both quantitative indicators (numerical data that can be objectively captured and measured) and qualitative indicators (anecdotal observations and other contextual information).

Learn more about the importance of using both qualitative and quantitative indicators in this 90 second excerpt from our webinar “Monitoring Stability of Key Vendors During and After the Pandemic”.

  3. Organize your data sources. Monitoring information can be captured in a variety of ways including questionnaires, policy and procedure documents, SOC and audit reports, surveys and third-party data intelligence tools, to name a few. Make sure you have the necessary data sources to feed up into the types of indicators you want to track.
  4. Clarify roles & responsibilities. While the person that owns the vendor relationship should be primarily responsible for monitoring their vendors, many other subject matter experts are involved in the process.  Be sure to clarify who will do what and when.
  5. Line up your subject matter experts. Speaking of subject matter experts, these are the folks with the specialized skills you’ll need to support certain aspects of monitoring.  They frequently include experts from information security, business continuity, compliance, IT and legal.
  6. Establish escalation procedures. When issues come up during the vendor monitoring process (which they always do), it’s important to know which need to be escalated and what options you have for resolving them. This can include expanding your due diligence, updating contingency plans or even modifying (or terminating) the contract.  Your framework should define the types of issues requiring escalation and the procedures you can follow.
  7. Leverage technology. Lastly, the vendor monitoring process is way easier when you leverage technology. This includes your vendor management system and continuous monitoring solutions that give you access to external data sources.

A good vendor monitoring process strengthens your overall vendor management program.  It is also one of your best tools for getting out in front of small problems before they become big ones.

Vendors’ corporate health has never been more important than now.  With the crushing blow of the global pandemic, all companies are facing supply chain challenges to ensure the viability of their vendors’ ability to meet contracted service requirements.  The world of relying on annual “point in time” due diligence is gone forever.

Enter a new era of continuous monitoring as a critical component of the due diligence process.  Mixing questionnaire based assessments and ongoing monitoring tools like that of our partner, Argos Risk, a leading provider of corporate health monitoring solutions, is the new norm the industry is adapting to.   We are actively helping our clients to migrate their programs to include data intelligence monitoring tools.  This ensures you have the most current actionable intelligence to proactively mitigate risk and optimize performance of your vendors.

When assessing your vendor to mitigate risk, your vendor’s corporate health is a vital component along with InfoSec and regulatory compliance.  As the old adage goes, “A day is a week, a week is a month and a month is a year”; the corporate health of a vendor can change in a day, a week or a month, so just completing one annual assessment puts your company at undue risk of vendor disruptions and failures.

Here are 3 Key Performance Indicators of Corporate Health that all vendor management programs should include:

1. Credit and Financial Viability

 Ongoing monitoring of critical financial health metrics like:

  • Credit information such as high credit offered, avg credit offered, # of trade experiences with slow/short pay
  • Likelihood of consistent payment
  • Estimated days beyond terms
  • Industry days beyond terms (comparative metric to see how your vendor is performing vs. their industry)

2. Material Event Alerts

Receiving daily alerts about the material events that have occurred with your vendors such as:

  • Public filings like lawsuits, liens or judgements
  • Regulatory compliance checks like OFAC and FinCEN
  • Events like mergers/acquisitions, corporate layoffs, sale of assets or FEMA notices

3. Geographical Risk Factors

Monitoring individual vendors and your entire vendor portfolio for important risk factors like:

  • Regional Population levels
  • Regional Unemployment rates
  • Regional Personal Income
  • Regional Natural Disasters

Adding this important corporate health monitoring to your due diligence process would be very time-consuming and challenging to implement and maintain if you were to attempt to do it yourself.  That is why the emergence of new web-based data intelligence tools, like our technology partner, Argos Risk

One of our technology partners, Argos Risk, has created a very cost-effective and streamlined solution that incorporates some very important things to consider when selecting a corporate health monitoring solution such as:

32 Million+ Businesses Actively Monitored

Access to information for publicly traded, privately held and over 20 million SMBs.

Daily Monitoring of Material Events

Automated daily alerts on material events that can negatively impact the corporate health and viability of your vendors.

AR Surveillance™ DASHBOARD

The central hub for monitored companies.

  • Easily monitor your third-party portfolio
  • Access your third-party relationships with color-coded risk scores
  • Stay informed of material events with daily alerts
  • Daily updates provide the equivalent of 365 credit reports each year
  • Quadrant Risk Analysis provides a visual overview of your portfolio risk

Individual Company Report

  • Key Metrics related to a company’s overall viability
  • 180-day trending information in key financial performance metrics
  • Public Information on judgments, liens, suits and CFPB Complaints
  • Validated vendor diversity information including minority and woman owned indicators
  • Company demographic information

Geographic Risk Factors for use in your Business Continuity Planning

  • Unemployment
  • Population
  • Gross Metro Product
  • Bankruptcies
  • Weather
  • Natural Disasters

As you look to mature your due diligence process and consider adding corporate health monitoring, here are the third-party risk and due diligence services we can offer you: https://vendorcentric.com/services/third-party-risk-management/.  We are here to help!

Companies have offered flexible schedules and have allowed employees to work from home (to varying degrees) for years. The trend to work from home has been on the rise over the past decade, but the recent threat of COVID-19 has forced many companies to move completely to a remote workforce. This raises all sorts of logistical and security issues, especially for companies that didn’t previously have formal Work from Home (WFH) policies in place.

How will this shift to remote work impact your business? Specifically, how might it change the way your organization manages its third-party vendor relationships? Let’s take a look at some common risks you should be aware of, and how you might want to consider updating your organization’s Vendor Management Program to be prepared for this organizational and cultural change.
Vendor risks to be aware of

This list of potential risks associated with remote work is not by any means exhaustive. It’s also important to note that these risks were applicable before the outbreak of COVID-19, but they are certainly front and center now that the vast majority of businesses are requiring their employees to work from home for the foreseeable future.

  1. Blurred lines between personal & corporate use of devices – Were your vendor’s remote workers prepared for the sudden shift to working from home? Or, were they unable to bring corporate devices home with them (e.g. a stationary desktop) and are now forced to use personal devices to conduct business? The introduction of personal devices could cause some trouble for IT teams (various types/versions of operating systems used by employees, inconsistent security patches, no way to control devices, etc.)
  2. Collection and/or storage of non-public information (NPI) – Are your vendor’s remote workers collecting NPI through secure means, or has the shift to working from home tempted them to collect NPI in other ways (e.g. through the use of personal cell phones or other devices, through unsecure email correspondence, etc.)?
  3. Access to corporate network (or lack of access) – Are the proper security protocols in place to allow for remote connection to the company network? Is the appropriate infrastructure in place to even provide remote access to the corporate network, or are employees left without a connection?
  4. Lack of Policies and Training – Does your vendor have a formal work from home policy for their remote workers to follow? Has security awareness training been provided to staff, especially with the rise of email phishing scams being a major source of concern?
  5. Impact on service levels – Will a sudden shift to remote work impact any service level agreements (SLAs) or other performance metrics? Do remote workers have acceptable home internet connections, devices and ancillary equipment (e.g. headsets for clear audio, a camera to allow for video meetings, etc.) to continue conducting business without any disruptions?
  6. Unsecure home (or public) internet – Do your vendor’s remote workers have strong passwords for their internet routers? Are home networks using the proper encryption? Is the firmware of home routers up to date?
What does this mean for your vendor management program?

As the number of companies enforcing work from home policies continues to increase in the near-term, and since the shift to a fully (or partial) remote workforce may be a trend that’s here to stay even after COVID-19 is eradicated, here are some ideas you might want to consider with regard to how your business manages its third-party vendor relationships.

  • Send an emergency questionnaire – If you didn’t previously ask your vendors about their remote work practices during your due diligence or ongoing monitoring process, now would be a good time to do so. To start, you might want to consider focusing only on your organization’s most critical vendor relationships.
  • Prepare business continuity plans with your most critical vendors – If your Vendor Management Program doesn’t require it already, it is a good idea to have business continuity/contingency plans in place with your vendors. As a best practice, your organization should focus on developing business continuity plans with your most critical vendors.
  • Update due diligence questionnaires – Coordinate with internal stakeholders, particularly information security and business continuity staff, to ensure that the right questions are being asked on your vendor due diligence questionnaires. Be sure to ask about your vendor’s network (and how remote workers access it), policies/procedures on remote working, security awareness training, and impacts of remote work on day-to-day performance and business continuity.
  • Incorporate remote work into your inherent risk assessment – When conducting vendor risk assessments, consider asking about remote work. Is a vendor with a 100% remote workforce inherently riskier than a vendor who does not allow remote work?
  • Look into ongoing monitoring software – Point-in-time monitoring (such as periodic due diligence assessments) is certainly useful, but the information collected becomes stale. If you only assess your vendors every year, or every other year, what about the time in between assessments? Software solutions, such as the platform offered by our partner Argos Risk, provide continuous, timely and comprehensive third-party risk intelligence.

In this new era of working from home, make sure you think about the risks that remote work may expose your organization to, as well as the appropriate updates or additions you might need to make to your Vendor Management Program.

From buyers to suppliers, everyone knows that the Request for Proposal (RFP) process is… less than ideal. At the same time, they’re often central to the procurement process, so sales teams everywhere should be prepared to put their best foot forward when responding.

I’ve run plenty of sourcing initiatives that included an RFP and have seen responses range from good to bad to “why on earth would you submit this?” levels of ugly. In this article, I want to point out some of the bigger issues I see that keep otherwise best-in-class suppliers from winning these events.

A Short List of Big Problems with RFPs
“But wait,” I hear you say, “if these suppliers are best-in-class, wouldn’t losing the RFP show how terrible the process is?” Potentially true. Critics of RFPs are quick to point out that the process,

  • Kills differentiation. Responses are all geared towards the same direct questions, and the elements of your business that are unique may not stand out in this environment.
  • Commoditizes all offerings. Everything gets boiled down to cost, at the expense of everything outside of price that makes a supplier valuable.
  • Assumes buyers have ‘all the answers.’ RFPs rarely accommodate outside-the-box thinking with their rigid form. Buyers construct an event with a solution in mind, even though better solutions may exist.

These are symptoms of a poorly built RFP (a topic I’ve discussed elsewhere and most certainly will again many times). However, many projects are (a) on a tight timeline and (b) need to include potential partners that an organization has little or no experience working with. In these situations, RFPs are still a great way to get to know the market and what it offers.

Besides, these faults can’t be the only reasons for losing these bids: Other bidders face these same challenges when submitting bids – and find ways to succeed in spite of them. So how can we improve our success rates?

Tips to Responding to RFPs

I’ve worked with buyers and suppliers across dozens of spend categories to craft RFPs and analyze resulting bids. There are a few things that always stick out to me as best practices and red flags alike.

  1. First and foremost, understand the rules of the game. What are the buyer’s supplier selection criteria? Who will be evaluating your response? Beyond the bid submission, will there be any onsite presentations or site visits to firm up your response or your understanding of the scope? What are the milestone phases and what are their deadlines? You should have the answers to all of these questions before you begin.
  2. Incumbents, don’t assume your relationship speaks for itself. I’ve seen too many responses that boil down to “you already know this about us, you don’t need us to answer.” Your client-side stakeholder knows plenty about the value you bring. But what about that stakeholder’s boss, or that stakeholder’s colleagues at other facilities that don’t use you, or those in the company your customer just acquired? Respond as if decision makers don’t know you – if an opportunity for expansion exists, there will be some that don’t.
  3. Don’t make assumptions or let questions go unasked. When I see responses to questionnaires or pricing proposals that read “it depends,” or “TBD,” or provide an excessively wide pricing range, I only have one question: Why didn’t the bidder seek clarification before submitting? A good RFP will include time within the process for suppliers to ask questions and get answers – Use this time to your advantage. Not only will it result in a more targeted proposal, but it will set you apart from your competitors who filled their responses with non-answers.
  4. If your offerings go beyond the RFP scope, then so should your response. Remember that an RFP response is a buyer’s way of getting to know the market and their options. Respond to the RFP according to the guidelines built into it, but if your product or service goes beyond scope, mention this in your response and include supplementary documents that speak to this.
  5. Be direct in your response (advertising agencies, I’m looking at you). It’s great when companies are excited about their offerings and proud of their history. That enthusiasm carries across responses and suggests a good partner. That said, don’t make buyers wade through multiple paragraphs to find the single sentence that answers a question. Answer directly, upfront, right off the bat. If you have more to say, either include after your direct response, or reference a supplementary document that delves more deeply.
  6. Respond using the documents and format requested. If I’m running an RFP that spans 30 facilities across the continental US and dozens of suppliers, the last thing I want to do is hand-edit uniquely designed responses so they fit into my process. Hell, I’ve had bidders provide images of text responses in lieu of the requested bid doc. This creates a huge challenge in a large event – do everything possible to reduce the tactical work so that we can all focus on higher-level strategy.
  7. Follow through with what you promise. If the SOW doesn’t align with your goals or offerings, that’s fine – but say so upfront rather than committing to participate and ghosting on the process midway through. There might be a time when that stakeholder has a scope that fits with you perfectly… only now you’ve burned a bridge and lost an opportunity. I source the same categories with different clients at different times, and may end up reaching out to a provider with multiple opportunities. Consider also that buyers may leave the organization you support today and go to a new company that could also use your services. In either case, don’t give anyone reasons to omit you from an opportunity before it begins.

These aren’t the only seven keys to a great RFP submission, but they’re issues I see crop up pretty often. Considering if any are at play with your own submissions is a good starting point to building a better response.

Rant Over, Carry On
To circle back, I readily admit that an RFP isn’t the perfect tool for all sourcing occasions. However, it takes two to tango – an organization’s failure to select the best possible supplier may be due in part to a faulty RFP, but could also be due to a faulty submission.

Despite being an imperfect process, the RFP hasn’t fallen by the wayside yet. There are plenty of opportunities to win new business through them… as long as you don’t let your submission get in the way of your success.

Planning for business continuity with critical vendors has been an area of focus for many third-party risk management professionals as of late.  And rightly so.  A trio of health, economic and geo-political events have created massive strains on supply chains and increasing concerns about cyber-attacks.  And as companies shore up their own business continuity plans, they must consider the impact critical vendors have on those plans.

Ensuring business continuity with your critical vendors requires not only responding to (and potentially recovering from) a continuity event, but also ensuring you have the right plan, controls and oversight in place to ensure stability for the long haul.

Here are 19 best practices to manage business continuity with your critical vendors.

Response Activities

These are the immediate activities you undertake to assess risks with your vendors when a continuity event has occurred. 

  1. Identify your critical vendors. These should have already been identified through your own business continuity planning.
  2. Review their contractual provisions to refresh your understanding of service level agreements, payment terms, potential legal risks and, in case needed, termination provisions.
  3. Send due diligence questionnaires (or conduct interviews) to understand how their business is being impacted by the event, and how near term (and mid-term) impacts to their company may impact your operations.
  4. For certain vendors you should dive deeper into their business continuity and disaster recovery plans – especially for those performing outsourced functions or supporting core systems and technologies. Understand whether their plan is comprehensive enough to ensure stability of your products/services, and whether they have implemented the plan.
  5. If the vendor has access to your systems or data, assess their approach to work from home and the security protocols they have implemented for data protection.
  6. Assess your own business continuity plans to ensure you have addressed how you will handle continuity in each operational area that you rely on critical vendors.
  7. Establish a communication plan with your internal vendor relationship managers, and key contacts at your vendors, to ensure consistent and open communication. Make sure you identify the who, what and how often.

Recovery Activities

Recovery includes all of the steps you need to take to address risks and/or operational problems with your vendors from the response phase.  Consider the following activities when you identify a critical vendor that is under distress.

  1. Integrate secondary vendors into the operational activity to reduce the risk and increase the speed at which you can pivot if needed.
  2. Evaluate your ability to insource certain functions, at least for the short term, and establish plans when feasible.
  3. Consider on-site visits to get a first-hand look into the vendor’s operations.
  4. Enhance your continuous monitoring activities to track information about the vendor’s corporate health and/or cybersecurity practices.
  5. Modify contractual provisions to address exposure beyond your risk tolerance.
  6. In worst-case scenarios, terminate the agreement and transition to a new vendor.

Prevention Activities

Prevention focuses on taking steps to lessen the chance (in the future) that you will have continuity issues with your critical vendors, and ensuring you have the right mitigation strategies in place to lessen the impact when an incident does happen.  Some of the important prevention activities include:

  1. Consolidate and eliminate risky vendors from your supply base.
  2. Build out alternative supplier capabilities where needed.
  3. Create/update contingency plans for critical vendors, including plans for insourcing when feasible.
  4. Establish and/or strengthen vendor risk monitoring tools to be more predictive in monitoring the health and cybersecurity of your high-risk vendors.
  5. Audit your vendor contracts to identify gaps when compared to your own standard contractual provisions, and amend existing contracts to comply with the contractual standards.
  6. Review your vendor management system to ensure it is accurate and complete, so that the vendor information, contracts and assessment tools you need are at your fingertips – regardless of where you are working from.

One additional note.

As you think about business continuity with your vendors, you should plan as if you are going to have multiple ‘response’ phases. Or even better, ensure you have a really good continuous monitoring and communication process in place that becomes part of your regular vendor management process.

Using a systematic approach to manage business continuity with critical vendors is the best way to ensure consistency in vendor management activities both now and into the future.  If you’re looking for additional information on business continuity standards, here’s a link to an article on ISO 22301 which is a recognized international standard for business continuity management systems.

 

Now more than ever, managing risks is top of mind – especially those risks related to your vendor relationships. The risks that your vendors bring to your organization should be assessed, mitigated and managed as part of the regular function of your vendor management program. However, during uncertain times such as those we are in today, technology – specifically vendor management systems – can help you efficiently locate key vendor-related information right when you need it most.

The COVID-19 pandemic is forcing organizations of all sizes, across all industries, to make changes to the way business is conducted. While your organization is altering its operations, it’s important to realize that your vendors are also likely doing the very same thing. This means that you need to be thinking about how the services provided by your third-party vendors (or the potential disruption of those services) could impact the day-to-day operations of your organization. While you may have hundreds (or even thousands) of vendors, you likely only rely on a portion of them for truly mission-critical services. For example, the software vendor you use to manage all of your customer and project information is more critical to your operations than the janitorial services company. It’s these critical vendor relationships that you really want to focus on. Some key vendor risk-related activities that organizations should be performing on an ongoing basis, but especially now, include:

  • identifying the most mission-critical vendors;
  • collecting, assessing and documenting the critical vendor’s business continuity plans;
  • logging and managing issues that need to be remediated; and
  • preparing internal contingency plans for critical vendors

Let’s take a look at these activities in more detail, and see how a vendor management system could support them.

Identifying Critical Vendors

Your organization may utilize the services of 10, 100 or 1,000 vendors. Each of those vendor relationships carries with it an inherent level of risk. Inherent risk is the level of risk that exists simply as a characteristic of the type of work the vendor performs. For example, a vendor who manages all of your organization’s network servers and has access to personal/confidential customer information is inherently riskier than the landscaping vendor who cuts the lawn every other week.

By using a vendor management system, internal Business Owners (those people who own the relationship with the vendor) can complete an online questionnaire where inherent risk is assessed. This is called an inherent risk assessment, and it usually contains fewer than ten (10) questions that address the key areas of risk that are most important to your organization. Criticality, which is related to but distinct from inherent risk, can also be assessed through the use of such a questionnaire. Once responses from Business Owners are collected, you’ll have a record of the vendors who are critical to your operations, and those who are inherently high-risk. Reports can then be run to easily identify these segments of vendors.
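As an added illustration of the segmentation this paragraph describes (this is example code, not part of the original post and not the code of any vendor management product), the following Python script scores a constructed set of inherent-risk questionnaire responses, assigns each vendor an inherent risk tier and a criticality flag, and produces the segment reports. The question set, weights, tier thresholds and vendor names are all assumptions made for the example; a real program would define the questions and thresholds together with its information security and business continuity stakeholders.

```python
# Inherent-risk assessment and vendor segmentation.
# Everything below (questions, weights, thresholds, sample vendors) is a
# constructed assumption for illustration, not a recommended scoring model.
from dataclasses import dataclass

# Yes/no questions a Business Owner answers about a vendor, with assumed weights.
QUESTION_WEIGHTS = {
    "handles_npi": 4,           # collects, stores or processes non-public information
    "network_access": 3,        # connects to the corporate network
    "supports_core_system": 3,  # supports a core system or an outsourced function
    "customer_facing": 2,       # deals directly with your customers
    "remote_workforce": 1,      # vendor staff work remotely
}

# Assumed tier cut-offs, checked from highest to lowest score.
TIER_THRESHOLDS = [(7, "High"), (3, "Medium"), (0, "Low")]


@dataclass
class VendorResponse:
    name: str
    answers: dict    # question id -> bool (missing questions count as "no")
    critical: bool   # Business Owner's criticality answer: operations stop without this vendor


def inherent_risk_score(answers):
    """Sum the weights of every question answered 'yes'; reject unknown question ids."""
    unknown = set(answers) - set(QUESTION_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown questions: {sorted(unknown)}")
    return sum(w for q, w in QUESTION_WEIGHTS.items() if answers.get(q, False))


def inherent_risk_tier(score):
    """Map a numeric score onto the assumed Low / Medium / High tiers."""
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "Low"


def assess(responses):
    """Build one assessment record per vendor from the questionnaire responses."""
    records = []
    for r in responses:
        score = inherent_risk_score(r.answers)
        records.append({
            "vendor": r.name,
            "score": score,
            "tier": inherent_risk_tier(score),
            "critical": r.critical,
            "has_npi_access": bool(r.answers.get("handles_npi", False)),
        })
    return records


def segment(records):
    """The segment reports the text describes: critical vendors, inherently high-risk
    vendors, vendors with NPI access, and the union that deserves the most attention."""
    return {
        "critical": sorted(x["vendor"] for x in records if x["critical"]),
        "high_inherent_risk": sorted(x["vendor"] for x in records if x["tier"] == "High"),
        "npi_access": sorted(x["vendor"] for x in records if x["has_npi_access"]),
        "focus": sorted(x["vendor"] for x in records if x["critical"] or x["tier"] == "High"),
    }


# Constructed sample responses; vendor names are fictitious.
SAMPLE_RESPONSES = [
    VendorResponse("Hosted CRM Co", {"handles_npi": True, "network_access": True,
                                     "supports_core_system": True, "remote_workforce": True}, True),
    VendorResponse("Managed Network Svcs", {"handles_npi": True, "network_access": True,
                                            "supports_core_system": True}, True),
    VendorResponse("Data Analytics Ltd", {"handles_npi": True, "network_access": True}, False),
    VendorResponse("Call Center LLC", {"handles_npi": True, "customer_facing": True}, False),
    VendorResponse("Lawn Care Inc", {}, False),
]


def run_report(responses=SAMPLE_RESPONSES):
    """Assess the responses and return the segment reports as a dict of sorted name lists."""
    return segment(assess(responses))


if __name__ == "__main__":
    for name, vendors in run_report().items():
        print(f"{name}: {', '.join(vendors) or '(none)'}")
```

Note that "Data Analytics Ltd" lands in the high inherent risk segment without being critical, which is the distinction the paragraph draws: criticality is about whether your operations stop without the vendor, while inherent risk is about the nature of the work and data involved. Both segments feed the "focus" list that drives the deeper due diligence described in the next section.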

Performing Due Diligence

Based on the vendor’s criticality and/or inherent risk level, you’ll want to perform the appropriate level of due diligence on the vendor before entering into a contract with them. Through the use of due diligence questionnaires, you can ask your vendors a series of questions that will allow you to assess their controls related to the risks you are most concerned about. With regard to critical vendors, something you’ll want to collect is a Business Continuity Plan (or pandemic plan).

Through the use of a vendor management system, you’ll not only be able to automate the process of collecting such plans, but you can also set up the appropriate workflow to have the necessary stakeholders and subject matter experts review them. Your system will also allow you to keep a historical record of your vendor’s responses to the due diligence questionnaire, and more importantly, you’ll be able to populate your vendor’s profile with an up-to-date inventory of key documents (such as their Business Continuity Plan).

Remediating Risk Issues

After you’ve collected and assessed your vendor’s response to your due diligence questionnaire, you may identify certain gaps in their controls that you are not comfortable with. If your organization is willing to accept the risk (rather than pursue an alternate vendor), a good practice is to log this gap in controls as a remediation item. A vendor management system will allow you to assign the remediation item to the appropriate stakeholder, set due dates to ensure the issue gets resolved and keep a historical record of exactly how it was resolved.

Documenting Contingency Plans

Now more than ever, making sure you have Contingency Plans for your critical vendors is paramount. Similar to the way in which a vendor management system can automate the collection of your vendor’s responses to a due diligence questionnaire, it can also be used to collect Contingency Plans that your internal Business Owners are responsible for creating. With the appropriate input from your risk management and business continuity stakeholders, you can establish an online form that asks the appropriate questions related to contingency planning, and your Business Owners can simply submit their answers.

One of our software partners, VendorRisk, provides a vendor management solution that is able to perform all of the key activities I’ve covered in this article. From maintaining an accurate inventory of your vendors, to being able to easily segment critical from non-critical vendor relationships, to utilizing online forms to collect the data that matters most… a vendor management system such as VendorRisk will allow you to effectively manage risk during uncertain times.

We are all aware of the issues that occur when there are supply chain disruptions. It has impacted countries, battles and companies throughout history. Not getting supplies or services when you need them stops progress.

When times are good and things are running smoothly, it’s really easy to ignore your supply chain.  But when things turn bad, and you can’t get the products or services you need when you need them, you realize how important it is to plan for supply chain disruptions when they do occur. This is really highlighted when things become personal.

One current example is the toilet paper situation that’s been going on during the COVID-19 crisis. There is toilet paper out there, but it is not packaged for the average consumer. The commercial side of toilet paper production has the product we need, but not in the form we need. Most households do not have the large dispensers that we see at airports or the office. Also, toilet paper for commercial use is shipped in such large quantities, it is not feasible for consumers to buy a gross of toilet paper rolls at a time.

Last week, the Secretary of Agriculture spoke at the White House. In his statements, he reassured the public that America had food and a good supply chain. He also mentioned that the demand for commercially packaged foods was down since restaurants and other large food service areas like schools are closed. This also means that any stockpiles of supplies in this area are not in the form consumers could easily use. Not every household can use a one-gallon can of green beans for dinner. But again, consumers who are now at home are not able to get the food that they need because it is not distributed in consumer-sized packaging nor is it available in grocery stores.

While none of us could have predicted we’d need to modify our ‘personal supply chains’ to deal with these types of disruptions, companies certainly can. And should.

Every organization relies on vendors, suppliers and other third parties to meet their business goals. Yet, for many organizations, the only time they focus on these third parties is when something goes wrong.  It’s critical to have a handle on vendor and supplier relationships every day of the year, not just during a pandemic. This requires having critical vendor information at your fingertips such as key contacts, terms of contracts and information about your vendors own pandemic plans.

It also includes knowing how they maintain important controls over their systems and, perhaps more importantly, your data. Hackers have been incredibly active during the pandemic. Yet most of the security standards out there like SOC, ISO, and NIST have organizations look at their vendors at least once a year. That may not be good enough for some of your riskier vendors, especially in the new paradigm we find ourselves in now.

In situations like we have today, you may need to evaluate your due diligence on a more regular basis. This can be in the form of a full review, or just a monthly confirmation that Service Level Agreements (SLAs) are being met. If SLAs or other contractual obligations are not met, then it is important to raise that fact. If the vendor is having issues meeting SLAs during the good times, how can you expect them to meet them during anomalies such as our current crisis? Businesses need to ensure they are continuously managing their vendor and supplier relationships so they can be responsive when supply chain disruptions do occur. Only then can we effectively assess and manage the risks a vendor may pose.

 

Business continuity management has been a major focus of every company during the COVID-19 pandemic. Having fast access to the right data has been critical to making informed, timely decisions.

Unfortunately, many companies are getting a reality check as they find it difficult to locate and report on important information about their critical vendors; that is, those who support key areas of operations, technology and infrastructure. They are finding it time-consuming and sometimes challenging to answer questions like:

  • Who are our critical vendors and which areas of our operations do they support?
  • Where are our contracts with those vendors and what exposure do we have?
  • Does the vendor have sensitive data we need to worry about?
  • Do these vendors have business continuity plans? When was the last time we evaluated them?
  • Do we have contingency plans of our own? What is our fallback if the vendor can’t perform?

Centralizing key data on your vendors and contracts is no longer a nice-to-have.  It’s a must.  Now is the perfect time to organize and review vendor data to ensure it’s both accurate and complete.  If you don’t have time for a full data scrub, here are seven categories of information about your vendors that I recommend you focus on.

  1. Vendor Profiles. Review and update the inventory of your active vendors, and ensure you have at least basic profiles for all key vendors. This includes name, addresses, website, EIN, parent company (if applicable) and primary locations servicing your company.  Knowing where your vendors operate has never been more important for business continuity planning than during this pandemic.
  2. Key Contacts. While this seems basic, many companies are having big problems with finding the right contacts at their vendors.  The biggest problems have been with old information (i.e. the contact person has changed), or limited information (i.e. they only have the salesperson when they need someone from IT or operations.)  Make sure you have current information for all of your key contacts.
  3. Service Categories and Descriptions. Many vendors provide multiple services through multiple contracts.  Make sure your vendor database identifies all of the services provided by each vendor, preferably tagged with common categories such as ‘IT’, ‘Telecommunications’ and ‘Call Center’.  This will make it easy for you to quickly find vendors, run reports and manage risks and operational issues on a category-by-category basis.
  4. Contractual Documents and Profiles. If you still have vendor contracts scattered across different databases, folders and file cabinets, now is the time to clean them up.  Your contractual documents need to be in one, central system so they can be accessed quickly from anywhere.  Further, you need to maintain profiles for each of your contracts so you can quickly run reports on data such as termination provisions, breach notifications and service level agreements.
  5. Critical Vendors. The pandemic has highlighted the importance of being able to quickly identify and perform outreach to your most critical vendors.  These vendors should be tagged in your vendor management system so you can quickly identify them to evaluate operational risks and business continuity.  These are also the vendors you should be monitoring continuously.
  6. Contingency Plans. Knowing who your critical vendors are is important, but having contingency plans in place for each of them is what you really need when things go south.  Ensure each of your critical vendors has a contingency plan, and that those plans are reviewed at least annually and stored in the system with the vendor’s record.
  7. Vendors with Access to Nonpublic Information. Crises bring out the worst in people, and this pandemic is no different.  With millions of employees now working remotely, hackers are taking advantage of the situation.  Data security doesn’t take a break during a pandemic.  Make sure you know which vendors have access to your data so you can provide the appropriate due diligence and oversight to ensure it stays protected.

This pandemic has, among many things, highlighted the need for effective business continuity management.  And your critical vendors are fundamental to that function.  Now is the perfect time to review and update your vendor and contract management system to ensure you have complete and accurate information at your fingertips when you need it. If your board, internal audit department or regulators haven’t already asked you for data like this – they soon will.

Regardless of whether you are trying to establish a new Vendor Management Program (VMP), or mature an existing one, you may be asking yourself questions like “what is the best structure for a VMP,” “is there simply a ‘blueprint’ we can use” or “what system should we implement to manage our third-party relationships?” Questions like these are common, and they are important to ask. While there isn’t a “one-size-fits-all” VMP, there are some key foundational elements that should be incorporated into vendor management programs of any size.

As a helpful analogy, think of the construction of a new home. Before you begin making any decisions regarding the style of the doors or the color of the carpet, you need to make sure that the foundation of your home is safe and sound. The same goes for a Vendor Management Program. Before you begin identifying what fields should be included on procurement forms or what the approval workflow should be for risk reviews, you need to make sure these six foundational components are in order:

  1. Governance – The team needs a leader! Having proper governance of your program provides vision, direction and accountability for the vendor management function. Governance is not only about making sure that someone owns the VMP, it’s also about incorporating the correct stakeholders. For example, your organization’s governance structure may include a Vendor Management Committee that your Vendor Management office (VMO) reports to.
  2. People, Skills and Training – Without the correct stakeholders, the job can’t get done. Ensure that you have the right level of vendor management resources, subject matter expertise and stakeholder knowledge. As an example, if through your vendor due diligence process you collect third-party documentation, such as a SOC 2 Type 2 report, you need to make sure someone on your team has the appropriate expertise to review such a report.
  3. Policies and Standards – This is where things start to come together. Your Third-Party Management policies & standards establish the scope and guidelines for the program, and define key roles & responsibilities. For example, with regard to “scope,” your policy should identify if there are any specific types of third-party relationships that may not follow your standard vendor management policies (e.g. when paying state/local taxes, you would not consider your state’s Office of the Comptroller an “in-scope” vendor).
  4. Operating Procedures – Make sure that your staff understand what needs to be done on a day-to-day basis in order to execute the program. Your procedures should define everything from what form to use when selecting new vendors to who approves due diligence reviews to what your ongoing third-party monitoring process entails. Think of these as your step-by-step guide for making sure the vendor management program functions properly.
  5. Third-Party Profiles – Organization is the key here. Before figuring out exactly what system you may need, the most important thing is to identify what specific data points you will require for your third-party profiles, and what documents you’ll need to collect and store for each third-party.
  6. Vendor Management Systems – Systems that can be used to manage your third-party vendor relationships are available in varying levels of capability, complexity and price in today’s marketplace. While the exact system you select will depend on a number of requirements, the foundational components you should consider include the system’s ability to 1) centralize information, 2) facilitate automated workflows, 3) provide robust reporting and 4) ensure an audit trail of activities. (At Vendor Centric, we work with software partners to provide best-in-class solutions to our clients – check out our software and data intelligence tools). 

If you need help establishing a new VMP, maturing an existing program (or even something in between) just let us know! We’ve helped organizations of all sizes design and implement right-sized vendor management programs so they can manage their third-parties with confidence!

 

If you operate a financial services company that works with customers in New York, you should be aware of the NYDFS Cybersecurity Regulation Part 500, which initially went into effect on March 1, 2017.  In our world, Section 500.11 for Third-Party Service Provider Oversight went into effect on March 1, 2019.  We have worked with a number of financial services companies to help them prepare for and maintain their compliance with this critically important regulation.

I recently had the great fortune to sit in on a webinar featuring Maria T. Vullo, the former Superintendent of the NYDFS and principal author of the regulation.  I found her tone and comments so refreshing as she shared some great insights about the development and core tenets of the regulation but, more importantly, some practical, best practice recommendations for compliance.  As I sat in with full attention over the hour she spoke, I was happy to discover that our interpretation and the work we have done with our clients aligned perfectly with what she outlined in her comments.

Here is a brief recap of the import things to consider with the entire regulation but specifically Section 500.11, for Third-Party Service Providers:

  • The regulation obligates all “covered entities” (financial institutions) subject to the regulation to ensure cybersecurity compliance of their third-party vendors.
  • Every “covered entity” must have written policy and procedures detailing their Cybersecurity Program to include oversight of third parties to ensure they are meeting cybersecurity requirements stemming from any system access to protected company and customer data.
  • The “covered entity” must perform an annual risk assessment and appropriate due diligence to ensure the vendor has adequate policies and controls in place to mitigate, detect, respond to and recover from a cybersecurity event, if one occurs.
  • The written and documented policy must be approved by the Board or a Senior Officer.
  • Ensure this is a company-wide process engaging all stakeholders that work with third parties and that regular training is provided to stay up to date with latest risks.
  • Stay up to date on key events in your vendor population, like mergers and acquisitions, and reassess the risks associated with cybersecurity policies and factors like legacy systems, as there can be material changes.

These are just some highlights from the webinar and I would certainly encourage you to do more research on this important regulation.  One of the last and most important takeaways I wanted to share was her comment that “Work done is meaningless if it is not documented.”  In other words, don’t allow this to be an ad hoc, one-time activity where there is not a formal policy and ongoing oversight activities being documented at every step of the way.  Happy to answer any additional questions that may arise from reading this.

Risk assessments are a critical step to vetting vendors and other third parties, and to provide ongoing monitoring of relationships to identify changes to your risk exposure.  A proper risk assessment gives you a clear understanding of the inherent risk posed by each vendor relationship.  It also enables you to perform risk-based due diligence on the vendor’s policies, processes and controls so that you can get a final picture of the residual risk you’ll be accepting with that vendor relationship.

In a nutshell, you have to get the vendor risk assessment right to get the due diligence right.  Period.  So with that in mind, here are eight best practices you should always include in your vendor risk assessment process.

8 Best Practices for Vendor Risk Assessments

  1. Be Clear on the Risks You are Assessing. Your vendor risk assessment questionnaire should align directly with the risks you are managing through your third-party risk management program.  Risk assessment questions should cover key risks related to operations, information, financial transactions, strategy, reputation and regulations.
  2. Make Relationship Owners Primarily Responsible. The people that negotiate the contracts and work with the vendors every day are the ones that understand the relationship the best. They should be the ones responsible for capturing data and answering the risk assessment questions. However…
  3. Get Subject Matter Experts Involved. Relationship Owners rarely have all of the subject matter expertise needed to assess all inherent risks. Subject Matter Experts (SMEs) need to be brought into the risk assessment process when appropriate.  Are you exchanging data?  Get the CISO involved.  Will the vendor be processing financial transactions?  Make sure to involve the finance team.  Pull in the right people at the right times.
  4. Have the VMO Coordinate the Process. You need to ensure there is consistency in your risk assessment process, and that all stakeholders are coordinated. Don’t leave this to the Relationship Owners.  They want the process to be as speedy as possible, which may mean they’re willing to overlook some risks just to move things through the process. The Vendor Management Office (VMO) should be coordinating all stakeholders and ensuring a timely, quality risk assessment process.
  5. Make Sure Someone Reads the Draft Contract. This sounds basic, but I can tell you from experience stuff gets missed. I hear a lot of “We aren’t sharing any confidential information” only to read the contract and see an entire clause about data sharing.  I always recommend having someone independent, like the VMO, be responsible for reading the contract to ensure all of the inherent risks have been identified.
  6. Ask about Fourth Parties. Just like you, your vendors have their own vendors (i.e. fourth parties).  And some of those fourth parties are critical to the services you’ll be receiving from your vendor.  Make sure to understand who those fourth parties are, and identify the risks they bring to your relationship.
  7. Automate the Process. The easier you make the vendor risk assessment process, the more compliance you will get. There are literally dozens of risk assessment tools on the market.  If you aren’t using one already, you should be.
  8. Don’t Stop After the Contract is Signed. Many companies view the vendor risk assessment process as one-and-done.  Once you’ve vetted a vendor during the initial contracting process, you are good to go.  That couldn’t be further from the truth.  Relationships with vendors change over time, so you need to ensure you re-assess risk periodically over the duration of your relationship.  Look for triggers that could lead to a change in your relationship such as contract modifications, module additions (for software) or new types of data you may be exposing to the vendor or their software.

 

The vendor risk assessment is a crucial part of your vendor management program.  Implementing these best practices will ensure yours is operating at peak performance.

 

You can’t go more than a few days or so without seeing news on the internet about a cybersecurity breach. And oftentimes when you actually read the story you discover that the breach occurred at a vendor or third party of the company that is impacted.

While there are many other risks that your company needs to be concerned with, there is nothing more important than ensuring you have established the necessary controls to be aware of and actively manage the risk associated with third-party vendors with which you are linking systems and sharing protected customer data. Given the significance of this, here are 3 tips to improve your third-party cybersecurity program.

#1 – Assess and Update Your Third-Party (Vendor Management) Policy

With all of the rapid changes to the threats coming from the cyber landscape, it is a useful exercise to conduct an annual or bi-annual assessment of your third-party (vendor management) policy. You should review your risk assessment, due diligence, contracting, onboarding, ongoing oversight and offboarding policies, ensuring that your policy aligns with your Information Security Plan and all cybersecurity regulations you must adhere to.

By reviewing and updating your policies you will be better prepared to ensure compliance and mitigate these risks across the entire life-cycle of working with your third parties.

#2 – Streamline and Improve Your Due-Diligence Process

One of the important things you can work on is to implement a risk-based due diligence process. This means that you are risk rating or risk tiering all of your third parties and creating due diligence questionnaires and procedures based on each of your risk tiers. In other words, “One size doesn’t fit all.”

Of course, you want to make sure your due diligence process aligns with your updated policy, regulations and your company’s current risk appetite. We are beginning to recommend to all of our clients that they seriously consider adding a cyber risk monitoring tool like Cyber GRX, Risk Recon, Security Scorecard or Bitsight to augment your point-in-time due diligence with ongoing monitoring and alerts. This ensures you are taking a comprehensive and proactive approach to your third-party cyber security risk management.

#3 – Review and Update Your Contracts with Your Vendors and Third Parties

The last tip is to ensure you have your information security and legal stakeholders review and provide any updated language to your contracts that align with your Information Security Plan, regulations and risk appetite. It is a necessity to have clarity around protecting data and requirements in the event there is a breach.

It is also important to outline your requirements for offboarding your third parties to ensure there is a legally binding agreement for how you handle data and system access upon termination of a contracted relationship.

Conclusions

By taking a common sense and risk-based approach to addressing your third-party cybersecurity risk management, you will help your vendors/third parties meet your requirements and mitigate this risk throughout every stage of the lifecycle of managing these very important relationships. It is critically important to have this fully addressed in your policies and ensure you have the appropriate controls and contract protections in place to mitigate this risk.

You can no longer do this on an ad hoc basis, as this is definitely an area that will only pose more threats to your company in the future. Don’t fall prey to an “It won’t happen to us” mindset. Prepare, protect and hopefully prevent, but in the event a breach does occur, ensure your company and your third parties have the response mechanisms in place to minimize the negative impacts to your company, your customers and all of your stakeholders.

One of your third-party vendor relationships is coming to a close. Regardless of whether the agreement you had with the vendor naturally expired (i.e. was not renewed), or was terminated early (due to breach of contract or some other contractual reason), the time has now come to say goodbye.

How prepared are you for what comes next? Oftentimes, organizations put more structure and formality on the front-end of their third-party management process (i.e. sourcing & procurement, risk & due diligence, contracting, etc…) but they don’t give enough attention to the importance of having well-defined offboarding procedures.

Here are six important tips to consider when a vendor relationship is ending.

1. Access to systems and information

Vendors are often given varying levels of access to systems throughout the duration of their contract (i.e. VPNs, network backbones, telecommunication systems, direct access to internal systems, etc…) in order to deliver the goods/services they were hired to provide. Keep a detailed log of all the systems/information your vendors have access to (and which personnel specifically have access). This type of log should be referenced during the offboarding process to ensure all identified access points to your company’s information are terminated/revoked.

2. Physical access to buildings

The nature of the work a vendor performs for your company may require that they have on-site access to your offices and/or buildings. Similar to the tip provided above about a vendor’s access to systems & information, it’s important to keep a log of the personnel who have access to your premises, and also how they have access (i.e. key fob, building key, access codes, etc.). Once their contract expires and on-site access is no longer required, activities you should consider include 1) ensuring the vendor returns any building key fobs and/or badges, 2) notifying pertinent staff (i.e. receptionists, security personnel, etc.) that the vendor no longer has on-site access and/or 3) updating internal systems related to building access.
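Tips 1 and 2 both come down to the same control: an access log that lists every logical and physical access point each vendor employee holds, reconciled against revocation confirmations so nothing is left open. The reconciliation below is an added example written for this post, not code from Vendor Centric or any vendor management product; the vendors, people, systems and the `AccessGrant`/`REVOCATIONS` structures are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessGrant:
    """One entry in the access log: who at which vendor holds what."""
    vendor: str
    person: str
    resource: str      # system or physical access point, e.g. "vpn", "hq-key-fob"
    kind: str          # "logical" (systems/information) or "physical" (buildings)
    granted_on: date


# Constructed sample access log; vendors, people and systems are fictional.
ACCESS_LOG = [
    AccessGrant("Acme Facilities", "j.doe", "hq-key-fob", "physical", date(2019, 3, 1)),
    AccessGrant("Acme Facilities", "j.doe", "building-alarm-code", "physical", date(2019, 3, 1)),
    AccessGrant("Acme Facilities", "r.roe", "hq-key-fob", "physical", date(2019, 6, 15)),
    AccessGrant("DataCo Analytics", "a.lee", "vpn", "logical", date(2018, 11, 20)),
    AccessGrant("DataCo Analytics", "a.lee", "sftp-customer-extracts", "logical", date(2018, 11, 20)),
    AccessGrant("DataCo Analytics", "m.chan", "vpn", "logical", date(2019, 1, 8)),
]

# Constructed revocation confirmations: (person, resource) pairs that the
# owning team has confirmed as removed during offboarding.
REVOCATIONS = {
    ("a.lee", "vpn"),
    ("a.lee", "sftp-customer-extracts"),
    ("j.doe", "hq-key-fob"),
    ("k.old", "vpn"),   # confirmation with no matching grant: a log hygiene problem
}


def offboarding_checklist(vendor, access_log=ACCESS_LOG):
    """Everything the vendor's personnel hold, grouped by person, for the offboarding run."""
    checklist = {}
    for grant in access_log:
        if grant.vendor == vendor:
            checklist.setdefault(grant.person, []).append((grant.resource, grant.kind))
    return checklist


def outstanding_access(vendor, access_log=ACCESS_LOG, revocations=REVOCATIONS):
    """Grants for the vendor that have no revocation confirmation yet."""
    return [g for g in access_log
            if g.vendor == vendor and (g.person, g.resource) not in revocations]


def unmatched_revocations(access_log=ACCESS_LOG, revocations=REVOCATIONS):
    """Confirmations that match no logged grant: the log is incomplete or the confirmation is wrong."""
    logged = {(g.person, g.resource) for g in access_log}
    return sorted(revocations - logged)


def offboarding_complete(vendor, access_log=ACCESS_LOG, revocations=REVOCATIONS):
    """True only when every logged grant, logical and physical, has been revoked."""
    return not outstanding_access(vendor, access_log, revocations)


if __name__ == "__main__":
    for vendor in ("Acme Facilities", "DataCo Analytics"):
        print(vendor, "checklist:", offboarding_checklist(vendor))
        for g in outstanding_access(vendor):
            print("  STILL OPEN:", g.person, g.resource, f"({g.kind})")
        print("  complete:", offboarding_complete(vendor))
    print("revocations with no grant on file:", unmatched_revocations())
```

The `unmatched_revocations` check is the part most teams skip: a confirmation for an account that was never logged means the access log was incomplete, which is exactly the condition under which an access point survives offboarding unnoticed.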

3. Return of equipment/property

In cases where a vendor was lent equipment/property to perform their contractual obligations (i.e. laptop, tablet, computer peripherals, etc.), a process should be in place to ensure all equipment/property is accounted for and returned. Software (or self-generated logs) can be utilized to document, tag and identify issued, returned and missing equipment. Software/logs should also document the condition of the equipment after return and/or missing parts.

4. Contract deliverables

As with the other tips in this article, documentation is key! The path from contract start to contract completion often deviates from the terms stipulated in the original agreement. This can be due to scope changes, unplanned delays or other unforeseen circumstances. It’s imperative that, during the length of the vendor relationship, any contract deviations (specifically those that impact contract deliverables) are documented in writing. Nothing should be left to memory. During the offboarding process, you should ensure that all goods or services the vendor was contracted to provide were actually delivered.

5. Final payments

During the offboarding process, it is vital to ensure that all vendor invoices have been settled. This often goes hand in hand with Tip #4 (Contract Deliverables), since it is not uncommon for payments to be tied to milestones or deliverables (i.e. the vendor is paid once certain deliverables are received and approved).

6. Updates to the vendor profile

A best practice for any third-party risk management program is the utilization of a vendor management system. These types of systems come in all shapes and sizes (and with varying levels of functionality), but at their core is the ability to create a Vendor Profile (i.e. what is the vendor’s legal name, who are your primary points of contact, what active contracts do you have with the vendor, etc.). When a vendor relationship ends, it’s critical to ensure that the vendor’s profile is updated accordingly. Following this simple tip will allow you to keep an accurate inventory of your third-party relationships.

We all know that a business can’t operate in a vacuum. You have to collaborate with vendors, clients, suppliers, specialists, and plenty of other third-party partners. As a natural result, these organizations provide critical services and have access to data about your company and your customers. You need to manage the exposure risk that those third parties carry.

This is where continuous third party monitoring comes in. In the body that makes up your third party risk management program, continuous monitoring is the eyes and ears—constantly evaluating critical information to help you make wise decisions.

What is Continuous Third-Party Monitoring?

Continuous third-party monitoring is exactly what it sounds like. You identify key risks you need to monitor and manage with your third parties and track them continuously—often in real time. Continuous monitoring gives you visibility into the ongoing risk posture of your third parties, allowing you to identify risks and vulnerabilities as soon as they happen—sometimes even earlier. Some of the risks that are natural to include in a continuous monitoring program include:

· Operational integrity
· Data security operations
· Data security environment
· Fourth parties

It’s important to keep in mind that continuous third-party monitoring is not a replacement for point-in-time due diligence. Rather, it’s complementary. It’s always important to do a deep dive with your third parties using a due diligence questionnaire before you enter into a contract, and on a periodic basis thereafter based on the inherent risk they present. High risk third parties are typically assessed annually, while moderate and lower risk third parties are assessed less frequently.
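The periodic cadence described here, together with the relationship-change triggers from best practice #8 above (contract modifications, module additions, new types of data exposed), can be turned into a simple reassessment queue. The scheduler below is an added example for this post, not Vendor Centric code or the output of any monitoring tool. The annual interval for high-risk third parties comes from the text; the two- and three-year intervals for moderate and low tiers, the event names and the sample vendors are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Reassessment interval by inherent-risk tier, in years. The annual cadence for
# high-risk third parties is from the post; the moderate and low intervals are
# assumptions chosen for the example, not figures from the post.
TIER_INTERVAL_YEARS = {"high": 1, "moderate": 2, "low": 3}

# Relationship changes treated as triggers for an out-of-cycle reassessment
# (assumed event names for the kinds of changes the post describes).
TRIGGER_EVENTS = {"contract_modified", "module_added", "new_data_type"}


@dataclass
class VendorRecord:
    name: str
    tier: str                    # "high", "moderate" or "low"
    last_assessed: date          # date of the last point-in-time due diligence
    events: list = field(default_factory=list)   # (date, event_type) observed on the relationship


def add_years(d, years):
    """Same calendar day `years` later; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def next_due(record):
    return add_years(record.last_assessed, TIER_INTERVAL_YEARS[record.tier])


def reassessment_reasons(record, today):
    """Why this vendor needs reassessing now: periodic cycle, trigger events, or both."""
    reasons = []
    due = next_due(record)
    if today >= due:
        reasons.append(f"periodic review due {due.isoformat()}")
    for when, kind in record.events:
        # only triggers that happened after the last assessment and not in the future
        if kind in TRIGGER_EVENTS and record.last_assessed < when <= today:
            reasons.append(f"trigger {kind} on {when.isoformat()}")
    return reasons


def reassessment_queue(records, today):
    """Vendors needing reassessment with their reasons, highest tier first."""
    rank = {"high": 0, "moderate": 1, "low": 2}
    queue = [(r, reassessment_reasons(r, today)) for r in records]
    queue = [(r, why) for r, why in queue if why]
    queue.sort(key=lambda item: (rank[item[0].tier], item[0].name))
    return [(r.name, why) for r, why in queue]


# Constructed sample population; names and dates are fictional.
SAMPLE_VENDORS = [
    VendorRecord("Payroll SaaS Co", "high", date(2019, 1, 10)),
    VendorRecord("Cloud Backup Inc", "high", date(2019, 9, 1),
                 events=[(date(2019, 12, 2), "new_data_type")]),
    VendorRecord("Office Supply Ltd", "low", date(2018, 6, 30),
                 events=[(date(2019, 11, 5), "invoice_paid")]),   # not a risk trigger
    VendorRecord("Marketing Agency", "moderate", date(2018, 1, 1)),
]


def queue_on(year, month, day, records=SAMPLE_VENDORS):
    """Convenience wrapper: the reassessment queue as of a given calendar date."""
    return reassessment_queue(records, date(year, month, day))


if __name__ == "__main__":
    for name, why in queue_on(2020, 1, 15):
        print(name, "->", "; ".join(why))
```

Run as of 15 January 2020, the queue lists the high-risk vendors first: one because a new data type was exposed after its last review, one because its annual review date has passed, followed by the moderate-tier vendor whose two-year cycle has elapsed; the low-tier vendor with only a payment event is not queued.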

Continuous Monitoring Benefits and Goals

A well-designed continuous monitoring program provides a close to real-time picture of the risk posture of your key third parties. It allows you to move from reactive (months after an event occurs) to proactive (days or weeks). Continuous monitoring also allows you to see trends that can help you predict when something bad may happen before it happens.

Market surveys of companies that use continuous third-party monitoring show that those companies report improvements in risk management due to their ability to:

· See trends in financial health
· Be alerted to negative news or litigation as it is happening
· Reduce the amount of time required for security event identification
· Compare security postures
· Screen vendors more effectively based on real-time risk
· Prioritize remediation activities

5 Key Questions to Help Shape Your Third-Party Continuous Monitoring Program

When you think about implementing a third-party continuous monitoring program, it’s important to be clear on your focus and start with your end goals in mind. And always take a risk-based approach to building out your program. Since every company’s risk appetite is different, you need to define which vendors and risks meet the requirements for continuous monitoring. Here are five key questions you’ll need to answer to start shaping out your program.

1. Which categories of vendors (and other third / fourth parties) require monitoring and why?
2. What are the key risks you need to manage for each of those categories of vendors?
3. What type of monitoring data will be most helpful to you in managing those risks?
4. What third-party monitoring software is best equipped to provide you this data?
5. Who in your company is going to be responsible for reviewing the results?
6. What are you going to do when you identify an actual problem with a key vendor?

Integrating a third-party continuous monitoring program into your existing TPRM program is critical to managing risks in a world where those risks can change daily. If you need help establishing your program, Vendor Centric can help. Contact us today to get a free, tailored initial consultation.

RiskRecon gets acquired by Mastercard. CyberGRX gets $40 million in Series D funding bringing their total equity financing to $100 million. Security Scorecard raised $50 million in Series D funding and doubled their customer base in 2019, now having more than 1,000 global customers. Panorays raises $15 million in Series A funding.

These are just a few of the headlines from 2019, with many of them coming in just the last 30 days. I am sure we will continue to see more investment and growth in 2020. As the old saying goes, “Follow the Money.” If we follow the money, it paints a clear picture that Third-Party Data Monitoring Tools, to mitigate the residual risks of working with third-party vendors, have arrived and will be a core component of best-practice based vendor/third-party risk management programs for years to come.

Gone are the days of doing one due diligence questionnaire per year with a vendor and hoping that nothing goes wrong until the next questionnaire is due to be filled out. Hope is not a strategy!!

With data privacy and cybersecurity risk driving significant new regulatory compliance combined with the growth in reliance on working with third-party vendors, companies face the daunting task of how to most economically manage and mitigate the risks associated with these third parties.

It is not an accident that we are seeing all of these headlines about the money flowing into these third-party data monitoring companies. If you live by the proverb “where there is a will, there is a way” you can understand that the emergence of these new technology companies comes in direct response to the massive growth in third-party risk that companies of all sizes and in all industries are facing.

As you look to develop or assess & improve a third-party risk management program in 2020, make sure to give serious consideration to these cyber risk and corporate health data monitoring tools. By integrating these tools into your program, you’ll ensure you are actively monitoring and mitigating the residual risk associated with working with your third parties.

Give serious thought to adding one or more third-party data monitoring tools in 2020 to support a more continuous approach to mitigating risks and managing your third-party relationships. The good news is that costs associated with these types of tools are expected to become more commoditized as the category for these types of companies continues to grow and mature.

As we enter 2020, the current pace of regulatory change is unprecedented. Governments the world over are implementing new regulations and in the United States there are a range of new regulations from federal and state authorities which all seem to have a requirement related to third-party oversight.

Of course, these new regulations are being driven by the increased data privacy and cyber risk which all companies, no matter how big or small, are facing today. Complicating the matter more is the reality that companies can no longer focus only on their internal risks, but must also address the risks from their third parties and their fourth parties (the larger ecosystem of the vendors of your vendors).

That’s why most companies are turning to third-party risk management experts and technology providers to help them implement policies, programs and tools to mitigate these risks and ensure compliance.

Let’s take a look at 6 of the hottest topics we’re seeing in the market in the hope that it will help you enter 2020 with your eyes wide-open ready to optimize your third-party risk management program.

1. Taking fourth-party risk seriously

You’re probably working with a growing number of third parties. In the modern business world, it’s all but inevitable. However, are your third parties also working with their own third parties? If so, that’s a fourth party, and you need to worry about their activities and the risks posed as well.

These days, fourth party risk mitigation is something every company should implement. As such, it’s important to ensure your third-parties have a comprehensive approach to managing the risk with their vendors, your fourth parties and risks they might present.

2. Third-party concentration risk

If you’re overly reliant on a particular third party, it’s going to increase your risks. Investors diversify their portfolios in order to reduce risk. Likewise, it’s often best to diffuse your risks among a number of third parties. Identify which vendors and which risks would have the most impact on your company’s core operations and ensure you mitigate that risk with continuity plans and additional vendors providing similar or duplicative products or services.

3. Continuous risk monitoring

The days of only doing due diligence on an annual or bi-annual basis are over; that cadence just doesn’t work any longer. Quarterly or annual updates on risk-related issues are not enough. Instead, risk management needs to be a continuous and ongoing process. There is an emerging sector of data intelligence and monitoring tools which should be integrated into every third-party management program to ensure you have a comprehensive and real-time approach to mitigating risk with your third and fourth parties.

4. Vendor management automation

Increasingly, companies are using automation to manage and provide oversight throughout the full lifecycle of their relationship with their vendors. Doing so reduces risks and with automation, many tedious manual tasks are streamlined and, if possible, eliminated by leveraging the system. This ensures your employees can focus more on their oversight responsibilities and rely on reminders and other workflow improvements to do their jobs more effectively which results in improved risk mitigation.

The banking industry was a pioneer in automation, which allowed many banks to greatly increase productivity while reducing risks. Now, other industries are following suit. Industries heavily impacted by regulations, such as the insurance industry, healthcare, utilities, and companies that collect a lot of data, have been especially aggressive in adopting vendor risk management automation.

Fortunately, there are a number of great vendor management automation tools available.

5. Modernizing contractual standards

The contracts of yesteryear are often no longer enough given the current regulatory environment. For example, new data privacy regulations mean that old contracts don’t provide enough protection and oversight when it comes to managing data. Contractual gaps could increase your exposure to 3rd and 4th party risks.

Consider data breaches. In many states, companies are required to notify authorities and consumers in the event of a data breach. Yet what if a 3rd or 4th party is responsible for a data breach? Have you outlined in your contracts that they must notify you (so you can then notify relevant parties)?

If not, outside contractors may fail to report the data breach, but you could ultimately be held responsible. That’s why it’s best to audit contracts and to modify them when and where necessary. It’s smart to start with your highest risk vendors and work your way down.

6. Insurance

Finally, one of the most important tools in your third-party risk toolkit is insurance. Like auditing and updating your contractual standards and existing agreements, you should also work with your insurance risk consultants to review and update your coverage requirements with your third parties to ensure that the growing risk from those relationships is effectively mitigated in their insurance coverage on your behalf.

It is also highly recommended to do a thorough review of your direct insurance coverages to ensure you have the comprehensive protection you need. One of the emerging areas of coverage is Cyber Insurance so make sure to include that in your planning process.

The Year Ahead

While these topics weave together as a cautionary tale, our team at Vendor Centric enters 2020 with a great deal of excitement and passion for what lies ahead. We know that this work is not easy but hope that these hot topics help you as you develop your plans, priorities and budgets. We are always here to help but know that with the right approach and resources we can all engage in effective third-party risk management.

Happy Holidays and have a very Blessed 2020!!

Third-Party Risk Never Sleeps

As you consider the evolution of managing the risk associated with your third-party vendors, you can go back in a time machine to when many business relationships started with a handshake.

If we go back to these earliest days of doing business, things were at a much different pace and the farmers, traders and business owners could have never imagined our high-tech world and the risks we are experiencing in 2019.

Some of the most challenging risks relate to data privacy and cybersecurity. With third parties having access to your most sensitive data (PII) and many having their systems linked into one or more of your critical business systems, you need to ensure your third parties have the required security and controls in place to mitigate these risks.

There are still many companies that don’t have a formal due diligence process for their third-party vendors. Not only should you complete a risk and due diligence assessment before you sign a contract with a new vendor, you need to reassess these vendors at a frequency that aligns with the risk appetite of your company.

For high risk vendors with access to your systems and protected customer data, you should be reassessing them at a minimum on an annual basis if not more frequently.

Risk Monitoring and Data Intelligence Services

There is an emerging best practice in the third-party risk management sector to implement ongoing risk monitoring and data intelligence services. These solutions provide continual monitoring of critical risks to notify you with updates about risk factors and news about your third parties to enable you to actively manage these risks. This has been aided by the emergence of a new category of technology and data intelligence solutions specifically created to address continual monitoring and mitigation of third-party risk. Below is a summary of the different categories of these solutions:

Cyber Risk Monitoring

Tools and services deployed to perform point-in-time and continual monitoring of a third party’s digital systems and ecosystem, to notify companies of any security threats, vulnerabilities or control gaps in the cyber risk posture of their third parties.

Financial Health Risk Monitoring

Subscription services and one-time reports which provide real time updates about the financial health and risk factors of third-party vendors.

Restricted Party Sanctions Screening

Tools and services which can automate the screening of sanctions lists like OFAC, SAM and over 600 restricted party lists from government institutions world-wide.
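The core of automated sanctions screening is matching a vendor’s legal name against list entries that may be spelled, ordered or suffixed differently, without flooding the reviewer with false positives. The screener below is an added example written for this post, not code from Vendor Centric or from any screening vendor, and it does not query OFAC, SAM or any real list: the restricted-party entries, list names and legal-suffix table are constructed placeholders. It normalizes names (case, punctuation, legal-form suffixes, word order) and then scores similarity with Python’s standard-library `difflib`, so a typo such as “Traiding” still surfaces the entry.

```python
import re
from difflib import SequenceMatcher

# Legal-form tokens that carry no identifying information and are dropped before
# comparison. Assumed list for the example; production screeners use far longer ones.
LEGAL_SUFFIXES = {"llc", "inc", "ltd", "limited", "co", "company", "corp",
                  "corporation", "gmbh", "plc", "sa", "ag"}

# Constructed restricted-party entries. The list names and organisations are
# fictional placeholders, not entries from OFAC, SAM or any real list.
RESTRICTED_PARTIES = [
    {"list": "CONSTRUCTED-LIST-A", "name": "Acme Trading Company", "aka": ["Acme Trade Co"]},
    {"list": "CONSTRUCTED-LIST-B", "name": "Zephyr Maritime Holdings Ltd", "aka": []},
    {"list": "CONSTRUCTED-LIST-A", "name": "Globex Import Export GmbH", "aka": ["Globex Imports"]},
]


def normalize(name):
    """Casefold, drop punctuation and legal suffixes, sort tokens so word order does not matter.

    Dots are removed first so that "L.L.C." collapses to "llc" instead of three tokens.
    Non-ASCII letters are stripped by the regex; a production screener would transliterate them.
    """
    text = name.replace(".", "").casefold()
    tokens = re.sub(r"[^a-z0-9]+", " ", text).split()
    tokens = [t for t in tokens if t not in LEGAL_SUFFIXES]
    return " ".join(sorted(tokens))


def similarity(a, b):
    """Ratio in [0, 1] between the normalized forms of two names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(candidate, restricted=RESTRICTED_PARTIES, threshold=0.85):
    """Return (list, entry name, best score) for every entry scoring at or above the threshold.

    Each entry is scored against its primary name and all aliases; the best score is kept,
    so an entry produces at most one hit. Hits are sorted strongest first for the reviewer.
    """
    hits = []
    for entry in restricted:
        names = [entry["name"], *entry["aka"]]
        best = max(similarity(candidate, n) for n in names)
        if best >= threshold:
            hits.append((entry["list"], entry["name"], round(best, 3)))
    hits.sort(key=lambda hit: hit[2], reverse=True)
    return hits


if __name__ == "__main__":
    for vendor_name in ("ACME Trading LLC", "Acme Traiding", "Globex Imports Ltd", "Northwind Foods Inc"):
        print(f"{vendor_name!r}: {screen(vendor_name) or 'no match'}")
```

The threshold is the operational knob: lower it and more misspellings are caught at the cost of more manual review; every hit should still be cleared by a person against the list’s identifiers (addresses, registration numbers) rather than on the name score alone.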

Business Verification & Background Checks

Subscription services and one-time reports to verify a business’s legal registration and to run background checks on employees and third-party contractors.

License and Certification Verification

Subscription services and one-time reports to verify professional licenses and certifications for employees and third-party contractors.

Ongoing Due Diligence of Third Parties

As you create a plan for due diligence of third parties, both before you execute a contract with them and at a frequency that aligns with your company’s risk appetite, consider integrating one or more of these monitoring and data intelligence solutions. By adding this to your third-party risk management program you will ensure you have made a thorough investment in the risk mitigation practices to best prepare and protect your company from third-party risks.

Whether you agree with the cause and effects of climate change or not, there is no doubt that organizations across the world play a large role in our environment and society. The idea of “Social Responsibility” has become more and more prevalent and impossible for consumers to ignore.

As it relates to a corporation, Social Responsibility implies that a corporation has a duty to act in the best interest of their environment or society. Examples include reducing their carbon footprints, improving labor policies by embracing fair trade, and changing certain corporate policies to benefit the environment.

The four types of Corporate Social Responsibility fall into these categories:

  1. Environmental
  2. Ethical business practices
  3. Direct philanthropic giving
  4. Economic responsibilities

In this post, learn how your organization’s Procurement department can accelerate the impact of your corporate social responsibilities

1. Get creative with your tactics!

When most people think sustainability, they think directly sourcing sustainable goods or products. But what if this isn’t possible? What if your organization simply doesn’t make enough purchases to have a measurable impact on the environment?

Well, one of the methods companies are turning to is looking at indirect methods of reducing their environmental impacts. A few examples: only ordering products that can be delivered using electric vehicles, contracting with a facilities management company that uses energy-efficient and electric power tools and/or mowers, or having your cleaning crew switch to environmentally friendly cleaning products. The combination of these efforts truly makes a large impact.

2. Understand your sources

The introduction of blockchain allows procurement organizations to effectively manage and track the origin of the products and materials they purchase. This directly contributes to the business’s ethical business practices rating. For example, purchasing raw materials such as wood or steel from a country for very cheap may seem harmless on the surface. However, if the source harms the local population or environment, then that could reflect poorly on the business’s social responsibility. If that wood purchase contributes to massive deforestation and habitat destruction, many people and communities could face harsh results.

For those that don’t know, blockchain is defined as: “A blockchain is a growing list of records, called blocks, that are linked using cryptography. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. By design, a blockchain is resistant to modification of the data.”
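The definition above describes a hash chain: each block commits to the previous block’s hash, so changing any earlier record breaks every link after it. The code below is an added example for this post, not Lumachain’s or any blockchain platform’s code, and it is a single-party chain with no consensus or distribution; the timber provenance records, timestamps and field names are constructed. It builds a chain of custody records, verifies it, and then shows that rewriting an origin record is detected even when the tamperer recomputes that block’s own hash.

```python
import copy
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Block:
    index: int
    timestamp: str     # fixed ISO strings here so the example is deterministic
    data: dict         # the custody/transaction record for this block
    prev_hash: str     # hash of the previous block: the link in the chain
    hash: str = ""


GENESIS_PREV = "0" * 64   # the first block has no predecessor


def compute_hash(block):
    """SHA-256 over a canonical JSON encoding of everything except the hash itself."""
    payload = {"index": block.index, "timestamp": block.timestamp,
               "data": block.data, "prev_hash": block.prev_hash}
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


def build_chain(entries):
    """Append each (timestamp, data) record as a block linked to its predecessor."""
    chain, prev = [], GENESIS_PREV
    for index, (timestamp, data) in enumerate(entries):
        block = Block(index, timestamp, copy.deepcopy(data), prev)
        block.hash = compute_hash(block)
        chain.append(block)
        prev = block.hash
    return chain


def verify_chain(chain):
    """Return (True, None) if every block is intact and linked, else (False, first bad index)."""
    for i, block in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash
        if block.index != i or block.prev_hash != expected_prev or compute_hash(block) != block.hash:
            return False, i
    return True, None


# Constructed provenance records for a timber purchase; all values are fictional.
SAMPLE_ENTRIES = [
    ("2019-10-01T08:00:00Z", {"event": "harvested", "origin": "Certified Forest A", "lot": "LOT-001"}),
    ("2019-10-05T12:30:00Z", {"event": "milled", "facility": "Mill 7", "lot": "LOT-001"}),
    ("2019-10-20T16:45:00Z", {"event": "received", "buyer": "Example Procurement Dept", "lot": "LOT-001"}),
]


def tamper_demo():
    """Show that rewriting history is detected, even if the tampered block's own hash is redone."""
    chain = build_chain(SAMPLE_ENTRIES)
    ok_before, _ = verify_chain(chain)

    chain[0].data["origin"] = "Unverified Supplier X"   # rewrite provenance after the fact
    ok_after, bad = verify_chain(chain)                  # block 0 no longer matches its hash

    chain[0].hash = compute_hash(chain[0])               # "repair" the edited block
    ok_repaired, bad_repaired = verify_chain(chain)      # now block 1's prev_hash is stale
    return ok_before, (ok_after, bad), (ok_repaired, bad_repaired)


if __name__ == "__main__":
    print(tamper_demo())   # (True, (False, 0), (False, 1))
```

One caveat matters for procurement use: a chain held by one party is tamper-evident, not tamper-proof. Whoever controls the whole ledger can rebuild every hash from the altered block onward, so the integrity guarantee only holds against parties who cannot rewrite all later blocks, which is why real deployments distribute copies or anchor the latest hash with an independent party.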

Lumachain is a company focused on making strides in this area. Learn more here.

3. Give to causes that support your mission

One of the growing behavioral epidemics amongst teens is car theft and vandalism. This has always been a problem, but the crime has started to grow at an alarming rate. By nature, this is a great opportunity for insurance companies to get involved. When a child steals a car or spray paints a building, more often than not, insurance companies will see some losses when they must replace or repair the property. But how would they tackle this issue?

Once again, creativity and looking at the root cause could contribute to the solution. Insurance companies that invest in youth programs that help educate and improve youth opportunities understand the larger impacts that these problems have on their bottom line and, more importantly, on society.

Organizations should take a holistic view on society and determine philanthropic methods of influencing change as it relates to their own mission.

4. Economic responsibilities

Economic responsibility relates to growing the business in a sustainable and responsible manner. Typical examples of this are manufacturing companies that incorporate recycled materials.

Governmental policies are often introduced to make significant changes to business practices. For example, straws and single-use plastics have been banned in some cities. To respond to this policy and remain responsible, some companies have adopted biodegradable straws or reusable metal straws. Both get the job done while contributing to the bottom line of growing profits and remaining competitive.

This is another opportunity for innovation and creativity. Not all companies have the opportunity or need to change materials that are crucial to their process. Some changes are direct sources of what is being sold. For example, harvesting caviar often involves slicing the fish open to remove the delicacy. Obviously, the fish does not live using these methods. Through innovation, some companies have developed a no-kill method to harvest caviar, leading to a sustainable and economically responsible process.

Get creative

The human race will forever be a society of innovators and problem-solvers. No matter the issue, we can find a solution. Not all problems can be solved through better procurement practices, but there is no doubt that the sourcing organization of your company can play a key strategic role in contributing to your social responsibility goals.

This blog originally appeared on the Strategic Sourceror.

I’ve reviewed and negotiated a lot of vendor contracts and have found that the best ones are clear, complete and mutually beneficial. However, most contract documents are originated by the vendor and are written specifically to protect their interests.

Starting with a vendor’s standard contract is fine, but it doesn’t mean the language is written in stone. It’s extremely important that your interests are reflected in the contract, and that the appropriate language is incorporated throughout to ensure it benefits and protects all parties.

Outlined below are nine contractual provisions you want to get right. You’ll not only start your vendor relationship off on the right foot, but you may also sleep a little better at night.

1. Term and Termination

The term of your contract is always negotiable. Many vendors will offer better pricing with a longer term, but that also means you’ll be locked into that relationship for a while. This can be a good thing with proven vendors, but is always a risk with a new vendor relationship.

In your contract be sure to define the term but, more importantly, be very specific about how the contract can be terminated and the penalties, if any, for early termination. You don’t want any surprises down the road if you do need to get out of a contract.

2. Definitions

Some vendors use a lot of jargon, oftentimes specific to their industry or company. Some of this jargon can affect the interpretation of important clauses in your contract. Make sure your contract clearly defines all key terms and ambiguous language, especially as it relates to products, pricing and services.

3. Scope of Products, Services and Support

These clauses can oftentimes be grey areas, and can lead to conflicting expectations and additional costs. Ensure language is specific to the products and services covered under the contract, and to the level of support the vendor will provide. This is especially important if your contracted pricing is on only a core list of products and services; be sure to document exactly what is ‘on’ and ‘off’ contract. Also, be sure to include service level expectations (and potential penalties) if the vendor provides mission critical products or services.

4. Pricing

The pricing section is simply the documentation of your business negotiations, and should reflect everything that you’ve agreed to in those negotiations including:

  • Pricing of ‘on-contract’ products/services and, if applicable, ‘off-contract’ products/services
  • Length of time the pricing will remain in effect
  • Protocol for pricing adjustments
  • Required minimums to receive contracted pricing, if any
  • Handling of special or project pricing, if applicable

5. Ordering, Delivery, Invoicing and Payment

This section (or sections) should define expectations of how you buy, receive and pay for the goods or services with the vendor. While there is typically not much here to negotiate, it is important to document expectations. Here are a few things to consider:

  • Some vendors provide contracted pricing only if you order online or through a local branch. Be sure to define this if it is applicable.
  • If the vendor has retail locations and has agreed to provide contracted pricing for purchases made at those locations, document that as well.
  • Document any agreements you’ve made with regard to timeliness of delivery (e.g. next day) and cost of delivery (e.g. free delivery if more than $XX). The same holds true for out-of-pocket expenses for professional service contracts.
  • Document the frequency and format of invoices, especially if you have multiple locations.
  • Document the form of payment accepted by the vendor if required to receive contracted pricing. For example, some vendors will honor special pricing when paid by credit card while others will not.

6. Account Management and Reporting

If you are going through the process of contracting with a vendor it likely means this is a high cost or high importance area of operations. If that’s the case, make sure your contract is specific with regard to how your account will be managed and the level of reporting that is available to you. Key items to consider include:

  • Will you have a dedicated account manager or will you be a ‘house account’?
  • Will your vendor provide you with regular business reviews to help with ongoing cost management, and to identify ways to better leverage their products and resources?
  • What type of spend reports will be available to you and how can you access those reports?

7. Title, Risk of Loss and Warranty

This can be the most important component of the contract, especially if the contract is for services for the development of a system, product or involves the collection of data. In this section you want to be very clear on who owns the work product and/or data associated with the contract. In the vast majority of cases, YOU want to own the product and the data. Be sure to get your legal counsel involved in approving this section of the contract.

8. Data Privacy and Protection

If you are sharing confidential or sensitive information with a vendor, this will be a critical clause in your contract. Data protection is a huge topic. International regulations like the General Data Protection Regulation (GDPR) and domestic regulations like the California Consumer Privacy Act (CCPA) are getting big headlines and requiring companies to make some major updates to their standard contractual provisions.

Some of the vendors that may have access to your sensitive data include software providers, temp agencies/contractors and consultants. Think about anyone that may have access to data both electronically and on paper. When you work with these types of vendors, be sure to establish clear requirements for access, handling and destruction (when the contract is over) of your sensitive data. Also be sure to include breach notification requirements, as many states have established requirements for you to provide notification of a breach when one happens.

9. Cover Yourself (Legal)

Every vendor contract will include a section of stuff that no one wants to read, but is as important as every other section of the contract. If your organization uses standard language for ‘the legal stuff’, use it when you can. Chances are your vendors will have their own language, and you may need to negotiate some of these sections. If you don’t have standard language, get your legal counsel involved. Here are the key areas you will likely want to be sure to cover (in no particular order).

  • Confidentiality
  • Counterparts
  • Force majeure
  • Governing law
  • Indemnification
  • Insurance
  • Limitations of liabilities
  • Modifications
  • Notices
  • Relationship between parties
  • Responsibility for compliance with laws
  • Severability
  • Successors and assigns
  • Survival
  • Transferability and assignment
  • Use of marks and press
  • Waiver

Always remember – solid pricing is only one component of a great contract. Be sure to address all nine components to keep your risk low and create something of real value for you and your organization.

Note: This post was originally published in January 2017 and has been updated to reflect new insights on handling data privacy in contracts.

Tom is Founder & CEO of Vendor Centric. Connect with Tom on LinkedIn or drop him a note at trogers@vendorcentric.com.

One of the questions I get asked frequently is “who qualifies as a third-party?” It’s a great question because the third party ecosystem encompasses a lot more than just suppliers.

A third-party is any company or individual with which or whom you have entered into a business relationship to:

  • Provide goods and services for your own use
  • Perform outsourced functions on your behalf
  • Provide access to markets, products and other types of services

Companies often have more third parties than they realize. Depending on the industry you’re in, examples of third parties can include:

  • Consultants and independent contractors
  • Subcontractors
  • Temporary agencies
  • HR and payroll companies
  • IT hardware, services and support
  • Accountants and auditors
  • Lawyers
  • Banks
  • Credit card processors
  • Agents and brokers
  • Software and software hosting companies
  • Printers
  • Fulfillment and mail houses
  • Parts manufacturers

Managing Risks with Third Parties

Identifying your third parties is important. But what’s even more critical is identifying and managing your risks with them.

Third-party risk management is the process whereby an organization monitors and manages the potential exposure to problems, harm or loss that arise from interactions with all external parties with which it has a relationship. This may include both contractual and non-contractual parties. In other words, you don’t need to have a contract with a vendor for them to have risks that need to be managed.

Five-Step Process for Assessing Third-Party Risk

There are a variety of risks that you need to assess and manage with your third parties. Here’s a five-step process for identifying and managing yours.

  1. Identify and classify the third parties with whom you work
  2. Understand your risk exposure
  3. Identify gaps in policies and controls
  4. Prioritize activities to close gaps
  5. Establish process for ongoing risk monitoring

If you need help getting your arms around your third-party risks, we’re here to help.

New Regulations for Insurers

Insurance companies collect and maintain significant amounts of sensitive, nonpublic information. Not surprisingly, they are a target of cyberattacks and a few have faced some of the largest data breaches reported to date. In response, the National Association of Insurance Commissioners (NAIC) adopted a Data Security Model Law in November 2017. The Model Law is intended to provide a benchmark for any cybersecurity program.

The requirements in the Model Law track some familiar data security frameworks, such as the HIPAA Security Rule. It also has many similarities to the New York State Department of Financial Services (NYDFS) regulations (specifically the 23 NYCRR 500). Licensees are not subject to the Model Law unless the state where that licensee is licensed adopts a version of the Model Law. To date, the following nine (9) states have adopted a version of the NAIC Model Law (with other states talking about adoption in the future):

  1. Alabama
  2. Connecticut
  3. Delaware
  4. Michigan
  5. Mississippi
  6. New Hampshire
  7. New York (NYDFS, not NAIC)
  8. Ohio
  9. South Carolina

What This Means to Licensed Insurance Companies

If your insurance company (underwriters, brokers and agents) is licensed in one or more of the states which have enacted these regulations, you are required to comply with the requirements. It is important to have a discussion with stakeholders from Compliance, Risk and IT at a minimum to explore where you are in the process of establishing your cyber program and complying with the NYDFS and NAIC Model Law.

This can include determining if you need to:

  • Establish your cyber program or third-party management program
  • Assess the program you already have in place to determine if it is in compliance
  • Perform an audit of activities to confirm that policies and procedures are being followed and adequately documented.
  • Identify ongoing support and resource requirements for the Chief Information Security Officer (CISO) or Vendor Management Office (VMO).

This is not just an exercise of putting a policy in place and checking it off a compliance checklist, as there are ongoing risk management and operational activities which need to be certified annually to the state’s insurance commissioner.

If you have not already done so, you should complete a thorough internal review process with all key stakeholders, including your CISO. You should also share the findings of this review with your Board and keep them apprised of the status of your preparation. Lastly, it is good practice to consult with external subject matter experts to ensure you have insights from people that have worked with these regulations previously and understand what other insurance companies (your peers) are doing to prepare for them.

The positive outcome of all of these emerging regulatory actions is that your organization will have no choice but to ensure you have in place the people, policies and processes required to mitigate your information security risk.

Category Management (CM) can make an otherwise complex and disordered supplier network into a consolidated one that’s easy to navigate. CM is an initiative worth pursuing if you are looking to strategically manage your spend categories and see that your supplier relationships remain high-value in the long term.

In Part I of this series on Category Management, we discussed what exactly category management is and how it applies to procurement. As a quick refresher, procurement teams use category management to separate each product the company produces into individual categories and see that each product category is treated as its own business unit and sourced appropriately.

Today, we will discuss how a procurement team should introduce a Category Management program to their company’s supply chain management processes. Because of CM’s company-specific structure, there is no universal approach. Each category management initiative will be designed based on the nature of the company, what they are producing, what they are buying, and so on. Here is a rough overview of what steps you should take to implement your unique CM program.

Phase 1: Training

Because of CM’s complexity, providing training for employees will prove necessary for introducing the program effectively. Understanding the definition of CM will not be enough; your employees will need to understand the ins-and-outs of the method to apply it to the company. There are online training options that provide engaging and interactive modules to help your employees become acquainted with the information and equipped to carry out the CM method.

Phase 2: Initiation

Next, announce your plans to every internal party that is involved. Make your objectives clear and instruct each team member on how their efforts will serve these goals. Stakeholders will want to know what changes are being made and why. You will also want to establish a new communication plan for you and your cross-functional team. Remember, consistency and clarity are key.

Phase 3: Analysis

Your team should conduct a thorough data analysis to determine the financial impact of each spend category. How you conduct this research will be heavily dependent on the programs that your company utilizes. You might want to consider getting an analyst to normalize the data before you begin if you are using multiple ERPs. This is an important step in identifying which spending categories will provide the most strategic opportunity.

Phase 4: Strategy Creation

The next step is designing your unique category management system. After your team has a good understanding of your spending habits, you can decide how you would like to split up product categories and figure out which are of the most immediate importance. In this phase, you’ll also want to decide the roles of the team members. You can organize category managers by unit level, have centralized category managers, or establish a hybrid of the two. Another option is outsourcing the full CM process to a consulting firm. Alternatively, you can handle some categories internally and delegate especially tricky categories to a third party using a flex system.

Phase 5: Implementation

It’s time to take action. Put all the hard prep work to use and implement your CM strategy. Because you are just getting started, it’s a good idea to keep a particularly close watch on the CM processes as they go into place. This will allow you to see the processes that are or are not working and quickly make adjustments as necessary.

Phase 6: Continuous Improvement

Last but not least, be sure that you evaluate how your CM initiative is progressing. Did you realize cost savings in the categories you predicted you would? Did you segment the product categories correctly or should the categorization method be altered? Even if everything was executed correctly, the supply market fluctuates and your CM design may need to be modified to align with stakeholder needs. It’s always smart to keep a continuous overview of how your category management process is performing.

These stages represent a tentative model, but they do not necessarily need to be accomplished sequentially. Your company might need to skip a phase, run two phases simultaneously, or have one of them operating throughout the entirety of the process. The task of deciding how to carry out the CM process is up to you and your cross-functional team.

This blog originally appeared on the Strategic Sourceror.

The size and scope of third-party management programs are different from one company to the next. And when it comes to structure, some companies maintain a central vendor management office, while others establish a general framework for their program and push out responsibilities across the organization.

Regardless of how you’ve decided to set up your vendor management function, it’s critical to know who’s responsible for what. RACI charts are a great tool for helping you with that process.

What is a RACI Chart?

A RACI chart (or matrix or diagram) is a visual way to identify the roles of stakeholders involved in a task or a process. RACI is an acronym that stands for Responsible, Accountable, Consulted and Informed. The four letters help to memorize the different roles that people must fill to ensure the proper completion of a process or task.

(R) Responsible: This is the person who is in charge of completing the task. They are responsible for getting the work done or making the decision. It can sometimes be more than one person, but good practice is to minimize the number of people involved.

(A) Accountable: This is the person who has overall accountability for ensuring the task is completed, and ensuring it’s done on time and with quality. Ideally, this should be one person rather than a group to avoid confusion in terms of who actually owns the task. Oftentimes, this can be the person who is also responsible.

(C) Consulted: These are the other stakeholders who have to be consulted first before the work is done. Usually these are experts who have deeper knowledge or experience about the subject matter. The reason why you want your team member to consult with experts first is obvious: you want to limit the risk of failure.

(I) Informed: These are stakeholders who have to be informed about the progress and/or completion of the task. Maybe they are waiting for input so that they can proceed with their own work. Or maybe they just need to know what’s happening. Keeping everyone in the loop and sending out continuous updates is always important.

Using RACI Charts to Support Third-Party Management

Many stakeholders are involved in the process of finding and managing third parties. While the Business Owner (i.e. the person that owns the relationship with the vendor) is always central to the process, other stakeholders can include representatives from technology, information security, legal, compliance, procurement and even risk. Using a RACI Chart to clarify the roles and responsibilities of these folks is extremely helpful.

To illustrate, here is a RACI for a simple risk assessment and due diligence process for a prospective technology vendor. This is just an example as roles and responsibilities are going to differ for each organization.

[Figure: RACI chart for a risk assessment and due diligence process for a prospective technology vendor]

We recommend that all of our clients incorporate some form of RACI Chart in their third-party management procedural documents. And while a RACI Chart is pretty simple to complete, the hard part is oftentimes getting agreement between stakeholders.

If you could use a hand aligning third-party management stakeholders in your company, let’s schedule a time to talk.

A third-party management program (TPMP) is a valuable business function within any organization. As your TPMP grows and matures, you’ll soon realize that all sorts of data about your vendors will need to be captured, digested and reported on. From procurement to contracting to ongoing oversight, the TPMP needs to be able to effectively use reports to help make business decisions regarding your third-party relationships.

Here are four key reports your third-party management program could use to keep your senior staff informed, and to help show the value of a well-running TPMP.

1. Schedule of Vendors with Access to Nonpublic Information (NPI)

During the early stages of your relationship with a new vendor (or even when you are exploring the possibility of additional work with an existing vendor), it is important to understand what type of information your vendor will have access to, and what they will do with that information.

An up-front risk assessment process would usually be where this type of knowledge about your vendor relationship is gathered, and centrally stored. Vendors would then be “tagged” to help the TPMP identify which vendors have access to NPI, and which do not. In the event of a data breach, or even just to keep your CISO or Enterprise Risk Management team aware of potential risks, running this type of report becomes an easy task.

2. Value of Contracts Approaching Expiration/Renewal

Knowing when your contracts are set to expire or renew is a critical component of third-party and contract management. However, contract expiration/renewal dates alone do not tell the whole story. Being able to tie a specific dollar value to each contract adds another layer of information that can help your TPMP and Executives make decisions when contracts are nearing the end of their term.

This is not to say that the larger the value of the contract, the more important the contract is to your organization. Contracts with larger dollar values may, however, require more resources to manage and negotiate… and that is the type of insight your Executive team would love to know.

3. Schedule of Vendors with Incidents

For your organization’s riskier and more strategic vendors, your TPMP should be tracking incidents that impact performance (e.g. system outage, data breach, late deliverable). As Business Owners oversee the day-to-day management of your vendor contracts, and especially when performing periodic performance reviews, it is valuable to know if and when incidents have occurred.

As work is being provided under your vendor contracts, this type of report can also keep your senior staff well-informed about the overall health of your vendor performance.

4. Risks Averted (and Savings Realized) by the TPMP

Running reports to help facilitate smooth operations is great, but you also want to be able to use reports to prove the value of your TPMP to senior staff. One of the ways a mature third-party management program can help do this is by performing contract reviews, oftentimes for your organization’s more strategic vendors.

A contract review could help you identify if there are any gaps in your vendor agreements (i.e. are all of your organization’s required contractual provisions addressed in the vendor contract?). A contract review may also prompt an invoice audit, whereby your Business Owners (in coordination with the TPMP) ensure that the invoices provided by your vendors align with the contracted pricing and invoicing schedules. The results of your reviews and audits can be reported up to the appropriate stakeholders in your organization.

It should be noted that after an agreement has already been signed, updating terms & conditions may not be as easy of a task as it would have been prior to execution. However, with proper negotiation and transparency, it’s worth the effort to identify contractual gaps.

The list of reports above is by no means exhaustive. There are all sorts of KPIs and reports that a third-party management office can use to help manage your organization’s vendor relationships. It will ultimately depend on where your TPMP sits within your organization, what type of system you are using to manage your vendors, and how many resources you have.

This blog comes to us from Megan Ray Nichols of Schooled by Science.

When it comes to improving sustainability and optimizing operations, procurement channels are some of the first places to focus on. After all, the supply chain not only accounts for most costs and sources of inefficiency, but produces more emissions than internal operations typically do.

It’s not just about external parties and processes, however. Inefficiencies can come from within, too. Achieving a transformational change, for the better, means maintaining proper operations across the board, from fostering supplier-buyer relationships to cultivating employee compliance.

But in practice, sustainability is not easy to do. After all, monitoring, communicating and collaborating with hundreds or thousands of suppliers at a time is no small feat. Luckily, there are some things that leaders and managers can do to keep their procurement operations on the right track.

Here are some actionable, effective practices for implementing a more sustainable procurement process.

1. Evaluate Your Existing Setup

More than likely, your business has been involved with its suppliers and partners for many years. Before jumping ship for more efficient and eco-friendly partners, evaluate your existing setup. It may be better to swap merely one or two suppliers at a time, starting small. Besides, the teams you already work with may have green initiatives in place or programs that are actively developing. It’s always a good idea to communicate your plans for improved sustainability, even just to see if anyone else is on board.

Establish a decision framework for choosing new suppliers to work with. When issuing RFPs, be sure to negotiate environmentally sound and resource-efficient practices with potential suppliers. Also, it’s important to secure the most energy-efficient and green products available at the same or lower price than alternatives — something that should always be included in agreements.

2. Define a Code of Conduct and Collaboration Requirements

Collaborating with eco-friendly suppliers and partners is always a plus, but what does that mean? What does it look like for your business, products and practices?

Before diving down the rabbit hole, it’s important to establish a code of conduct and a series of requirements that can apply to all potential and existing suppliers. Make clear what you’re looking for and what their responsibilities will be. What behaviors do you expect to see, how do you want waste handled, and what about emissions? Are there limits or boundaries to said restrictions?

A good idea to honor this is by incorporating ISO standards and becoming certified. The new ISO 20400 explicitly deals with sustainable procurement practices, making it an ideal match for most businesses.

3. Educate and Build Awareness

Establish a team dedicated to corporate social responsibility and sustainability, and employ their help with optimizing the business. More importantly, that team should also invest time educating and spreading awareness about eco-friendly initiatives with suppliers, for both existing and potential prospects.

An alternative for small to medium-sized businesses that don’t have the manpower to create a dedicated team, would be to sponsor online training programs and seminars. By sharing these programs with suppliers, managers can better communicate what they are looking for and what that means for the relationship.

4. Reward and Respond

As you do with employees for conventional operations, it’s important to evaluate and respond accordingly to your suppliers’ progress and achievements. Establish a series of audit mechanisms to grade their commitment to sustainability and reward good behavior. Offer incentives to help encourage greater levels of commitment. Those incentives don’t necessarily have to be monetary, but they should value your partners’ time.

5. Optimize Communication

All this talk about evaluating suppliers and prospects isn’t going to do any good if there are no open channels of communication and collaboration. It’s important to implement a streamlined method of communication across all involved parties, not just internally.

Are there ways to highlight an active process and suggest improvements? What real-time and maintenance opportunities are available to your management team? If something goes wrong, how long until the appropriate contacts are notified?

Once that line of communication is open, it’s just as important to keep it consistent and effective. You and your team must be able to communicate with any partners — not just to evaluate but to help improve collaborative processes, too.

6. Align Core Business Strategies

The adage says to practice what you preach, and that’s true here. Ensure your employees and your operations adhere to sustainable and eco-friendly requirements. If it’s not a priority for your team, then any suppliers and partners you work with are going to follow that example.

That’s why you want to lead by example. Send a strong message to your partners that sustainability is ingrained in your core business practices. It’s not just a movement or an afterthought. It’s a way of life. When they see just how serious you and your constituents are, they’ll make it a priority for doing business with you, as they should.

Sustainable Procurement Starts From Within

While it’s certainly true that suppliers can cause real problems when it comes to sustainability and corporate social responsibility, they are not the sole reason why things go wrong. Green initiatives and improved sustainability start from within, as part of a core business strategy.

These best practices send a clear message that it’s important to establish relevant practices at a foundational level. The best place to start is by educating and training employees, managers and partners as to what they can do to contribute and maintain sustainability. Then it’s on to more actionable strategies, such as incorporating green initiatives internally, collaborating with eco-friendly suppliers and continuing to evaluate the total footprint of your business.

I recently participated in an Exit Readiness podcast that two of my colleagues host. You can find the podcast here if you want to give it a listen. I have to say this provided me an opportunity to explore the importance of third-party risk management and the wide-reaching implications which are uncovered when you are considering buying or selling a business.

Of course, there are the core areas of business valuation that all companies focus their attention on like:

  • Does the company have unique intellectual property and product/services to support sustainable revenue growth?
  • Does the company have an experienced and effective leadership team?
  • Does the company have disciplined operations and financial management controls in place?
  • Does the company have a solid human resources team in place to ensure they are attracting and maintaining an investment in human capital necessary for the company to grow and succeed?

As you would expect, there are a great deal of resources dedicated to the areas of revenue production (sales), expense management (finance) and people management (human resources). The question we help companies grapple with is “how do they control and mitigate the risks associated with working with third-party vendors, suppliers and consultants?” While many companies may be investing an equal amount of capital in relationships with these third parties, most companies are still not making a formal investment in third-party risk management.

Third-party risk management is the process where an organization monitors and manages interactions with all external parties they have a relationship with which may include both contractual and non-contractual parties. These relationships include all vendors, suppliers, consultants, subcontractors, agents, brokers and other service providers.

This process includes establishing the organization’s risk appetite: the level of risk that the organization is prepared to accept in pursuit of its objectives before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings.

It is important for owners planning to exit a business as they look to optimize their value and be a low-risk investment decision for a prospective purchaser. As a purchaser completes a due diligence process to understand the real value of each business they are considering purchasing, along with all of the standard reports they would expect to be provided, they are also provided executive summaries and detailed reports about the risk exposure of the entire third-party population. This will demonstrate to the purchaser:

  • The company has a disciplined, risk-based process for working with their third parties to ensure ongoing oversight and risk mitigation activities are in place, and
  • That process includes effective contract management, optimal cost management, regulatory compliance, data privacy, cyber protections, performance metrics and ongoing third-party oversight.

This demonstrates an investment in innovation and oversight which are the underpinnings of a well-run organization. If all other factors are close or equal, this could be a differentiator to get optimal value for a company and secure a successful exit.

It is equally important for owners considering purchasing a business as they look to achieve an optimal purchase price with confidence in the future revenue, growth and stability of the business. It is almost a mirror image of what was just outlined above for those selling a company. Imagine if the prospective seller was able to provide the purchaser with executive summaries and detailed reports about the risk exposure of their entire third-party population. This will demonstrate that they are a well-run business you can have confidence in, as they have made a solid investment to ensure there are no surprises coming from their third-party partners.

To learn more about what is included in a third-party risk management program please reference our recent article on the topic.

So, whether you are considering buying or selling a business, think about the importance of mitigating the risk with your third-party vendors and how it will impact the value of your company and the successful exit or purchase you are planning to make.

The Statement of Work (or SOW) is one of the most important documents you will develop during your relationship with a third-party vendor. Its impact is broad – affecting the scope of work that will be performed, the overall schedule of your project, the amount you pay (and the timing those payments are made) and many other critical aspects of a vendor engagement.

When preparing a SOW (regardless of whether you’re using one of your organization’s pre-approved SOW templates or a vendor’s template) there are certain questions you should always ask to ensure details are documented and assumptions are removed. But first, let’s review the difference between two terms that often get confused – “Statement of Work” and “Scope of Work.”

Statement of Work vs Scope of Work

The Scope of Work is actually just a section that can be found within a Statement of Work. The Statement of Work defines the overall objective of your project, and also defines details about schedule/timeline, costs, deliverables, acceptance criteria and much more. The Scope of Work focuses on defining the details of how the project objectives/goals will be achieved, and describes (in detail) the exact work that will be performed.

It’s also worth noting that in many cases, the SOW would have been developed during the solicitation process. Well-defined SOWs within a Request for Proposal (RFP) or Request for Quotation (RFQ) are critical to ensuring the success of your project. Not only will a high-quality SOW within a solicitation ensure the vendor understands exactly what they are required to provide, but it can also reduce your exposure to third-party risk. Check out one of our related blog posts on that topic.

Here are some common sections that can be found within a Statement of Work:

  • Project overview/objective
  • Scope of Work
  • Deliverables
  • Acceptance Criteria
  • Compensation/Payment
  • Timeline/Schedule
  • Resources and Location of Services
  • Contractual terms and conditions (Note – In many cases the SOW is governed by a Master Services Agreement, or MSA. The MSA will contain all the contractual terms & conditions that govern the relationship between you and the third-party, and the SOW will be incorporated into the MSA by reference).

Questions to Consider

While all Statements of Work are different (e.g. a SOW for consulting services will be different from a SOW for the implementation of a new enterprise-wide system), there are some common questions you should ask while developing your SOW.

(note that the categories and lists of questions below are by no means exhaustive)

Description of Goods/Services to be Provided

  • What products or services are being provided? If it’s not clearly documented, assume that it won’t be provided.
  • Have you distinguished between the “must haves” and the “nice to haves?”
  • Have you received input from all stakeholders to ensure that functional and technical requirements/specifications are properly documented?
  • If any assumptions were used to develop the scope, have they been documented?
  • Have all deliverables been listed, along with their schedule of completion?
  • If changes to the services are required, has a Change Procedure been defined?

Schedule and Timeline

  • Has an estimated project schedule been documented?
  • Have project milestones been defined?
  • Are payments tied to completion of project milestones?

Data Handling

  • Will the vendor have access to any of your organization’s non-public/confidential information during this project? If so:
    • Have the appropriate stakeholders provided their input on cyber/confidentiality requirements the vendor must fulfil if nonpublic data is to be shared?
  • Are the appropriate confidentiality clauses included in your MSA or SOW?
  • How much data will the vendor have access to?

Resources

  • Will the vendor be using any subcontractors to perform the work under the SOW?
  • Who (both on your side and on the vendor’s side) is responsible for the overall success of the project?
  • Have you verified the qualifications of all project team members?
  • Have all certifications been listed that the vendor must meet?
  • Where will services be provided (on-site, remote, etc.)?

Costs

  • Will the project be fixed fee or time and materials (T&M)?
  • Will there be incentives for good performance?
  • How will travel and project expenses be reimbursed?
  • When are payments made?

Delivery and Acceptance Criteria

  • If equipment, software or other products are to be delivered, have you defined when ownership is transferred from the vendor to your organization?
  • Will the vendor be required to provide any post-delivery set up/installation?
  • What are the completion criteria you will use to determine when certain milestones are deemed “complete?”
  • Is there a procedure in place to define how deliverables will be tested/evaluated to ensure they are acceptable?
  • Does your project require a formal “sign-off” to verify acceptance of the entire project? (note – this is important if a warranty period begins after project completion)

All SOWs are going to be different, but the questions above should assist you in developing a detailed document that defines the work and/or products to be provided by your third-party vendor. Remember, if it is not clearly defined in the SOW, assume that it won’t be provided!

I hope you found this article helpful. Should you have any questions or if you would like to learn more about third-party risk management in general, reach out to us.

Creating a well-written Request for Proposal (“RFP”) takes a lot of time and effort. And while it can be tempting to rush through the RFP writing process, don’t do it.

A good RFP (and associated evaluation process) will not only help you identify the right vendor and solution, it will also allow you to flush out potential third-party risks and remediation issues before you enter into a contract. Your RFP will:

  • Ensure clarity around requirements of what you need, and expectations between you and the vendor
  • Improve the accuracy and completeness of proposals and statements of work
  • Tease-out issues and potential risks early on in the process
  • Make it easier for you to evaluate vendors and solutions by ensuring you have the relevant information you need and make an apples-to-apples evaluation

In most cases, you’re doing RFPs when you have more complex, costly and/or mission-critical services or solutions you need to buy. The biggest risk you have with these types of procurements is that the third-party vendor doesn’t deliver. A poorly written RFP dramatically increases this risk. Some of the reasons why can include, among other things:

  • incomplete or inaccurate technical or functional requirements,
  • unreasonable delivery timelines,
  • unclear roles and responsibilities,
  • and vague or inconsistent evaluation factors.

Get one of these wrong in your RFP and you’re likely to have a problem. Get all of them wrong and you’re at high risk for a major vendor failure.

Some people think that the longer the RFP the better. That’s a bad approach. It’s not about the quantity, but the quality. I actually recommend shorter RFPs that are substantive yet concise, and easy for the vendor to understand. Regardless of the size of your RFP, there are eight sections it should contain.

  1. Executive overview – frames the purpose and objectives for the procurement.
  2. Company background – provides the vendor with context about your organization.
  3. Functional, technical and business requirements – details everything that the vendor and/or solution needs to do.
  4. Pricing information – defines all components and your preferred pricing structure (e.g. fixed fee, cost reimbursable, etc.).
  5. Deliverables and timelines – outlines what you expect to be produced and by when.
  6. Responsibilities of both parties – clarifies the role your team will play and what you expect of the vendor.
  7. Evaluation process and key factors – establishes how you’ll evaluate proposals and what factors are most important to you.
  8. Guidelines for proposal submission – makes it easier for you to compare apples-to-apples.

One other piece of advice: share your standard terms and conditions up front along with your RFP. Doing so:

  • allows you to communicate your risk-mitigating terms and conditions early on so you can identify any potential deal breakers before you get too far down the road;
  • gives you leverage in the contract negotiation process; and
  • speeds up the contracting process when/if you get there.

Stop sleeping on your RFP. It is a critical tool for reducing risk with your third parties before you enter that contract and it’s too late.

In Rethinking Vendors, the eBook I wrote back in 2012, I called out companies for treating their vendors as costs rather than strategic resources. I said then – and say even louder today – that when organizations surround themselves with the right vendors, and establish the necessary systems and culture to support those vendor relationships, they realize operational and competitive advantages that they simply can’t achieve on their own. Period.

One of the best examples of a company that gets the value of vendor relationships is Zappos. The online shoe and clothing retailer was founded in 1999 and then sold to Amazon 10 years later in a deal worth roughly $1.2 billion at the time. Zappos has been hugely successful. If you’ve bought a pair of shoes online in the last few years, chances are at least one pair was from them.

Tony Hsieh, the CEO of Zappos since it was founded, talks a lot about the company’s approach to vendors in his book Delivering Happiness: A Path to Profits, Passion and Purpose. In the book, he talks explicitly about the value of vendor relationships, how Zappos works tirelessly to make them true partners in the business, and how these partnerships have been a significant contributor to Zappos’ success.

Here is a great quote from the book from Fred Mossler, Zappos’ former VP of Merchandising (and one of the original Zappos employees), on how the company views its vendor relationships:

“The typical industry approach is to treat vendors like the enemy. Show them no respect, don’t return their phone calls, make them wait for scheduled appointments, and make them buy meals. Scream at them, blame them, abuse them…anything to get as much as possible and squeeze out every last dime.

It’s a wonder people don’t realize that business doesn’t have to be done this way. Ultimately, each party is out for the same thing: to take care of the customers, grow the business, and be profitable. In the long run, it doesn’t behoove either party if there’s only one winner.

If vendors can’t make a profit, they don’t have the money to invest in research and development, which in turn means that the products they bring to the market are less inspiring to customers, which in turn detriments the retailer’s business because customers aren’t inspired to buy.

We wanted Zappos to be different by creating collaborative relationships in which both parties share the risks, as well as the rewards. We found it much easier to create alliances when partners align themselves to the same vision and commit to accountability, knowing we’ll all benefit from achieving our goals.

Not only does this approach get both sides pulling in the same direction, it creates an environment and culture where people are inspired to get up every day, passionate for what they do. It creates empowerment and control of the business, as well as a sense of pride and ownership. It makes people want to do more because they know their contributions mean something.”

Zappos has harnessed the power of a more deliberate, strategic approach to its vendor relationships, and its results have been nothing less than phenomenal. With the right people, processes and systems in place, you can too!

This blog is mostly an excerpt from our eBook, Rethinking Vendors. Click here to download your own free copy.

Procurement teams have never had better visibility into supplier relationships or deeper access to spend at a granular level. Thanks to hardworking data analysts everywhere, we have more data-driven insights than ever before. With all this, you’d think Procurement would excel at building and hitting organizational goals – yet we aren’t seeing this happen. Where’s the disconnect?

If you don’t have an answer, you aren’t alone. Plenty of business leaders wonder why their companies miss established goals or why critical objectives fail to deliver even when those goals are hit. The root of these problems is often a foundational misunderstanding about metrics, KPIs, and how to use them to track performance.

Metrics vs KPIs

First, we need to differentiate metrics and KPIs. While they’re often used interchangeably, these two terms are distinct in how they should be used. We know a KPI is a measurement against a business objective, but how does this differ from a metric? Why is the difference important?

  • Metrics are, to be blunt, dumb numbers. They are the simple quantification of a specific set of activities, devoid of any external context or nuance. Metrics are everywhere – anything you can tie to a measurement can be a metric, whether an evaluation is valuable or not.
  • Key performance indicators are context-dependent. When we earmark something as a KPI, we’re applying the context of specific business objectives. KPIs are just as objective as any other metric, yet they allow us to draw inferences that speak to the greater whole of our organization through the lens of a specific goal.

The difference between the two is intent, and comes down to the “key” in “key performance indicator.” Any organization can track many thousands of metrics, but effectively tracking against specific goals requires narrow, thoughtful focus.

Valuable KPIs for Procurement

The number of suppliers we work with is a simple example of a metric. We can track the rise and fall of our supplier relationships over time; perhaps we’ve decreased our supplier count over the last 12 months – what does this tell us? By itself, nothing. There is no “good” or “bad” number of supplier relationships, because we need a contextual lens to view this metric through. For example:

  • If our goal is cost reduction, this decrease could be good. Supplier consolidation provides negotiation leverage when going out to market and streamlines administrative processes.
  • If our goal is risk reduction, this decrease could be bad. Supply chain disruption is most damaging when organizations rely on a sole source for mission-critical materials or on a single logistics partner to get them where they need to go.

Looking at supplier count as a metric alone doesn’t help us understand how well we’re doing for either goal. So, what will? Tracking spend under management and supplier availability are two viable options. Dozens of other metrics could serve as KPIs here, too. Which we choose to track ultimately depends on our organizational strengths, weaknesses, and objectives.

Meaningful KPIs (and a Couple Duds)

So, which KPIs are meaningful to Procurement? See below for a non-exhaustive list of a few I propose every Procurement organization should be tracking.

Procurement Effectiveness

If our goal is to drive company efficiencies then we as a team must also be efficient. “Cost savings” may appear to be a valuable KPI, but I consider it a simple vanity metric. Why? Because cost savings only speaks to our end game – none of the activity leading to it, and certainly none of the other opportunities left on the table when pursuing it. Instead, we should focus on:

  • Procurement ROI: Beyond savings achieved (cost reduction or cost avoidance), what is the internal cost of maintaining Procurement initiatives?
  • Spend Under Management: How many supplier relationships does Procurement touch directly and actively? How does this track between direct and indirect spend? Between spend categories?

Contract/Pricing Compliance

Negotiating a great deal doesn’t count for much if suppliers don’t abide by it after execution. The percentage of suppliers under contract is another vanity metric and Procurement should establish KPIs that track suppliers against commitments:

  • LPP vs. Contract Price: Do invoices match stated pricing in your agreements? What percentage of spend deviates from contract pricing?
  • Average Delivery/Lead Time: How many supplier deliveries are on-time according to SLAs? What is the average number of days late among worst offenders?

Policy & Process Adherence

Don’t just keep an eye on suppliers. Make sure internal purchase habits follow SOP as well.

  • On- vs. Off-Contract Purchases: How much spend goes to rogue, off-contract purchases that could be driven to on-contract items? What is the cost differential between these off- and on-contract buys?
  • Purchase/PO Cycle Time: How much time elapses between a purchase request and a PO? Until the PO is issued to a supplier?

Avoid Reading Tea Leaves

When we lose sight of KPIs and pore over every metric that looks even remotely important, we stop actively tracking against our goals. At that point, we might as well resort to reading tea leaves when building forecasts. In the end, the number of KPIs we track compared to all of the metrics available to us serves as a KPI on its own (call it the “red herring ratio”).

Consider your high-level goals for the next 12 months and think about all the metrics you collect each day:

  • How many actually measure progress?
  • How many are vanity measurements that say little (but look good)?
  • How many are actually unrelated to your goals?

On April 30, 2019, the U.S. Department of Justice (“DOJ”), Criminal Division, released updated guidance to DOJ prosecutors on how to assess corporate compliance programs when conducting an investigation, in making charging decisions, and in negotiating resolutions.

The pronouncement, Evaluation of Corporate Compliance Programs, updates earlier guidance that DOJ’s Fraud Section issued in February 2017. This guidance emphasizes DOJ’s laser focus on compliance programs, requiring companies under investigation to carefully evaluate, test, and likely upgrade their programs well before the investigation is over.

The updated Evaluation document has been restructured around the three “fundamental questions” from the Justice Manual that DOJ prosecutors should assess:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
  3. Does the corporation’s compliance program work in practice?

Under these three categories, the updated Evaluation groups 12 topics and sample questions that DOJ considers relevant in evaluating a corporate compliance program. One of the 12 topics is Third Party Management.

Under the DOJ guidance for third-party management, organizations are “expected to apply risk-based due diligence to third-party relationships.” While the guidance notes that the degree of due diligence may vary based on the size and nature of the company or the transaction, it goes on to say that “prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

In other words, DOJ prosecutors expect that a well-designed and compliant third-party management program will:

The guidance goes on to further outline expectations around third-party due diligence practices, which are grouped into four categories.

1. Risk-Based and Integrated Processes

  • How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company?
  • How has this process been integrated into the relevant procurement and vendor management process?

2. Appropriate Controls

  • How does the company ensure there is an appropriate business rationale for the use of third parties?
  • If the third parties were involved in the underlying misconduct, what was the business rationale for using those third parties?
  • What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed and that compensation is commensurate with the services rendered?

3. Management of Relationships

  • How has the company considered and analyzed the compensation and incentive structures for third parties against compliance risks?
  • How does the company monitor its third parties?
  • Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past?
  • How does the company train its third-party relationship managers about compliance risks and how to manage them?
  • How does the company incentivize compliance and ethical behaviors by third parties?

4. Real Actions and Consequences

  • Does the company track red flags that are identified from due diligence of third parties and how those red flags are addressed?
  • Does the company keep track of third parties that do not pass the company’s due diligence or that are terminated, and does the company take steps to ensure that those third parties are not hired or re-hired at a later date?
  • If third parties were involved in the misconduct at issue in the investigation, were red flags identified from the due diligence or after hiring the third party, and how were they resolved?
  • Has a similar third party been suspended, terminated or audited as a result of compliance issues?

So here’s what this all means. If something goes bad with one of your third parties, and the prosecutors come knocking, you had better have a well-designed and substantive third-party management program in place. Simply checking the boxes won’t cut it. Prosecutors are looking at how you manage risk and compliance across the entire lifecycle of your third-party relationship, which includes procurement, due diligence, contracting and ongoing third-party relationship management. They also expect your staff to be trained on how to do these things properly.

The bottom line here is don’t skimp on third-party management. You might feel like you are saving now, but you’ll only pay big later.

Most people may not know what SMWBE is. It is the acronym for Small, Minority and Woman-Owned Business Enterprise. More than that, it represents a significant opportunity for all companies to optimize costs, unleash innovation and make a real impact on our economy by tapping into underutilized talent which exists all around us. And in today’s world, there are other very talented pools of emerging diverse businesses such as Veteran Owned Businesses (VOB) and Service-Disabled Veteran Owned Small Businesses (SDVOSB).

It is very easy for companies to do business with large vendors or suppliers of the particular product or service they require. Quite honestly, no one is going to get fired for taking the “straight and narrow” or “safe path” to procurement. However, in today’s operating climate, risks abound. Optimizing costs is imperative, and innovation is a necessity to stay ahead of the competition. Now more than ever before, it is a smart move to balance your third-party/supplier portfolio with a healthy mix of these diverse businesses.

Your company will benefit in many ways from tapping into very experienced, entrepreneurial talent that is driven by passion to compete and deliver exceptional outcomes for their clients. And, of course, this is quite often coupled with very competitive pricing and value-added customer service.

This is not to say that you can achieve these benefits by simply closing your eyes and pointing to a diverse business on your computer screen. You still need to apply a risk-based approach to procurement to ensure you follow the same risk assessment and due diligence processes you would for working with larger, more established third-party suppliers. The difference is that you will frequently uncover innovative solutions and service offerings, supported by people who have significant past experience either working at larger companies or, in many cases, coming from the military.

These smaller, entrepreneurial companies bring many of the same capabilities as their larger competitors, but you get the extra benefit of insights gleaned from a more diverse population of suppliers. With this also often comes a company that is more likely to provide very competitive pricing as they look to establish and grow their business. As you tap into the wider perspective of supplier diversity, you will uncover strategic and tactical benefits for your company.

Don’t wait for regulatory compliance to be the sole reason your organization finally embraces supplier diversity, because it could be too late. It is likely your competitors are already working on it, and they may already be unleashing the growth and profitability achieved by embracing a real supplier diversity program.

Paul is the Director of Business Development & Client Success for Vendor Centric, a consulting firm that specializes in procurement and third-party management. Connect with Paul on LinkedIn or drop him a note at pschrantz@vendorcentric.com.

Professionals within Procurement recognize that their business unit has the potential to drive the business forward with a game-changing impact. Sometimes, however, their peers in other areas feel differently.

IT, Finance, Marketing, and executive leadership aren’t always likely to take Procurement at its word. Reminding them that Procurement can (and does) make an impact won’t inspire them to collaborate with the business unit or place their confidence in it. That’s why Procurement needs to make a more compelling argument and support it with accurate, persuasive data.

Dashboards tell a story, but data reports delivered directly to stakeholders can do much more. Presented effectively, they could inspire stakeholders to look at Procurement through a new lens and join the function in writing the story’s next chapter.

Want to make an impact and foster a new sense of collaboration? Check out these best (and worst) practices for reporting on Procurement’s efforts.

Do: Be Prepared to Support Your Findings

Any good presentation will lead to a spirited discussion. Without stoking a conflict, Procurement should come ready to address push-back from stakeholders. After all, Procurement probably wouldn’t have to deliver a presentation if everyone was already a believer. Addressing concerns and questions with honest answers will build the trust and mutual investment Procurement needs to meet its strategic objectives.

Procurement professionals love to talk about building contingency plans and considering every possible risk factor. This isn’t just something to do before embarking on a sourcing initiative. The function should take the same precautions before reporting on its performance.

Don’t: Overdo It

There’s a big difference between eye-catching and eyesore. With all the tools out there, it can become tempting to fill a presentation with all manner of colors and effects. Resist this urge. Presentations like these might be fun to design, but they’re almost always a nightmare to sit through. Instead of retaining details on Procurement’s success, your audience will find themselves averting their gaze or looking at the clock.

Take the same approach to your data. Too many numbers can be just as bad as too many bells and whistles. If you’re doubtful of the impact a chart or graph will make, leave it out. Unsure? Conduct a test presentation with a few colleagues to make sure your report has the desired effect.

Do: Speak Your Audience’s Language

It’s no secret that Procurement has gotten a bad rap over the years. The function has long had to contend with a reputation for taking a ‘my way or the highway’ approach and pursuing cost savings at all costs. These misconceptions often come down to misaligned priorities. While Procurement’s ears might perk up at the word ‘savings,’ someone from a unit like Marketing is unlikely to feel so enthused.

Before compiling a report, Procurement should make an effort to learn which metrics are most likely to engage and inspire its audience. It’s never enough to just point to data. Procurement needs to deliver its findings or results in a way that makes other stakeholders eager to join them as partners. Ironically, this will likely mean tossing out some of the metrics Procurement likes most.

Don’t: Expect Too Much

In a perfect world, Procurement’s data would speak for itself. Professionals would rely on simple charts and enjoy the privilege of instant recognition from their audience. We don’t live in that world. Sometimes, more complex representations are unavoidable, and audiences won’t quickly connect the dots.

Procurement can’t afford to leave stakeholders to draw conclusions on their own. Without insulting anyone’s intelligence, come prepared to do some explaining (maybe more than you’d like to). Always try to strike the right balance between showing and telling.

The adoption of technology to better manage vendors and third-party risk is growing. A simple search for ‘vendor management software’ on Capterra brings back 135 results. Just two years ago that number was closer to 90.

The growth in software solutions to help manage vendors and other third parties isn’t surprising. Third parties play important, strategic roles in most organizations of any size. And they bring a ton of risk. In Deloitte’s 2019 Third Party Governance and Risk Management Survey, 83% of respondents said their organizations had experienced a third-party incident in the last three years.

A similar 2018 study by Opus & Ponemon Institute reported that 59% of companies had experienced a third-party data breach, yet only 16% said that they effectively mitigate third-party risks.

Managing risk (along with costs, compliance and performance) is clearly driving this growth in vendor management software. However, not all platforms are created equal. While a few have been developed from the ground up as a “true vendor management system,” many applications are actually add-on modules to other types of platforms.

At Vendor Centric, we’ve done a lot of research into the market for vendor management software. Let’s take a look at five of the most common types of systems that offer solid functionality for managing vendors and other third parties.

  • “True” Vendor Management Systems. If you want to manage the entire lifecycle of your relationship with vendors and other third parties, this is the right type of system for you. These applications were designed from the ground up specifically to manage the end-to-end relationship. The vendor’s record serves as the ‘hub’ for the system, with all functionality such as contract management, risk assessment and due diligence associated back to the main vendor record. In our experience, these systems give you the best visibility into all aspects of your third-party relationships.
  • Contract Management Systems. If managing contract workflow is your goal, then a contract management system might be the best fit. The contract serves as the ‘hub’ in these systems, and workflow for developing, negotiating, signing and managing the contractual document is what they are good at. Contracts are a big part of third-party management, but they aren’t the only thing. These systems can be a bit light in supporting other aspects of vendor management such as risk, due diligence and performance.
  • Enterprise Risk Management Systems. Do you already have an enterprise risk management (ERM) system? Is risk management what you care most about with your third parties? If you answered yes to both, then you should consider using your existing ERM system. Most mature ERM products have third-party management functionality built into the core system, or offer it as an add-on module, so it can be an economical solution. However, I generally do not recommend adopting an ERM system for third-party management if you don’t already have one in place. They focus solely on risk – with a big emphasis on data security risk – and oftentimes don’t support key functionality for managing contracts, costs and compliance. So before you go with one of these, be really sure that third-party risk management is truly your main objective.
  • Procurement Systems. Procurement software developers have really stepped up their game when it comes to vendor management. While these systems are best at supporting sourcing, procurement and payment processes, they’ve added solid functionality (via add-on modules) for vendor, contract and risk management. So if you want to streamline your more transactional procurement activities along with your vendor management activities, there are some solid options.
  • Workflow Management Systems. Lastly, if you want to manage just about any type of workflow you can think of, and have the control to design it your own way, then a workflow management system is an option. These systems are designed to manage any type of workflow, which means that you can create processes to manage vendors, contracts, risk, due diligence, procurement…pretty much anything. However, they require a lot of customization and can take a long time to implement. And your processes stay static, whereas other systems continually improve their functionality. Yes, you can build whatever you want, but that comes with a price. Proceed with caution.

There are other systems – like CRMs and accounting packages – that promote themselves as having vendor management functionality. But most are limited in terms of what they can do, and a lot of customization is required to make them true vendor management systems.

So which type is right for you? Well, that really depends on a few things:

  • Objectives. Do you want to manage the end-to-end vendor relationship, or is risk management the only thing you care about? The breadth and scope of your vendor management function will help drive you towards the right type of system.
  • Costs. How much are you willing to spend? The more functionality you want, the more it’s going to cost you.
  • Resources. Do you have dedicated people to manage the system, or is this going to be added to someone’s existing job description? The fewer your resources, the less complicated your system needs to be.
  • Existing Systems. What systems do you already have in place? Do you already have a system that might have a solid add-on module that gets you 85% of what you need? Looking internally first might be a good place to start.
  • Integrations. Is it important to ‘talk’ to other applications? If yes, then you want to focus on systems that make that process easy for you.

The choices can be overwhelming. If you’re looking for a new system, Vendor Centric can help you find the right one and ensure it is implemented efficiently and cost effectively. Contact me at trogers@vendorcentric.com to discuss how we can help.

The procurement process has a lot of moving parts. From creating well-defined requirements to finding qualified vendors to performing methodical evaluations (and everything else in between!), there’s a lot that happens before you ultimately select a winning vendor.

During the back-and-forth communication between your organization’s primary contact/project lead and the prospective vendors competing for your business, you will be sharing information about your organization. Some of that information may be sensitive, confidential or otherwise not available to anyone outside your organization, whether it takes the form of paper or digital documents or data (collectively, “nonpublic information”).

Some common examples of information exchanges that can take place during the procurement process include:
  • Including nonpublic information within your RFP, when necessary, in order to provide the appropriate background knowledge to prospective vendors. This helps vendors understand your requirements and create a more accurate statement of work for you to consider.
  • Receiving proprietary/nonpublic information from your vendors when they respond to your solicitation.
  • Providing a prospective vendor with nonpublic information, in the form of data, in order to demonstrate software capabilities. (Best practice: we always recommend providing dummy data to prospective vendors. Also, your organization’s privacy/data sharing policies may not even allow live data to be shared with third parties.)

Are you taking the appropriate steps to ensure your organization’s nonpublic information (and any nonpublic information you receive from vendors) is being protected? A Nondisclosure Agreement (NDA) is a contracting tool that helps you do so. Here are six best practices on using NDAs:

1. One-Way vs. Mutual – One-way NDAs are used when you will be disclosing information to your prospective vendor but they will not be disclosing anything to you. Mutual NDAs are used when both parties (you AND the vendor) will be sharing nonpublic information with each other. In most cases during the procurement process, a mutual NDA will be the best fit.

2. Timing of Execution – Even though you may simply be evaluating potential vendors, and may never make it to the contracting stage with them, it’s important that nonpublic information is protected before it is shared. Always execute an NDA prior to sharing any type of nonpublic information. That may even mean getting NDAs signed before issuing an RFP.

3. Using a Template – Having a standard NDA template creates consistency and efficiency in the process. Your Legal department should be involved in the development of your NDA template to ensure all of the important terms, conditions and definitions surrounding confidentiality are included. Also, if a vendor insists on using their own NDA template rather than yours, make sure your Legal department takes a good look at it as well.

4. Knowing Your Policies – Before you disclose any type of information to third parties, you should be very familiar with your organization’s information classification and handling policies, and any other relevant policies (e.g., information security, document retention).

5. Testing Your Vendors – Your vendor’s willingness to execute an NDA may be a good sign of how easy (or difficult) it could be to work with them. It could also be a warning sign. For example, if a vendor is hesitant to sign an NDA or simply refuses to do so, that may be a red flag that they don’t take information security seriously and you should reconsider working with them.

6. Working with Existing Vendors – If you are going to use an existing vendor for additional work, and that work requires you to share nonpublic information, make sure you have a Master Services Agreement (MSA) with that vendor that defines your relationship, and that the MSA contains the appropriate confidentiality provisions. If not, it doesn’t matter that you already work with the vendor: you should execute an NDA or amend your MSA with the appropriate confidentiality provisions before procuring any additional services.

NDAs allow you to have confidence that data shared between you and prospective vendors is protected, and can lead to a more open and transparent relationship, which is ultimately better for business. If you have any questions about the procurement process or third-party management in general, be sure to contact us! We’d be happy to help.

Note – The details within this blog post are not to be interpreted as legal advice.

One of the biggest factors impacting Procurement Excellence today is a very overburdened and limited resource – Time! When we think of time, in most cases, the first thing that comes to mind is an overwhelming feeling of not having enough of this very precious resource.

As procurement leaders struggle to juggle their daily priorities, managing their team to meet the volume and unpredictability of their organization’s procurement demands, the last thing on their mind is slowing down just a bit to take a snapshot of their “current state” procurement environment. Yet the processes and systems in place today have most likely outlived their usable effectiveness given the overall growth and demands of the organization.

In fact, if you feel like you are caught on a “procurement treadmill” or experiencing “Groundhog Day” over and over again, taking time to complete a Procurement Excellence Assessment is just what the doctor ordered.

As in any strategic or change management initiative, it is important to select an external consultant and subject matter expert to take on the project management and technical aspects of the assessment. Let them do the “heavy lifting” while your role continues to be maintaining your daily responsibilities and participating in a strategic journey to create your desired “future state” procurement environment, a.k.a. Procurement Excellence.

The following is an outline of our recommended approach to performing a Procurement Excellence Assessment:

  • Planning and Visioning – Start your journey by establishing a baseline understanding of goals and priorities, and create an overarching vision for your future-state procurement operations.
  • Process Assessment Workshops – Baseline your current procurement activities through a series of process assessment workshops to discuss relevant policies, walk through current processes and challenges, and review the underlying flow of data between documents and systems.
  • Finalize List of Prioritized Areas for Process Improvement – Review the improvement opportunities and priorities recommended by your consultant, discuss differences between their priorities and yours, evaluate options and agree on a final, prioritized list.
  • Create Implementation Roadmap and Milestones – Bring everything together into a road map for modernization and automation of your procurement processes. The road map should provide specific steps to improve efficiency and accuracy, and also include recommendations for adoption of automated systems, where appropriate. The road map should also include key milestones so you can plan resources and track progress.

With the Procurement Excellence Assessment completed and the Implementation Roadmap in place, the important work of implementing the agreed-upon improvements is just beginning. Make sure to establish realistic timelines and align the required internal and external resources necessary to help you implement the changes needed to create your desired “future state”.

When the implementation process is complete, your organization will have a modern, scalable set of policies, processes and systems for your procurement operations. Your staff will benefit through simpler, more efficient processes, and your organization will benefit from a more effective and scalable infrastructure. You will now be ready to turn off the “procurement treadmill” and take a more strategic and efficient journey through each day. Let the Groundhog rest!!

The NY Department of Financial Services (NYDFS) Cybersecurity Regulation places significant cybersecurity requirements on covered financial institutions operating in New York. While there are certain, limited exemptions from this regulation, most state-chartered banks, licensed lenders, private bankers, mortgage companies, insurance companies, service providers and other foreign banks licensed to operate in New York are required to comply.

The NYDFS created a four-phased process to implement the new framework. Each phase had its own effective date, giving financial institutions sufficient time to integrate stronger policies and controls in their organizations.

The final phase (Phase 4) went into effect on March 1, 2019, and focused on the security of information accessed, processed or maintained by third-party service providers. To comply with the Phase 4 requirements, a financial institution’s third-party security policy is expected to define, at a minimum:

  • Written policies and procedures designed to protect users from risks posed by third-party service providers
  • The identification and risk assessment of third-party service providers
  • Minimum cybersecurity practices required of third parties
  • The evaluation of third-party cybersecurity practices through due diligence
  • Periodic, ongoing third-party risk assessments and due diligence

Additionally, policies and procedures pertaining to third-party service providers are required to include relevant guidelines for due diligence as well as contractual protections addressing:

  • Access controls, including the use of multi-factor authentication
  • Encryption of nonpublic information in transit and at rest
  • Notifications to be provided in response to a cybersecurity event
  • Representations and warranties for a third party’s cybersecurity policies and procedures

Establishing an NYDFS-Compliant Third-Party Management Program

In order to meet the Phase 4 requirements, covered entities have been refining existing vendor / third-party management programs or, in many cases, building them from the ground up. While compliance with Section 500.11 of the NYDFS regulation is driving the urgency, many covered entities are taking a holistic view of how they manage third-party relationships and are adopting new systems and general best practices in addition to the minimum compliance requirements.

We recommend that every third-party risk management program incorporate the following elements in its policies and procedures, not only to be compliant with the NYDFS regulation, but also to establish a strong foundation for managing contracts, compliance and risk with third parties.

  • Governance structure – who will own and manage the program?
  • Roles and responsibilities – which stakeholders are involved and what’s their role?
  • Applicability – which categories of third parties will be managed through the program?
  • Risk categories – what types of risk are to be managed?
  • Risk tiering – what is the level of risk in each third-party relationship and what are the criteria that determine that risk level?
  • Standards and Procedures – what are the minimum standards third parties are expected to meet, and what are the procedures for executing oversight activities, including the questionnaires, forms and tools employees will use?
  • System – how will all of the tasks, metadata and documents be tracked and managed?
  • Reports – what type of executive, management and regulatory reports are required?

All of these elements should be thought through and right-sized to the organization to create a compliant yet practical third-party risk management program.

Closing Thoughts

Though Phase 4 was required to be implemented as of March 1, 2019, it is important to point out that financial institutions are not required to certify their compliance with the regulation’s third-party service provider risk management provisions until February 15, 2020. So while many financial institutions have created the underlying policies and procedures, many are still working towards full integration throughout their operations.

If you need help getting your vendor / third-party risk management program fully compliant by February 2020, Vendor Centric can help by:

  • Assessing your program to ensure it complies with the regulation
  • Supporting your change management initiatives to incorporate the new policies and procedures throughout your operations
  • Providing ongoing risk assessment and due diligence support

If you’d like to learn more, contact me at: trogers@vendorcentric.com

The Procurement function isn’t what it used to be. Once relegated to an obscure position in the back office, Procurement has found itself growing increasingly strategic and increasingly valuable over the last decade. Thanks to evolving solutions and emerging risk factors, more and more organizations are looking to increase their investment in the function and make it a value generator.

Unfortunately, organizations that have spent generations neglecting Procurement are probably lacking for internal expertise. While they might have what it takes to oversee the function’s tactical workload, a true strategic evolution would require time and resources they simply don’t have.

In all likelihood, these companies could benefit from third-party support in the form of a Procurement Services Provider. Whether they’re looking to offload tactical labor or supplement their capabilities for key, strategic initiatives – they’ll find a valuable helping hand in a PSP.

If you’re unfamiliar with PSPs, or scarred by memories of bad engagements, you’ll want to make sure you assess your options effectively. It comes down to doing your research and asking the right set of questions. Here’s some information that should help you enter into these conversations with confidence and identify a best-fit provider.

Will a Procurement Services Provider replace our team?

It depends. While some providers will enable you to totally outsource Procurement’s workload, that’s just one way to leverage a third party.

In many cases, a PSP can supplement your team rather than fully replace it. Think of tricky spend categories like Marketing and IT, for example. Your team knows these are categories full of impactable spend, but it’s possible they lack the expertise (and time) necessary to generate savings. A great PSP will fill in those knowledge gaps to help your internal resources identify savings opportunities and act on them quickly.

Do Procurement Services Providers rely on off-shore resources?

Again, it depends. There are lots of PSPs out there who outsource their workload to professionals overseas. In general, this helps them to keep costs low. Never forget, however, that you get what you pay for. This sort of provider is typically a good inexpensive solution to tactical problems. They’re far less effective in carrying out more strategic initiatives. Establishing a category management plan or conducting a Procurement Transformation, for example, tends to demand a bigger investment in on-shore subject matter experts.

Are Procurement Services Providers paid by the suppliers they recommend?

Once again, some PSPs are simply re-sellers or agents for a small network of suppliers. These groups will generate savings, bill you for their work, and ultimately collect additional compensation from the supplier. Collecting money on both ends presents an inherent conflict of interest. A PSP that’s collecting a commission will always push recommendations that maximize their own earning potential. As such, it’s important to ask your provider how they’re compensated to ensure they’re supplier agnostic.

What is contingency-based cost reduction?

In a contingency-based agreement, a PSP performs its work under a gain-sharing model. Typically, it bills a percentage of the savings dollars once a project is complete. In theory, this provides the client organization with a risk-free opportunity to reduce costs and refine its approach to procurement.

Not all contingency-based agreements provide this same sense of security. It all comes down to how savings are defined. One PSP might collect payment on any savings they’re able to identify. Others (Source One, for example) bill clients exclusively on the savings they actually realize.

Federally-funded nonprofits perform important work on behalf of, and in collaboration with, the federal government. In many cases they rely on third-party Contractors and Subrecipients to provide important services, software, and materials to successfully carry out that work. Such reliance on third parties presents a lot of risks that need to be properly managed.

Risk management has become a major focus throughout the federal government. In July 2016, the Office of Management and Budget (OMB) issued an updated circular requiring federal agencies to implement enterprise risk management (ERM) to ensure federal managers are effectively managing risks that could affect the achievement of agency strategic objectives. Third-party risk is referenced throughout that circular.

Unfortunately, the federal government has provided little guidance to nonprofits on what they should be doing to manage risk with third parties who are paid with federal funds. The Uniform Guidance briefly mentions risk in both sections pertaining to third parties; specifically, the procurement standards found in sections 200.317 – 200.326 and the subrecipient standards found in sections 200.330 – 200.332. However, the guidance is vague at best.

Regardless of the lack of guidance from the Uniform Guidance, it’s prudent and financially responsible for any federally-funded nonprofit organization to have a formal third-party risk management program. Otherwise, your organization is assuming unknown and unmanaged risks with third parties that may not only present challenges to your ability to deliver on your contractual responsibilities but may also lead to problems with future funding should something go wrong with a third party. So it’s important to have some fundamentals in place.

Let’s take a look at two stages of the third-party management lifecycle that are critically important to managing risk: pre-contract due diligence and post-contract monitoring.

Pre-contract risk assessments and risk-based due diligence

Third parties present varying degrees of risk. Whenever you contemplate entering into an agreement with a third party, it’s important to understand the potential risks of the relationship and perform an appropriate level of due diligence. That goes for both your Contractors and your Subrecipients.

Let’s take a look at how the Uniform Guidance addresses risk and due diligence for both Contractors and Subrecipients.

Contractors:

Section 200.318(h) of the procurement standards states, “The non-Federal entity must award contracts only to responsible contractors possessing the ability to perform successfully under the terms and conditions of a proposed procurement. Consideration will be given to such matters as contractor integrity, compliance with public policy, record of past performance, and financial and technical resources.”

Subrecipients:

Section 200.331(b) of the subrecipient standards says that pass-through entities must “Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring…” The section also goes on to list some factors that can be used in the risk assessment process such as:

  1. Prior experience with the same or similar subawards
  2. Results of previous audits
  3. Whether the subrecipient has new personnel or new or substantially changed systems; and
  4. The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).

While both sections offer some guidance regarding risk factors to look for, neither is very prescriptive. Further, there is little discussion of the type of due diligence that should be performed on third parties. Here are some examples of the types of risk you should be assessing on the front end of your third-party relationships, as well as the types of due diligence you should be performing:

Risks to Assess:

  1. Strategic Risk – risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with your organization’s stated strategic goals.
  2. Reputation Risk – risk arising from negative public opinion.
  3. Operational Risk – risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
  4. Transaction Risk – risk arising from problems with service or product delivery.
  5. Compliance Risk – risk arising when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies or ethical standards.
  6. Information/Data Security Risk – risk arising from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take.

Types of Due Diligence to Perform:

  1. General Screening – Capture basic information about your third party, verify business registration and any applicable licensing requirements, check for negative news, screen for sanctions and check for potential conflicts of interests.
  2. Corporate Health – Evaluate the general corporate health of your third party through due diligence on financials, credit, bankruptcy info and litigation.
  3. Operations Management – Evaluate the quality systems and controls specific to any services your organization is outsourcing to the third party.
  4. Employment Practices – Evaluate employment practices relevant to personnel who may interact with your employees, donors or members and/or have access to nonpublic information.
  5. Fourth Parties – Evaluate your third party’s oversight practices relevant to subcontractors or downstream vendors (i.e. your “fourth parties”) who have a material role in the delivery of products or services to your organization and/or who may have access to nonpublic information.
  6. Information Security – Evaluate your third party’s policies and procedures around information security, and any other applicable documentation (such as SOC reports or disaster recovery plans), to understand how they may store, process or otherwise access your nonpublic information.

Ongoing monitoring

Oftentimes, once the contract/award is signed with a third party, the ongoing monitoring of the relationship is overlooked. The Uniform Guidance addresses ongoing monitoring in both the procurement and subrecipient sections, but places more structure around the process organizations should follow with subrecipients.

Contractors:

Section 200.318(b) of the General Procurement Standards states, “Non-Federal entities must maintain oversight to ensure that contractors perform in accordance with the terms, conditions, and specifications of their contracts or purchase orders.”

Subrecipients:

Section 200.331(d) of the Subrecipient Monitoring and Management section states that pass-through entities must “Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward…” and that “Pass-through entity monitoring of the subrecipient must include” items such as:

  1. Reviewing financial and performance reports
  2. Performing audits, on-site reviews and other due diligence, and ensuring the subrecipient takes timely action on any identified deficiencies; and,
  3. Issuing a management decision for audit findings pertaining to a Federal award.

While written in slightly different ways, the procurement standard and the subrecipient standard address the same idea: don’t lose sight of your third parties once the agreement has been signed.

Make sure to continually monitor your third-parties not only for contract/subaward performance, but also for areas of risk that you could end up becoming exposed to. Things like monitoring deliverables and performing invoice reviews are always important, but it’s also important to be aware of any changes to the vendor’s policies, operations, controls or management that could expose you to unwanted risk. This is especially true for third parties you have long-term agreements with.

In keeping with the “spirit” of the Uniform Guidance (reducing fraud, waste and abuse), it makes a lot of sense for Federally-funded nonprofits to have a formal approach to managing third-party risk. Risk management shouldn’t be treated as a compliance issue – it’s a risk issue. Just because the UG doesn’t directly address third-party risk doesn’t mean that nonprofits should gloss over it.

Here’s a question we hear a lot from prospective clients interested in updating or creating their third-party management programs: What is the most efficient way to impart the required changes to how we manage our third-party relationships?

As more and more companies rely on third parties to support critical elements of their core business operations, it is more important than ever to ensure they have the right people, processes and systems in place to mitigate risk and ensure successful delivery of the services and products their third parties are providing. Oftentimes getting these foundational components of third-party management in place (people, processes and systems) requires change – and change can be hard to implement enterprise-wide.

While change is difficult, it is imperative to embrace it as an important element of a healthy organization. Here are a few simple yet practical tips to consider when embarking on change related to working with your vendors and third parties:

  • You can’t change what you don’t assess. An important first step is to complete an independent assessment of your current business processes and systems. This will identify gaps and deficiencies which will help you establish a roadmap with milestones including a prioritized set of recommendations for new (updated) policies, process improvements and business systems. A critical part of the assessment process is to include a visioning step where you explore the future state environment you want to create.
  • Engage stakeholders early in the process. We have found that early engagement and transparency are the best ways to approach making effective change and business process improvements inside an organization. Ensure you have considered all stakeholder groups that are involved with the oversight of your third parties so you can engage them throughout the processes, as needed.
  • Create a communication plan to guide the change you are seeking. One of the most important elements of effective change management is to create a well thought out and comprehensive communication plan to support successful change. We help clients create these plans and, in many cases, will co-lead “town-hall” and “individual” stakeholder education events. This helps everyone involved to embrace their new responsibilities and prepare them to play an important role in the change management process.
  • It helps to have an independent and unbiased expert assist you. It is really challenging to do a proper self-assessment of your current state. You should definitely consider the benefits of having a consultant from outside your organization help you assess, identify and carry out your change management activities.

While change is certainly difficult, it is an important and healthy activity to ensure you have everyone in your organization moving in the right direction. Further, you will ensure efficient and effective third-party oversight processes and supporting business systems are in place to support your organization’s future growth for years to come.

There are many risks you need to be aware of in order to effectively manage your third parties. These include financial, operational and reputational risks just to name a few (read this blog to learn more about the key third-party risks you should be managing). One risk in particular that is often overlooked is called Third-Party Concentration Risk. Let’s take a look at why you might want to consider spending more time properly identifying, and managing, concentration risk with your vendors.

Third-Party concentration risk can mean a few different things, so let’s start by walking through how to spot it. There are three primary types of concentration risk:

#1: Over-reliance on one vendor for critical services

Finding a vendor that you can trust is great. It’s even better when that vendor has the resources and expertise to provide more than just one service to your organization. But be careful… relying too much on one vendor for all, or most, of your critical functions presents risk. Here are two scenarios to think about:

  • What happens if your organization uses a vendor for three critical services, and a data breach occurs that is tied to only one of those services? Do you continue using that vendor for the other two services?
  • What happens if the vendor that provides multiple critical services to your organization goes out of business? How severe will the impact be to your organization?

#2: Fourth-party concentration

Knowing your own third parties can sometimes be a challenging task on its own. But do you know your vendor’s vendors (i.e. your fourth parties)? Let’s say you’ve done a great job ensuring that you have a diverse group of vendors who provide services to your organization (concentration risk #1 from above has been significantly limited). From the surface you would have no idea that a potential concentration risk exists. However, after digging a little deeper you may find out that many of your critical vendors use the same vendor for their critical functions. An impact to the operations of one of your fourth parties could affect many of your third parties!

In general, it’s a smart idea to understand who your fourth parties are. Do you know if your vendors are passing your confidential or sensitive information on to other vendors? Do you know if your vendor is truly providing the services you are paying for, or if they are outsourcing much of the work to other vendors? Add fourth party concentration risk to the mix, and now you may want to think more seriously about identifying who your fourth parties are.

#3: Being in the same geographic location as your vendors

This type of concentration risk of course depends on your industry and the type of work you do, but in general you don’t want all of your vendors to be located in the same geography as your organization. What happens if a severe weather event has a detrimental impact on your region? Not only are your organization’s own operational functions impacted, but the functions that you have outsourced to vendors in the same region are impacted as well.

The key to identifying any type of concentration risk (whether it is specific to services being provided, fourth parties or geography) is documentation. You need to be able to easily identify who your vendors are, where they are located, what products/services they provide and whether they utilize any subcontractors/fourth parties. Implementing a vendor management system makes this a breeze, and it’s something we recommend not only as a best practice to our clients, but also as a core component of a successful Vendor Management Program.
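The three checks described above can be run mechanically once the inventory is documented. The script below is an added example, not code from the original post or from any vendor management product: it takes a small constructed inventory (the vendor names, regions, services and subcontractors are made up) and flags each type of concentration risk. The `Vendor` schema and the thresholds (`max_critical`, `max_local_share`) are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    """One row of a vendor inventory (hypothetical schema for this example)."""
    name: str
    region: str                           # where the vendor delivers from
    critical_services: tuple[str, ...]    # services we depend on; empty = non-critical vendor
    fourth_parties: tuple[str, ...] = ()  # subcontractors the vendor has disclosed to us


# Constructed sample inventory; every name and region is fictional.
INVENTORY = [
    Vendor("Acme Cloud", "US-East", ("payroll", "email", "file storage"), ("Orbit Hosting",)),
    Vendor("Beacon Security", "US-West", ("endpoint protection",), ("Orbit Hosting",)),
    Vendor("Clearwater Consulting", "US-East", ()),
    Vendor("Delta Data", "US-East", ("backups",), ("Orbit Hosting", "Northwind Telecom")),
    Vendor("Evergreen Print", "EU-West", ()),
]


def critical_vendors(inventory):
    """Only vendors that deliver at least one critical service matter for concentration."""
    return [v for v in inventory if v.critical_services]


def over_reliance(inventory, max_critical=1):
    """Type #1: vendors carrying more critical services than the threshold allows."""
    return {
        v.name: v.critical_services
        for v in critical_vendors(inventory)
        if len(v.critical_services) > max_critical
    }


def shared_fourth_parties(inventory, min_vendors=2):
    """Type #2: a single fourth party that several of our critical vendors depend on."""
    users = defaultdict(list)
    for v in critical_vendors(inventory):
        for fp in v.fourth_parties:
            users[fp].append(v.name)
    return {fp: sorted(names) for fp, names in users.items() if len(names) >= min_vendors}


def geographic_concentration(inventory, our_region):
    """Type #3: share of critical vendors sitting in the same region as we do."""
    crit = critical_vendors(inventory)
    local = sorted(v.name for v in crit if v.region == our_region)
    share = len(local) / len(crit) if crit else 0.0
    return share, local


def concentration_report(inventory, our_region, max_local_share=0.5):
    """Roll the three checks into one dict of findings; empty values mean no finding."""
    share, local = geographic_concentration(inventory, our_region)
    return {
        "over_reliance": over_reliance(inventory),
        "shared_fourth_parties": shared_fourth_parties(inventory),
        "geographic": local if share >= max_local_share else [],
    }


if __name__ == "__main__":
    for finding, detail in concentration_report(INVENTORY, "US-East").items():
        print(f"{finding}: {detail}")
```

On the sample data the report flags Acme Cloud for carrying three critical services, Orbit Hosting as a fourth party behind three critical vendors, and two of the three critical vendors sitting in the same region as the organization. The same functions run unchanged over a real inventory exported from a vendor management system, provided it records the four attributes the paragraph above asks for.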

Once concentration risks have been identified, the primary way to manage concentration risk is to have contingency plans and business continuity plans in place for your critical vendors that present concentration risk, and to use a vendor management system to store and assess these plans.

As companies grow from startup to small business to thriving enterprise, it is common that the founding executives have to embrace many roles and functions along the way. The common joke about an entrepreneur (a.k.a. the CEO) is that they are also often referred to as the Chief Bottle Washer.

One of the first positions that tends to get staffed as companies scale is the Human Resource function. Once an organization grows beyond 10 – 20 employees, there is a true need to have a trained professional step in and take on the role of managing the risk, compliance, cost and performance of the company’s most valuable resource – their people.

What commonly gets lost in this exciting and sometimes scary journey of organizational growth is the importance of dedicating an equal amount of oversight and formality to the management of another valuable company resource – vendors/third-parties.

Based on our experience working with organizations of all sizes, let’s compare how many companies view the Human Resource function vs the Vendor Management function as staff sizes and the number of vendors a company uses continue to grow.

First, let’s look at Human Resources:
  • Personnel – The Human Resource function most likely has grown and matured along with the company. What was once a single individual managing HR is now a team made up of specialists that help manage the employee lifecycle (i.e. recruiting, hiring, payroll, benefits and performance management).
  • Policies & Procedures – Enterprise-wide HR policies and procedures have been established, which helps to create consistency in the overall management of employees. As new staff are on-boarded, they are required to understand key HR policies (i.e. code of conduct, conflict of interest, leave, benefits, etc.) Upper management ensures staff remain familiar with all HR policies and procedures.
  • Tools and Systems – HR has likely implemented a variety of tools and systems to centralize employee information and to effectively manage HR-related processes. Examples of some common tools and systems include recruiting software, benefits management platforms and payroll systems.
Now, let’s look at Vendor Management:
  • Personnel – While the number of vendors the company uses has surely grown, the number of employees dedicated to managing vendor relationships likely hasn’t. In many cases, this responsibility is added to the plate of Business Owners rather than being assigned to a team of people dedicated to managing the vendor lifecycle (procurement, risk assessments and due diligence, contracting, onboarding, oversight and termination).
  • Policies & Procedures – Here, in most cases you will find that the opposite has occurred compared to what we see in HR. The company may have enterprise-wide policies and procedures that address some components of vendor management (most commonly procurement and contracting), but there isn’t a formal Vendor Management Policy.
  • Tools and Systems – While HR can easily tell you how many employees the company has, determining how many vendors a company has is a different story. This is likely due to vendor data being decentralized and the lack of investment in a true vendor management system. Each department may maintain their own list of vendors, and vendor contracts might be stored in emails or filing cabinets rather than in a central location.

When looking at Human Resources, the necessity of controlling risk and managing the complexity of employees is a mandatory business discipline. A company that reaches $30 million or more of revenue wouldn’t be able to function or ever scale to that level of growth without a full investment in the HR function.

On the other hand, it is still common to find companies of this size and much larger that have not committed the resources necessary to manage their vendor relationships in a disciplined manner. More frequently than not we find that the oversight of third-parties is performed inconsistently across the company, which points to an unmeasured level of risk. Our belief is that more and more companies will begin to see their team of vendors as equals to their team of employees when it comes to adopting a disciplined, lifecycle approach to managing these relationships.

Moving forward, companies embracing the business discipline of Vendor Management, in a similar fashion to that of Human Resource Management, will ensure they have a consistent and well-disciplined approach to overseeing the investment in their most valuable assets – their people and their vendors. We believe this is the formula that will sustain their success for years to come.

One of the questions I hear a lot from companies looking to formalize a vendor management function is “Where should it live?” The simple answer is… it depends.

The vendor (or third-party) management function is still a relatively new concept to many organizations. However, as companies have begun formalizing this function within a Vendor Management Office, we are finding that no two VMOs are alike.

Some VMOs are staffed with just a few people while others have an entire team of people performing critical roles covering all areas of the vendor management lifecycle. Some companies have their VMO perform all functions in house, while others co-source certain functions like due diligence and contract audits.

However, regardless of the size or scope of your VMO, its ultimate success may depend on where it lives within your organization. So, if you’ve decided to take a serious approach to vendor management, and you are trying to determine the best home for your VMO, there are three key questions to consider:

1. What was the primary driver for the creation of your VMO?

The primary driver for the creation of the VMO has a strong correlation with the area of the business the VMO ultimately resides in. In many cases, organizations will make the decision to create a VMO out of necessity in response to some outside factor. Some examples are:

  • Changes in regulations relating to third-party management (VMO may end up under Compliance)
  • Some type of major data/cybersecurity event such as a system breach (VMO may end up under IT)
  • Reaction to failure or poor performance with a critical vendor (VMO may end up under Operations)

2. What does your organization consider to be its greatest third-party risk factor?

The areas of the business that are exposed to the highest level of third-party risk are also good to consider when determining VMO placement. Even if your vendor management program is enterprise-wide rather than department-specific, your VMO may end up being placed in an area of the business that has the highest concentration of third-party risk. Here are two examples:

  • If an organization in a highly regulated industry considers compliance risk to be its greatest third-party risk factor, the VMO might end up finding a home within the organization’s Risk or Compliance department.
  • If an organization relies heavily on third-parties for management/storage of its confidential and sensitive data (or uses a lot of vendors who otherwise have access to their nonpublic data), they may consider information security risk to be their greatest third-party risk factor. In this scenario, the VMO may end up residing under the Information Technology department.

3. Who is your Executive Sponsor for the VMO?

The answers to questions #1 and #2 above will help to determine who the executive sponsor within your organization should be. Once an Executive Sponsor is assigned, your VMO’s home within your organization should be clear.

It is important to remember that a successful enterprise-wide VMO interacts with all areas of the business. So even if your VMO reports up to a Chief Information Officer, that does not mean that the VMO’s scope should be limited to IT vendors. The VMO should assess and manage all third-party relationships consistently.

Having an Executive Sponsor is key to the success of a VMO, not only internally by having the authority to drive participation among internal stakeholders, but also externally by showing your third-parties that you take vendor management seriously.

There isn’t a “right” or “wrong” when it comes time to decide where your VMO will live. Every organization is different when it comes to the placement of VMOs. When you are determining where your VMO should live, be sure to consider the three key topics covered in this article and you will already be on your way to a successful vendor management program.

“Everybody is doing something to manage third-party risk, but no one is doing exactly the same thing.”

We joined nearly 200 risk, compliance, legal and vendor management professionals at the summit to hear about current practices, emerging trends and new technologies. This was the fourth year for the conference and it was a full house. The adoption of third-party risk management continues to grow.

As we listened to panelists from Google, United Airlines, Target, FedEx and others with established TPRM programs, it was really interesting to hear that no two companies are doing it exactly the same way. What they are doing is adopting the fundamentals of governance, policies, standards and reporting – and then personalizing the program to align with their own unique goals, industry requirements and overall risk appetites.

We heard a lot of insights and practical advice from both panelists and attendees who manage TPRM programs within their respective companies. Here are a few of our favorite quotes and takeaways:

  1. “Risks with your third parties change – they aren’t static. You need to continuously evaluate and monitor them as the world changes around you.”
  2. “If you’re waiting for the auditors/regulators to show up to know whether or not your TPRM program is working, you probably already know the outcome. You have to test it to know it’s working.”
  3. “When information about third parties is siloed, it’s impossible to make educated, compliant decisions. Get important data about your third parties in one place.”
  4. “One area that’s getting a lot of focus right now is fourth-party risk; that is, understanding who your vendors rely on to provide goods or services to you. When you have critical vendors, you should know who your fourth parties are.”
  5. “Risk profiles and appetites are different for every company. You need to know what yours are before you can design an effective TPRM program.”
  6. “I’ve seen the vendor management office ‘live’ successfully within functional business units such as compliance, risk, operations and even procurement. However, the function that’s driving your desire for a VMO is likely the best place for it to live.”
  7. “Lots of third parties sit outside of accounts payable. When you create your initial inventory of third parties, you’ll need to capture data from multiple systems to ensure you have a complete and accurate inventory.”
  8. “We view our third-party program in three stages: design, implement and mature. We are through the first two, and will be working on the third continuously.”
  9. “If your standard process is to wait until after the contract is signed to perform due diligence on your third parties you are wasting your time. It’s too late.”
  10. “After due diligence is done we really hone in on addressing the residual risk; that is, the amount of risk that remains after we’ve been able to reduce it through other means.”

One final note. As we recommend to our clients, there was consensus that regardless of what industry you’re in you have to take a risk-based approach to managing third parties. Not all of them are created equal.

Focus on your biggest risk areas, get going with the fundamentals and continuously mature and right-size the program for your organization and your risk appetite!

Companies often overlook the fact that negotiations extend from inception of a potential relationship through to its eventual conclusion; during this time, there may be hundreds of individual negotiated events, internal and external, that contribute to the eventual outcome – successful or unsuccessful.

Employing the right negotiating style is important to your success. There are generally two core approaches to negotiation, commonly called Positional and Principled. The positional style is competitive in nature and therefore tends to lead to a “winner” and a “loser” in the negotiations, while the principled style is focused on collaboration, with the ultimate goal being a win-win for both parties. Let’s take a look at each one.

Positional Negotiation

Positional negotiation is used when you are trying to stifle and limit discussion. It is designed to intimidate the other party so that they lose confidence in their own case and accept the other side’s demands.

A positional approach involves a person adopting a position and aiming to negotiate an agreement as close to that position as possible, without even exploring alternative outcomes or paying real attention to the other side. It is a style that allows for only limited and fairly predictable negotiating. In many instances it can degenerate into a ‘battle of wills’, each party wondering who is going to give in first. People adopting a positional style will assume that only one party can emerge from the negotiation a clear winner.

Principled Negotiation

Alternatively, principled negotiation is employed when you are serious about finding a mutually acceptable solution. It is based on the assumption that the parties share some common interests and that the outcome (and longer-term relationship) will be improved if there is full discussion of each participant’s perspectives and interests.

Principled negotiation is generally prevalent in many of the deals that you negotiate. While certain elements of the negotiation may still be positional (i.e. delivery dates, data security and other non-negotiables), the overarching goal is to understand the shared opportunities and risks that prevail and come to terms that both parties can feel good about.

Overall success in a principled negotiation is going to be defined in the relationship that results, not the specific contract terms that are signed. Contract signature is just a milestone – not an end point.

Do you fit into one of these styles? Or do you find yourself using a little bit of both?

Most negotiators have a natural preference for one method or the other, but experienced negotiators need to be able to employ both. That means that you should understand and practice both styles.

But always remember. The other party in the negotiation has goals and objectives they need to meet too. If you can negotiate to create a win-win for both parties, you are much more likely to have them committed to the long-term success of the relationship.

Organizations rely heavily on their third parties for improved profitability, faster time to market, competitive advantage, and decreased costs. However, third-party relationships come with multiple risks that include:

  1. Strategic Risk – Risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with stated strategic goals.
  2. Reputation Risk – Risk arising from negative public opinion. Third-party relationships that result in dissatisfied customers, interactions not consistent with policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information and violations of laws and regulations.
  3. Operational Risk – Risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
  4. Transaction Risk – Risk arising from problems with service or product delivery.
  5. Compliance Risk – Risk arising from violations of laws, rules, or regulations, or from intentional or inadvertent non-compliance with internal policies or procedures or with company business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies or ethical standards.
  6. Information Security Risk – Risk arising from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take.

Third-Party Risk Management (TPRM) is the process of identifying, assessing and controlling these and other risks presented throughout the lifecycle of your relationships with third-parties. This oftentimes starts during procurement and extends all the way through the end of the offboarding process.

Given the breadth and potential severity of risks that are inherently present with third parties, TPRM has quickly evolved from a ‘check-the-box’ process to a substantive function, complete with policies, procedures and systems, in companies that are serious about managing third-party risk. These companies are now taking more comprehensive steps to ensure that their third parties not only comply with regulations, but also protect confidential information and IT systems, avoid unethical practices, keep up a safe and healthy working environment, strengthen supply chain security, handle disruptions effectively, and sustain high quality and performance levels.

An effective third-party risk management function provides for, at a minimum:

  1. Central visibility into all third-party relationships and contracts
  2. A formal, pre-contract risk assessment and due diligence process
  3. Use of standardized, risk-mitigating contractual terms and provisions
  4. Risk-based monitoring and oversight
  5. Formal offboarding at the end of the relationship

An effective third-party risk management function also includes the identification and evaluation of fourth parties; that is, the downstream vendors, suppliers and contractors used by your own third parties. Risk flows down all the way to the last supplier in the chain, so it’s key you know who they are and how they are managed.

Remember, the responsibility of managing third-party risk falls on you. To protect your business from issues associated with profitability, reputation, regulation and even litigation, it’s important to establish processes that will allow you to oversee these issues. Regulators have stepped up their standards regarding how companies protect themselves against third party issues, so this area is becoming a more important part of your risk management plan.

Check out some Cyber Security tips that our friends at Aligned Technology Solutions recently shared!

The European Union’s General Data Protection Regulation, which has been enforceable since last May, is inspiring renewed efforts worldwide, including at the federal and state levels in the United States, to boost privacy protections.

Several U.S. states, including Oregon, North Carolina, Virginia and Washington, are considering new legislation to shore up consumer data privacy laws in the wake of California passing strict privacy requirements last year.

While Democrats in Congress have once again introduced national breach notification and privacy legislation, states aren’t holding their breath that anything will get passed at the federal level and are taking matters into their own hands.

A by-product of the legislation is the spotlight that’s being placed on third parties. Companies are finding they have an incredible amount of data that is being collected, processed or stored by third-party service providers. This means there are going to be some changes that will need to be made in their third-party contracting and oversight to be compliant with these new laws.

For example, Virginia has proposed a bill that places new requirements on businesses to “take all reasonable steps to dispose of, or arrange for the disposal of, consumer records.” That means businesses will be required to know which third parties collect, process, store or have access to consumer records, and establish the appropriate contractual clauses and procedures to ensure the third party disposes of the data according to policy.

North Carolina has proposed legislation under which a ransomware attack would be considered a security breach, and a breached entity would need to notify the state attorney general’s office within 30 days. That means businesses will need to ensure their contracts clearly identify breach notification requirements, including how quickly a third party must tell you about an incident so that you can meet your own deadline.

These are just two examples and there are many more. As these proposals move into law, having visibility into third-party relationships is not a nice to have – it’s a requirement.

But here’s the reality. Most companies don’t know which third parties have their data.

A recent third-party risk survey conducted by Aravo showed that 73% of the respondents “cannot produce a complete report of all of their third parties with cyber risk exposure quickly and easily.” That means that nearly three out of four of the businesses who responded couldn’t demonstrate compliance with these data privacy regulations even if they wanted to.

If you’re concerned about the data that’s being exposed to your third parties, contact us today and let’s discuss how we can help.

I was in a meeting with a client a few weeks ago talking about third-party due diligence. We were discussing the types of due diligence they were considering on a few of their consulting vendors and a question came up that I hear pretty often: “Does a one size fits all approach make sense when it comes to performing due diligence on your third parties?”

When you think about third-party risk you can’t help but think of data privacy and cyber security as being the two getting the most attention right now. But those are only some of the risks we highlighted in our recent post titled Six Important Risks to Manage with Your Vendors.

The bottom line is that third-party due diligence is no longer optional – it’s required for every company regardless of size or industry. But does that mean you need to treat every third-party the same when performing due diligence?

From both a best practice and practical standpoint we believe firmly that the answer to this question is NO. Every vendor relationship is not created equal, and your due diligence needs to take that into account.

To shape the issue, let’s look at two entirely different types of vendor relationships.

Vendor #1

Provides a SaaS based software solution that is one of the core platforms used in your business operations. Personally Identifiable Information (PII) is processed and stored in the system, and if something goes wrong with the application it will cause serious problems in providing services to your customers.

Vendor #2

Is a consulting firm providing independent research for your organization. The outcome of their work will be incorporated into a major study you are releasing, but they are gathering all of the information independently. They have no access to confidential information and they do not perform or support any operational functions.

There is clearly a significant gap in the complexity and risks associated with the two relationships, and your due diligence should be aligned accordingly. Information and IT security are going to be critical areas you’ll want to evaluate for Vendor #1, while expertise, research methodology and use of subcontractors (i.e. fourth parties) will be important for Vendor #2.

So when you perform due diligence on your third parties, it’s crucial that you not use a one size fits all approach. Take a practical, risk-based approach, and align your due diligence activities with the identified areas of risk.

In a recent benchmarking survey on third party risk management, 72% of respondents said they “cannot produce a complete report of all of their third parties quickly and easily.”

While many people believe this information lives in their accounts payable system, the reality is it doesn’t. Nearly all a/p systems capture very limited information about paying your vendor, and absolutely no useful information about the myriad legal, compliance and risk obligations you need to understand and manage with the vendor.

Creating and centralizing profiles on your third parties is the only way to have the visibility, reporting and management capabilities you need to really know (and effectively manage) your vendors and other third parties. At Vendor Centric, we believe that the foundation of a solid profile requires three things.

  1. Tracking basic corporate information about the vendor.
  2. Knowing your contractual obligations so they can be managed.
  3. Understanding the risks to which you are exposed so they, too, can be managed and mitigated.

Here are some additional details on each.

1. Corporate Information

The foundation of your profile starts with capturing basic information about the vendor themselves. This provides visibility into the organization as well as the people with which you’ll be working. At a minimum, your basic vendor profile should include:

  • Legal name
  • DBA (doing business as) name
  • Contact information (account manager, billing, help desk)
  • Address
  • Website
  • Ownership structure
  • Date of business formation
  • Tax ID number
  • DUNS number
  • Special classifications (e.g. small, minority, woman or veteran owned)

2. Contract Information

Can you quickly and easily see all of the contractual obligations, terms and conditions you have with your third parties? Most organizations can’t. And that’s not good. Contractual obligations are serious ones. They obligate you and your third parties to a variety of financial and legal requirements. At a minimum your profile should incorporate the following contractual information:

  • Contract owner
  • Type of agreement (master services agreement, statement of work, addendum, etc.)
  • Brief description of the contract
  • Start and end dates
  • Auto renewal provisions
  • Termination requirements
  • Notification dates for termination
  • Deliverables
  • Service level agreements

3. The Third-Party Risk the Vendor Presents

The third component of a complete vendor profile is the identification of the key risks presented by the relationship. Each third party presents a different level of risk when it comes to risk areas such as reputation, operations, transactions and information security. Identifying the risk associated with each vendor by conducting a risk assessment will provide visibility into the appropriate level of due diligence and oversight you need to maintain. Some of the big risks you want to evaluate and capture as part of your vendor profile include:

  • Does the third party collect, store and/or process confidential or sensitive data (e.g. nonpublic information)?
  • Will they be using subcontractors or other suppliers/services providers (i.e. fourth parties) in their delivery of services to you?
  • Are they on any excluded parties or sanctions lists?
  • Are any key executives on politically exposed persons (PEP) lists?
  • Is there any pending litigation or bankruptcies that could impact the health of their organization?

Remember: knowing these risks only provides you with visibility. A solid due diligence process is where you’ll dig deeper into each risk area to understand what your true exposure may be, and to ensure that you’re comfortable that the risk is being mitigated. This is where you can dig into things like financial health, employment practices and information security practices.

When you need to competitively procure a product or service from prospective vendors, determining what type of solicitation tool to use can be confusing. Do you use an RFQ or an RFP? What is the difference between the two? While they may sound similar, there are in fact specific use cases for each one.

Let’s take a look at the main differences between these two methods of procurement.

Request for Quotation (RFQ)

A Request for Quotation, or an RFQ, is a method of procurement used to obtain price quotes from vendors. RFQs are most commonly used when:

  1. You have a commodity-style procurement (i.e. goods rather than services)
  2. Exact quantities and requirements are known
  3. Price will be the primary evaluation factor used to determine a winning vendor

Take the following procurement for example, which illustrates when an RFQ is appropriate:

A procurement manager needs to purchase 25 new corporate laptops. The computers must have a certain type of processor, a hard drive with at least 500GB of storage, at least 18 hours of battery life and a one-year warranty. The procurement manager knows exactly what her requirements are, and all she is looking for from vendors is pricing information.

In summary, you should use an RFQ if the following are true:

  • What information do you have? Extremely clear details about the product or service you require.
  • What do you need vendors to provide? Pricing.
  • What is your primary goal? To get the best price.

Request for Proposal (RFP)

A Request for Proposal, or RFP, is a method of procurement used to obtain detailed proposals from vendors for products or services (and is typically much more formal than an RFQ). RFPs are most commonly used when:

  • You are dealing with a large, complex procurement
  • You understand your project objectives but likely do not have well-defined specifications
  • You will select a vendor based on the creative solution they propose (not necessarily the vendor with the lowest cost).

Take the following procurement for example, which illustrates when an RFP is appropriate:

An organization is having trouble tracking down information about their vendors and contracts. They do not have a central database or system to store that type of information. The organization knows they need a vendor management system, but they don’t know where to start. They need to find a vendor who has the subject matter expertise to help identify requirements for this project, and who can implement a vendor management system.

When you use an RFP, you give the vendors enough information to understand what your project objectives are but you allow the vendors to apply best practices and creativity when developing their proposals. It is important to remember that the flexibility you provide to vendors should be limited to the solution they present, not the format of their proposals. In order to efficiently evaluate proposals side-by-side, you should require vendors to be consistent in how they develop their proposal documents (i.e. key topics to address, order of sections within the proposal, etc.).

In summary, you should use an RFP if the following are true:

  • What information do you have? You understand the project objectives, but need help defining the exact details of how to accomplish it.
  • What do you need vendors to provide? A creative solution.
  • What is your primary goal? To select a vendor that will help you achieve your project objectives.

Which one is best?

The answer simply depends on what you need from vendors. If all you are looking for is pricing information and the lowest cost product, an RFQ is most appropriate. If you need a vendor to provide you with a creative solution to meet your business requirements, go with an RFP.

Note that sometimes a “mini-RFP” may be the best route for smaller, less complex service-based projects. Rather than developing a formal RFP with multiple project objectives and lots of requirements, you may choose to document the few requirements you have and ask vendors to provide a simple proposal.

Why creating a maturity roadmap is important for vendor management.

Maintaining an effective vendor management program doesn’t happen overnight. It’s a journey that involves continual learning, refinement and evolution. And as a program matures over time, it results in the management of vendors and other third parties with fewer risks, lower costs, better performance and stronger compliance.

Since every company is at a different place in their journey towards better vendor management, it’s important to create a roadmap that you can follow as you continually grow and mature your program. A roadmap helps you visualize where you are, where you ultimately want to be, and the milestones you need to reach along the way. Following a roadmap allows your team to gradually improve processes and drive more value from your vendor management program at a pace that works best for you.

How to set about creating your maturity roadmap?

As with any roadmap, you need a starting point and an end point – and a plan for how you’re going to get there. You’ll also need to set aside some time, get a team of stakeholders together, and collectively visualize what the finished project should look like.

To create your maturity road map you need to have a:

  1. Vision for your program
  2. Baseline of your current operations
  3. Gap analysis to identify improvement opportunities
  4. Milestones for improvements
  5. Resource plan for getting things done

Here’s how these components all fit together.

Define Your Vision

Start with the end in mind and answer this question: what are the ultimate goals and objectives we want to achieve through our vendor management program?

  • Complying with federal and state regulations?
  • Mitigating risk with vendors who provide critical services or have access to confidential and sensitive information?
  • Improving pricing and controlling costs?
  • Eliminating poor performing vendors?
  • All of the above?

Ultimately, the goals you set will drive the size and scope of your vendor management program. The bigger your goals, the longer your roadmap may be.

Establish Your Baseline

Every roadmap needs a starting point, and that’s your baseline. It consists of your current policies and procedures across the complete lifecycle of the vendor relationship. From initial procurement all the way to off-boarding and everything in between.

Your baseline also needs to include the operational components of your program such as your governance and communication structure, workflow, systems and reporting.

Perform a Gap Analysis

The gap analysis is the process of comparing where you want to go (your vision) with where you are (your baseline), and figuring out all of the things you need to do to get there. Examples of practical findings that come up in your gap analysis include:

  • Developing missing policies
  • Updating antiquated forms and templates
  • Updating contractual documents with newer or missing provisions
  • Performing due diligence on risky vendors
  • Reclassifying vendors due to changes in the relationship
  • Auditing contracts and performance for SLAs and invoicing
  • Adding additional resources

Whether you have a new or existing vendor management program, there are always a ton of improvement opportunities that come up when you do a thorough gap analysis. But not every opportunity is created equal. So it’s important that the issues get prioritized so you know where to focus first.

Develop Milestones

Milestones are a critical part of your roadmap as they allow you to do two things. First, milestones allow you to group improvement opportunities into stages so that you can address them over a period of time rather than trying to do everything at once. And second, when done right, milestones actually allow you to build new value in your vendor management program each time a milestone is reached.

As an example, if you are launching a new vendor management program from scratch, one of your first milestones may be to simply build profiles of all your vendors and contracts and get them into a central system so you have visibility. Reaching this milestone creates value by simply having a central view of vendors, their risks and all of the contractual obligations you have as an organization. While this sounds simple, many companies don’t have even these basics in place.

Alternatively, if you have an existing vendor management program, you may set a milestone to re-assess, rationalize and consolidate your vendor population. In addition to saving money through improved leverage and negotiations, you’ll also significantly reduce your risk (and potentially improve compliance with regulations, if applicable) by focusing your oversight and contract management with fewer vendors.

Create a Resource Plan

Finally, your roadmap needs to identify the resources you’ll need to get the job done, and assign responsibilities accordingly. Most companies – whether or not they have a formal vendor management office – are simply under resourced to get their program to the maturity level they desire. More and more, companies are bringing in experts to get things done faster and oftentimes cheaper than if done internally. Experts provide both speed and scalability to move projects along and get to the next milestone in an efficient, cost effective way.

Whether you’re improving the program you already have, or getting one going from scratch, a maturity roadmap is an important tool for creating a vision and a path for a more successful vendor management program.

As we have discussed in previous blogs, the focus on vendor relationships, and the risks and responsibilities associated with them, is evolving rapidly. At the time of its birth, vendor management was near synonymous with cost management. This perspective was not only close-minded, but also destructive, as organizations neglected to unlock the value that their vendors could have provided.

Vendor Management reached a new level of importance when regulations began popping up in the past decade and compliance became a new motivator to control these relationships. While managing costs and compliance drew more attention to the potential untapped value available from vendors, these factors still failed to reveal the whole picture.

Thanks to the increased practice of sharing private and vulnerable data with vendors, risk is now the main motivator. This third piece to the puzzle brought more structure and consistency to the vendor management process, as organizations began to observe the risks presented by their vendors in a holistic manner. In order to properly evaluate risk, risk assessments must be performed on every vendor, and they should be segmented into tiers of risk based on these assessments. This process requires that organizations get to know their vendors more closely, which in turn increases transparency.

Have you decided which vendor risk keeps you up at night yet? According to the results of a survey conducted during our webinar, 41% of our viewers were most concerned about their vendors falling victim to a data breach.

Data breaches have certainly drawn more and more attention towards vendor management over the past five years or so, and for good reason. Results from a recent Ernst & Young study highlight that 30% of surveyed organizations have experienced a breach caused by a third party within the past two years.

In response, regulators are attempting to ensure that organizations have the tools (such as the SOC for Cybersecurity) to deal with this, as well as the means to proactively mitigate vendor risks. However, this is but one of many areas in which vendors present risk to an organization. We will list some of the others below.

6 Important Risks to Manage with Vendors and Other Third Parties

  1. Strategic Risk – risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with stated strategic goals.
  2. Reputation Risk – risk arising from negative public opinion. It can stem from third-party relationships that result in dissatisfied customers, interactions not consistent with policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and violations of laws and regulations.
  3. Operational Risk – risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
  4. Transaction Risk – risk arising from problems with service or product delivery.
  5. Compliance Risk – risk arising from violations of laws, rules, or regulations, or from intentional or inadvertent non-compliance with internal policies or procedures or with company business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies or ethical standards.
  6. Information Security Risk – risk arising from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take.

Once organizations have identified the types of risks that their vendors present them, the next step is to mitigate them by developing a set of standardized vendor risk management procedures. An ideal process should look something like this for each vendor:

  1. Conduct due diligence during sourcing.
  2. Perform a risk assessment and identify an appropriate risk rating.
  3. Implement risk-averse contract provisions.
  4. Periodically evaluate the vendor to ensure the risk rating has not changed.

Going through this process of due diligence, risk assessments, and ongoing oversight gives organizations the chance to understand the separate stages inherent to the vendor management framework. In doing so, risk has become an effective motivator in pulling attention towards vendor management, especially when combined with the ongoing concerns of cost control and regulatory compliance.

While vendor management has matured significantly in the past decade or so, there’s still one piece of the puzzle missing – a focus on the untapped value of vendors. Once this perspective is adopted, organizations can finally begin to take a disciplined and holistic approach to controlling costs, facilitating compliance, mitigating risk, and driving value out of vendor relationships.

To learn exactly how to mitigate risk and develop a structured vendor risk management program, be sure to reach out to us with additional questions.

The Federal government has launched a public awareness campaign urging all types of U.S. businesses to better defend themselves against online attackers, who may be trying to steal their sensitive data or wage supply chain attacks.

The effort, being run by the National Counterintelligence and Security Center (NCSC) aims to improve the minimum level of information security practices in place at businesses.

At a minimum, NCSC is urging all organizations to review supply chain security, safeguard against spear-phishing emails, beware of social media deception and expect that, when traveling abroad, their equipment will be subject to surveillance or interference.

One area of emphasis is monitoring and managing threats through your supply chain. “A major factor enabling supply chain threats has been the globalization of our supply chains, characterized by a complex web of contracts and subcontracts for component parts, services and manufacturing extending across the country and around the world.”

Prevention includes asking the right questions, conducting due diligence, as well as hiring “acquisition and procurement personnel” to be integral members of an organization’s “enterprise-wide risk management and security program,” NCSC says.

While these risks aren’t necessarily new, they do place a big, fat spotlight on a weakness in many vendor management programs: most due diligence focuses on the primary vendor relationship, and rightly so, as that is oftentimes where the biggest risks lie. But it’s become increasingly important to assess risk further down the line and understand all of the players involved in the ultimate provision of your goods and services. That includes manufacturers, subcontractors and downstream vendors that provide outsourced services to your primary vendor.

Now is a perfect time to take a hard look at your procurement and due diligence process to ensure you’re asking the right questions, and have the appropriate subject matter experts to assess risks throughout your entire supply chain, and can effectively protect your organization both now and into the future.

The business discipline of vendor management, or the process of driving value out of vendors through a structured approach, has long been inching its way into new territories. Procurement departments have largely adopted the vendor management framework, and data protection regulations, such as GDPR, have begun to acknowledge the importance of integrating vendor risk management.

Not surprisingly, the auditing and reporting standards released by the American Institute of Certified Public Accountants (AICPA) have also evolved dramatically within the past half-century to stress the importance of vendor relationship/risk management. This point is conveniently made clear with the AICPA’s newest project in development – the System and Organization Controls (SOC) for Vendor Supply Chains.

But this wasn’t always the case. Once upon a time, before the term ‘vendor management’ had even been coined, vendor oversight often took a back seat to a company’s internal needs or was ignored altogether. The epiphany that an entity’s vendors presented it with financial, operational, and reputational risk – and therefore should be managed/scrutinized – did not happen overnight.

This shift in perception was the product of a rapidly-changing business environment and the accompanying increase in the process of outsourcing. It was soon recognized that service vendors, such as those which process transactions and/or data for a customer (user-entity), would need to be scrutinized as closely as an in-house department would be, if not more so. In order to standardize this process and the criteria surrounding it, the AICPA stepped in.

Thus, the stone age of vendor management was over and its bright future was carved out. The standardization of service vendor oversight evolved quite rapidly soon after. We’ll guide you through this transformation by beginning with the first widely-accepted Statement on Auditing Standard (SAS).

SAS No. 70 (1992)

Before SAS 70, a company’s relationship with its service vendors was largely disconnected. The company would outsource a service such as payroll processing to the cheapest or most convenient vendor and call it a day. At some point, it became clear that this wasn’t good enough and that placing full faith in vendors wasn’t exactly business-savvy. These service vendors were processing the user entity’s data frequently and thus presented a serious operational, financial, and security risk to that organization. Thus SAS 70 was born, and service organization audits became widespread as user entities demanded more transparency into their vendors’ internal control environment.

SSAE No. 16 (2010)

Fast-forward almost twenty years to the AICPA’s replacement for SAS 70 – the Statement on Standards for Attestation Engagements (SSAE) 16. This new guide for service organization reports fulfilled the demand for enhanced insight into service vendors’ internal controls. Service vendors were held to a higher standard during audits, and vendor relationships were enhanced with the release of the Service Organization Control (SOC) reports.

These reports streamlined communications between service vendors and their user entities. They also offered more transparency into control environments in accordance with specific criteria relating to security, availability, processing integrity, privacy, and confidentiality. Once again, the idea that vendors present a security risk to their user entity was reinforced.

However, fourth-party risks were still largely ignored. What if a service vendor’s own vendor (fourth-party) failed to uphold a secure control system? In that case, the user entity would be threatened by fourth-party risk. At this point in time, organizations typically weren’t looking so far down the food chain.

SSAE No. 18 (2017)

When the newly expanded auditing standard (SSAE 18) was released in 2017, it once again changed the way user entities viewed their relationships with their service vendors. In doing so, it created new life for vendor management. The SSAE 18 requires service vendors to engage in diligent vendor management and examine the controls of their own vendors (sub-service vendors) just as closely as their customer (the user entity) is examining them. Confusing, we know, but it’s also important to understand. Service vendors must now prepare evidence of due diligence reviews, risk assessments, performance reviews, and ongoing oversight for their audit and reports. For the first time, vendor relationships are creating a chain-link of oversight and vendor management is truly transparent.

If your organization works with a service organization that has access to private information, financial transactions, or any type of restricted data, be sure to request a SOC 2 report from them. We emphasize this simply because it is such an easy task that is too often neglected. This report will provide priceless insight into the controls (or lack thereof) and risk management practices employed within the vendor that you trust with your data, your customers’ data, and thus your reputation. It’s worth looking into.

SOC for Cybersecurity (2017)

This nearly brings us to the present state of vendor management. User entities now have transparent insight into the internal controls of their vendors. They also, thanks to the requirements for the service organization’s vendor management program, have transparent insight into the controls and risks associated with their vendors’ vendors (fourth-party vendors). However, who really has access to this information? In reality, the access is typically restricted to the audited service organization and a few people at the user entity – not very transparent after all. With all of the recent data breaches covering the headlines in the past couple of years and the outrage from victimized customers, this scope of access was just not good enough by itself.

So, the AICPA also released the SOC for Cybersecurity examination and report in 2017. This came with a framework to standardize cybersecurity risk management efforts across the board, as well as offer a much broader scope of access. This report is intended for use by the boards of organizations ensuring their data (and reputation) is in safe hands, and by customers or investors who want to do their due diligence before committing to a company. For once, anyone looking to seriously assess the risk of doing business with a company can.

SOC for Vendor Supply Chains (TBD)

The AICPA has announced a forthcoming release of a new report, this time for vendor supply chains. The goal of this report is to shed some light onto the risks underlying the increasingly-complex global supply chain and how vendor management processes can contain this risk. The specifics of the next SOC release have yet to be announced by the AICPA; however, one thing is clear. No matter what it contains, the report will help to mitigate more risk and further evolve the discipline of vendor management. While businesses, supply chains, and risks continue to evolve and become increasingly complex, vendor management practices will adapt with them. That is made apparent from the past, and will continue to ring true going forward.

If you have questions about standards, reports, or vendor management, please don’t hesitate to reach out to us here.

In our latest webinar, Vendor Centric Founder and CEO Tom Rogers, VendorRisk Founder and Partner Gavin Mac Carthy, and Cohnreznick Partner and CPA Anne Schrantz came together to shed some light onto the most promising current trends in vendor management. The presenters, all of whom frequently work with clients on building their vendor management programs, discussed the best practices organizations are adopting to establish and mature their vendor management programs. To provide even more clarity into these best practices, we will be taking a deeper dive into each one throughout a series of blog posts, starting with this one.

While organizations around the world now realize how important vendor management practices are to their structural integrity and are implementing vendor management programs (VMPs) into their operations, many are struggling to conceive exactly what a VMP should look like. There are so many moving parts that go into managing vendors that many organizations are left asking themselves the same question: where does vendor management start and where does it leave off? To answer this question, let’s take a closer look at the first best practice from the webinar.

Best Practice #1: Take a Lifecycle Approach to Managing Vendors

In order to build or advance a VMP effectively, a crucial first step is to take a step back and look at your relationships with vendors from a new perspective. Too many organizations make the costly mistake of viewing these relationships as compartmentalized and low-effort – find a vendor, sign a contract, and leave it alone until something goes wrong or it’s time to cut a check. Managing vendors in this way is reckless and leaves entities exposed to financial, operational, cybersecurity, and reputational risk.

The responsible way to view these relationships requires some organization – taking all the bits and pieces of the relationships and pulling them into a structured framework that’s easy to visualize and track. It should have a clear starting point, ending point, as well as certain touch points in between. Building such a framework allows you to take a disciplined, lifecycle approach to managing vendors.

In a lifecycle approach, the various stages in the vendor relationship become clear and aligning certain policies and procedures with each stage becomes second-nature. Not only will this approach make managing vendors easier and more routine, it will also substantially reduce the risks facing your organization and make compliance with regulations more achievable.

Adopting this lifecycle approach is easier when using Vendor Centric’s Vendor Management Framework, which provides a visual for the starting/ending points of vendor relationships, as well as the most important touch points in between. There are two main components in the framework that are important to notice:

The core component: includes the 6 main stages of a vendor relationship:

  • Sourcing
  • Procurement
  • Contracting
  • Onboarding
  • Purchase-to-pay
  • Oversight and optimization

The secondary component: includes the foundational pieces – the people, processes, and systems – in a vendor relationship that really make it run:

  • Governance
  • Stakeholders
  • Policies and Procedures
  • Workflow
  • Reporting

Once this framework is adopted and the lifecycle approach is standardized, organizations can finally extract the value they deserve from vendor relationships. The framework will provide clarity to the department or team tasked with overseeing vendor management, and policies and procedures can be put in place to standardize the processes and delegate responsibilities. For organizations that previously hadn’t quite been able to visualize what a VMP should look like, this level of structure offers something unique: unprecedented transparency into vendor relationships. With this transparency, organizations will understand what level of standards should be set for their vendors, and thus can finally begin to drive real value out of them.

To learn more about the vendor management framework and how you can adopt it, check out our website page dedicated to it here. To listen to Tom Rogers and Gavin Mac Carthy discuss this best practice and more, be sure to watch the free webinar here.

Last April, the AICPA introduced a new tool for risk management: the SOC for Cybersecurity examination and report. Included in this was the cybersecurity risk management reporting framework, which was meant to standardize risk mitigation efforts across organizations.

Although the exam is not mandatory, the main goal of the release was to enable anyone with access to private information (PI) to start taking a proactive approach to protecting it and begin incorporating cybersecurity risk management. In this blog post, we will introduce the SOC report by running through four W’s (who, what, when and why) and let you make an informative decision as to whether it is right for your organization.

Who is it meant for?

In contrast to previous releases, the SOC for Cybersecurity report is not tailored to service organizations specifically. In an effort to standardize cybersecurity frameworks across the map, the AICPA designed the new SOC report as a useful tool for any type of organization looking to exhibit its controls. In regards to its intended users, the SOC for Cybersecurity is also not as confidential as the SOC 2 report and is instead designed to be accessible by a broad audience. It is most useful for anyone attempting to ensure or prove that their organization has proper controls in place, such as the board of directors, top executives, and especially CFOs and CROs. It is also largely accessible by external users looking to examine such controls, such as investors, analysts, regulators, customers, and potential creditors.

What is it?

By definition, the SOC for Cybersecurity is a reporting framework through which organizations can communicate relevant information about the effectiveness of their cybersecurity risk management programs (CRMPs). Basically, this allows organizations to better understand, and better report on, their cybersecurity controls by establishing transparency into their policies. The report consists of the following three main components:

  • Management’s Assertion – Management provides insight into the goal of the report as well as their own role in maintaining oversight of cybersecurity
  • Practitioner’s Report – Auditor expresses an opinion on management’s assertion
  • Management’s Description of the Cybersecurity Risk Management Program – Management provides a specific description of controls and risks in the CRMP

When was it released?

The framework was released last April by the AICPA. However, since this report is optional, it’s never too late to adopt it within your own organization. It may also be a wise decision to begin collecting these reports from your own vendors to ensure your information is in safe hands.

Why is it necessary?

The past five years have witnessed a changing landscape in cybersecurity. Investing in controls to protect your company from exposure was once almost a luxury. But over a short period of time, this perspective has shifted. Data breaches have impacted some of the world’s most prominent organizations; from Target, to Yahoo, to Equifax. These breaches carry consequences – fines, lawsuits, settlement fees, damaged reputation, etc. – and these consequences are becoming more serious as regulators pass cybersecurity laws such as GDPR.

Moreover, the differences between each organization’s approach to risk management have created confusion both internally and externally. According to Verizon’s 2017 Data Breach Investigations Report, 27% of data breaches in 2017 were discovered by third parties, meaning that organizations were unaware that they had been breached until another party informed them.

What we found even more interesting in this report was the fact that 25% of the breaches were caused by internal attackers, by means of employee error or a vendor’s lack of risk management. In response to such incongruities and events, the AICPA established the cybersecurity framework to provide uniformity within the business world’s risk management programs.

The time for taking an ad-hoc approach to cybersecurity is no more. Organizations are now taking a proactive approach, and the SOC for Cybersecurity framework and report is one tool assisting them with this goal.

For more information on the SOC for Cybersecurity framework or examination, we recommend visiting the AICPA website or contacting us here.

If you’re a financial institution, you’re hopefully already aware that you’re required to collect SOC reports from your vendors. If you’re not a financial institution, you might want to consider collecting them anyway. Why? Because SOC reports, particularly SOC 2 reports, are the perfect vendor management tool. And the best part is that the work is already done for you, all you have to do is request them from your vendor.

The Service and Organization Controls, or SOC, independent audit and reports were introduced in 2011 by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). Although there are three types and multiple subtypes of SOC reports, they all generally do the same thing – provide insight into how your vendors run their business, maintain internal controls, and mitigate risk.

SOC 2 is arguably the most useful out of the three. While SOC 1 and 3 just require one audit and report per fiscal year, SOC 2 reports require an examination of an organization’s controls over a period of time. At a high level, it tests controls for the security, availability, processing integrity, confidentiality, and privacy of a system.

This information is the Holy Grail of risk assessment tools for the apt vendor manager, and is typically collected from technology service vendors, or any vendor with whom you share your organization’s or your customers’ data in any way, shape, or form. In an age where the phrase “data breach” sends a chill up every executive’s spine, this sort of exam and report is an absolute must-have.

Not only is this report extremely useful when examining the controls of a vendor, but it also gives you insight into your vendor’s vendors. That’s right, we’re talking 4th-party risk assessment potential. It truly is the perfect vendor management tool. But how can it be used in practice? Let’s run through the six stages of the vendor management framework to find out.

Stages 1 & 2: Sourcing & Procurement

If you’re looking to find the right vendor that you can trust, then you’ll have to do your due diligence. Typically, this is done by reviewing the vendor’s security practices, its criticality to your business operations, and the risk level it presents you based upon its access to private data. Instead of conducting this search and sending out questionnaires yourself, try to request a SOC 2 report. While you may have to sign a nondisclosure agreement, this document will provide invaluable information on the vendor’s controls and will help take some of the load off your shoulders.

Stages 3 & 4: Contracting & Onboarding

Stages 3 & 4 are where you and your vendor should be getting everything out in the open. While contracting and onboarding a vendor, you should make your expectations very clear through the negotiation of Service Level Agreements (SLAs), limits of liability, and so on, as well as by developing your regulatory compliance oversight plan. A SOC 2 report goes a long way as a baseline for mutual agreement regarding security controls throughout this process.

Stages 5 & 6: Purchase to Pay & Oversight / Optimization

From billing information security to regulatory compliance and risk management, SOC 2 reports will help you ensure that your vendor is not only maintaining adequate controls in their auditor’s eyes, but that they are also living up to your own expectations and agreements as made clear during the contracting phase. The reports will give you insight into the effectiveness of their security controls and enable you to continually mitigate risk, ensure compliance, and drive higher performance out of your vendor.

In short, SOC reports are becoming a critical piece to the vendor management process. If you outsource any private information to a service vendor (and almost every organization does) then you should be requesting these reports to ensure your data is in safe hands.

For more information on SOC reports, we recommend visiting the AICPA’s website, or contacting us here.

Vendor incidents are occurrences of an undesirable action or situation that was caused by the vendor’s actions. Tracking vendor incidents serves several key purposes when managing vendors such as:

  • Creating visibility into incidents and ensuring they get resolved,
  • Identifying trends that may signify recurring performance issues, and
  • Using the documented incidents as a way of negotiating better terms on contract renewal.

Most vendor incidents tie back to noncompliance with a specific contract term. Common examples include:

Vendor not meeting Service Level Agreements (SLA)

Many vendor contracts, especially those with software and service providers, include service level agreements. Complex contracts may also attach penalties to the vendor for not meeting the SLAs. Tracking problems with SLAs is not only a performance management issue; it may actually result in payment of a penalty by your vendor.

Breach of contractual term or clause

  • Vendor communicates confidential information regarding your contract terms to a competitor
  • Vendor brings on a subcontractor to provide services but the subcontractor is not licensed
  • Vendor changes a process that is critical to your operation

Incident where there is not a contractual term or clause

  • Vendor’s representative is rude or unprofessional when providing customer service to your internal employees
  • Vendor is downsizing its operation that supports your services

Vendor incidents should be created at the time the incident is reported. The best way to track the incidents is by using a vendor management software system.

Where Can Vendor Incidents Come From?

There are multiple sources to obtain vendor incidents as long as a company has a process and system to track them.

Sources for vendor incidents:

  • Vendor scorecards – Monitoring scorecards is one way to verify the vendor is meeting the contractual SLAs. Any SLA that is not met should be tracked as an incident.
  • Business owner of the vendor – When the business owner has identified an issue with the vendor they should always report this to the Vendor Management Office (VMO) to track and resolve.
  • Vendor reviews – Vendor reviews usually identify areas that the vendor can improve upon — any suggested improvements should be tracked as a vendor incident to monitor for resolution.
  • Internal resources that interact with the vendor – Internal employees that deal directly with the vendor will always be a good source to identify issues. No matter how petty the issue may be, the VMO should be the gatekeeper for all vendor issues.
  • Your customers – Some vendors may deal directly with your customers, and these customers may raise complaints. The channel your company has for complaints should feed any vendor-related issues back to the VMO to track.
  • Media – The VMO should be tracking the media for alerts on their vendors. There are usually industry-specific e-publications that you can subscribe to in order to help track your vendors.
  • Vendor – When vendors incur incidents, they should let their clients know immediately. Reporting directly to the VMO to capture the incident is the most efficient way to deal with such an occurrence.
  • Vendor’s competition – The competition likes to talk — while most of their claims could be false, it is always important to vet their claims with the vendor and other sources before disregarding any such claim.

You Have a Vendor Incident — What Do You Do?

The Vendor Management Office (VMO) should be responsible for maintaining and managing vendor incidents.

1. Track the incident in a centralized system
  • Log the incident type
  • Log the date and time of occurrence
  • Obtain and log the vendor’s action log of repair
  • Log the resolution date and time
  • Document if the incident is related to a contractual term
2. Validate if the incident is repetitive
  • Review the incident log to validate if in fact the claim is a repetitive issue
  • If repetitive, review the past resolution and meet with the vendor to determine the root cause of the re-occurrence
  • Have the vendor build a new action plan and review their proposed resolution
3. Review the incident with the business owner
  • Alert the business owner of the incident
  • Provide your findings and determine the course of action: (a) Action Plan, (b) put on notice or (c) terminate vendor
4. Review the incident with the vendor
  • Advise the vendor of the incident and provide next steps for the vendor
5. Track the incident to ensure resolution
  • If an Action Plan is needed, manage the vendor to their Action Plan to resolve the incident. Make sure the Action Plan is SMART-based and has specific timelines.
6. Document vendor incidents in next vendor review/contract negotiation
  • During vendor performance reviews, internal vendor reviews and contract negotiations, all of the vendor’s incidents from the last review/negotiation should be included.

Gavin Mac Carthy is Founder and Partner of VendorRisk, a software company that helps organizations manage their vendors & contracts through a cloud-based vendor management platform. You can reach Gavin at gavin@vendorrisk.com.

Developing a centralized procurement process can mean greater efficiency and heightened visibility for your organization. Procure-to-pay software creates spend visibility and context for contract and vendor management. If you’re not funneling everything through a central procure-to-pay software, you aren’t creating any of the controls or embedded workflows that the procurement function is equipped to manage.

Joe Payne, of Source One Management, is back again for a deeper conversation into the role which technology now plays in today’s procurement process.

One of the biggest challenges in procure-to-pay adoption can be attributed to its history of use primarily among large industry players. This has made it difficult for mid-market players to adopt the technology. Such technologies have since been scaled down to where it now makes sense for mid-market players to implement these programs. In reference to trends in P2P adoption, Payne noted, “Most major players in the industry are predicting between 40-50% growth just within the U.S. market in the next year. This tells us that it’s still a new system and there is a lot of room for companies to begin adopting these technologies.”

The value from these processes comes from the centralizing of data in reference to the suppliers your organization is working with and what you’re doing with said suppliers.

A high-level overview of procure-to-pay technology follows the workflow outlined below:

  1. Organization recognizes a need and creates a requisition
  2. Requisition is submitted as a purchase order
  3. Procurement function reviews purchase order and directs order to approved vendor
  4. Purchase is either made through the vendor or goes directly into a cataloging system
  5. Software automatically sends purchase order to preferred vendor
  6. Organization manages the product’s receipt and any embedded supplier management activities

The above workflow follows the organization all the way to the payments made to the supplier through a designated invoicing technology. Procure-to-pay programs are a great way to connect the various points within the P2P process through technology!

For many companies, procure-to-pay software transforms a very inconsistent, paper-based process, and brings it into a central system; a system which both automates the workflow and aids in compliance and approval processes. Integrating technology into the procurement function provides visibility into the organization’s collected data and allows for deeper analysis and therefore better-informed decision-making.

Hear more from our conversation with Joe Payne on procure-to-pay technology by listening to our podcast titled The Evolution from Procurement to Vendor Management with Joe Payne Source One Management.

With the new General Data Protection Regulation (GDPR) in effect, companies across the globe are attempting to discern whether the new law applies to their business, and if so, how they can become compliant as to avoid any potential fees.

As usual, massive regulation is yielding little guidance. To shed some light on this issue and get to the bottom of the newly enacted laws, Vendor Centric CEO Tom Rogers interviewed Alan Tilles, Partner at the law firm Shulman Rogers. Alan is an expert in data privacy and telecommunications law, and has been supporting businesses across the U.S. to get compliant with the GDPR.

Here are a few of the highlights from the interview.

  • GDPR is intended to give the owner of private information (PI) the right over who has access to it, as well as the right to be promptly notified if it was breached. It became effective May 25, 2018.
  • Many, if not most, U.S.-based establishments need to be compliant with GDPR. Even if you think you don’t conduct any business in Europe, Alan suggests you ask yourself these four questions before you ignore it completely:
    • Do you take credit cards?
    • Do you not restrict who you take credit cards from?
    • Do you do business with non-U.S. citizens?
    • Do you have a mailing list?
  • There are significant penalties for noncompliance. Some of the sanctions that can be imposed on companies include a fine of up to 10 million euros, or 2% of annual worldwide turnover of the preceding financial year, whichever is greater; or up to 20 million euros or 4% if infringement of other provisions occurs.
  • Alan advises to start simple – update your privacy notices on your website. One of the changes in GDPR is that website privacy notices must be more informative and be stated in plain English.
  • One other key point noted was that companies need to ensure certain vendors are complying with these regulations too. “If vendors are doing things like processing credit cards or creating mail lists for you, it’s your responsibility to ensure that they are complying on your behalf.”

Listen to the full interview with Alan Tilles by listening to our podcast titled, “GDPR and Vendor Management: Rethinking Privacy.”

New to Vendor Management? No problem. You can start here by listening to our first podcast in the series called “Rethinking Vendors.”

Our vendor management experts provide insight into the business discipline of vendor management, why it is growing in importance and adoption, and how Vendor Centric is creating solutions to help organizations manage risks, costs and compliance with their vendors.

Come for an introduction and stay for much more as you browse through our series of podcasts that each focus on a different aspect of vendor management. Listen to the full podcast here, and contact us with additional questions here.

In the competitive solicitation process, I oftentimes find there is confusion about the different types of ‘requests’ that can be solicited. Is it a proposal? A quote? Or is it a matter of simply looking for some preliminary information?

Regardless of the nomenclature, there are three types of requests that most organizations use: RFIs, RFQs and RFPs (collectively “RFXs”). All three have certain features in common, but each has clear distinctions. Understanding those distinctions will vastly improve your competitive solicitation process and increase the likelihood you’ll select the right vendor for the job.

Here’s a rundown of each document’s distinctions and guidance on when you should use it.

Request for Information

A Request for Information (“RFI”) is a preliminary document used to gather information about the products/services you are looking to procure, and the solutions, capacity and capabilities of vendors who you’ve identified as potentially being qualified.

The RFI is a great tool to use when you need more information to help you understand the marketplace and, at a later point in time, create an RFQ or RFP for the products/services you want to buy. You can also use it to stimulate the supply market and to condition prospective suppliers about the potential opportunity that may exist.

Because an RFI is more of a fact-finding document, you’ll want to ask open-ended questions that allow the vendor to talk about its full range of offerings. Typically, the RFI will state the broad business challenges you’re having, and then the vendor can tailor its response within the context of those challenges. Oftentimes, the vendor will provide an overview of the market, explain its position in the marketplace (for instance, what industries it specializes in) and help you understand how it charges for the products and services it sells.

Request for Quotation

A Request for Quotation (“RFQ”) is a document used to solicit quotes from prospective vendors, generally when the goods/services being procured are not costly or complex. They are most beneficial when you’ve established a clear and complete set of technical and functional requirements, and when there is little difference in the solutions and expertise offered by prospective vendors.

The key elements of an RFQ should include, at a minimum, clear technical, functional and other requirements, pricing preferences (e.g., fixed fee, time and materials), and delivery terms. Many companies also include their standard terms and conditions in the RFQ to ensure the prospective vendor considers those in their response. These can include payment terms, indemnification, right to cancel and other important contractual clauses.

Request for Proposal

Different from an RFQ, a Request for Proposal (“RFP”) is used for more costly and complex procurements, especially when there are a variety of factors you need to evaluate and consider when selecting the right vendor and solution. As a result, the RFP process is more comprehensive and time consuming than the RFQ process. It generally involves multiple stakeholders and requires a greater focus on vendor risk management.

An RFP contains more specificity than an RFQ in terms of a company’s needs, and allows for much more creativity in proposal responses from prospective vendors. In addition to outlining the scope of work, delivery terms and fee requirements, RFPs also generally include company background information and broader goals around the goods/services being procured. The key is to provide sufficient context to vendors in order for them to propose a valid solution, while also allowing leeway for the vendors to apply creativity and best practices to fulfill those needs.

Which one is best?

The answer really depends on two things: what you’re procuring, and the experience you have with the products/services being procured.

If the procurement is complex and is for a new technology or entirely new set of technical/functional requirements, it would be a good idea to perform an RFI to better understand the marketplace. While it takes more time, it allows you to get smarter about the viable solutions, vendors and related risks.

If the procurement is relatively simple and the requirements are clear, an RFQ is a really efficient way to ensure you are getting the right pricing from a relatively similar group of vendors.

And an RFP is the right tool to use when requirements are more complex (or aren’t quite as clear), and when you’ll need to evaluate both the solution and the vendor on a variety of factors beyond just price.

Regardless of which method you use, we recommend establishing guidelines and standards to help the folks who manage the procurement do it the best way possible. RFx templates and checklists are both important tools to help with this process.

As vendors and other third parties become more intertwined in day-to-day operations, vendor risk assessments are growing in adoption. Doing a proper third party risk assessment allows you to understand the level of risk you assume in each vendor relationship, and make informed decisions about how to mitigate and manage those risks. Or in some cases, avoid an unnecessarily risky vendor relationship before it’s too late.

Here’s a four-step process for conducting vendor and other third-party risk assessments that can scale to companies of different sizes and industries.

1. Develop Vendor Risk Criteria

Before you can do a risk assessment, you must first define the criteria on which you want to evaluate risk. There are lots of potential criteria to consider, and many industries have vendor risks that are important to them. For example, vendors who collect or store personal health information (PHI) present a very high risk in the healthcare industry. So it’s important that you view your risk criteria through your own, unique lens.

With that said, there are several vendor risks that are common across many industries.

  • Operational Risk. How important is the vendor’s work to your organization’s business activities and operations?
  • Data/Privacy Risk. Will the vendor be collecting or storing any data on your customers, members, donors or employees?
  • Transactional Risk. Will the vendor be processing any of your financial transactions?
  • Replacement Risk. If the vendor were to go out of business due to financial insolvency or other issues, could you replace them quickly to avoid disruption to operations?
  • Downstream Risk. Will the vendor be using their own vendors (i.e., fourth and fifth parties) who play a role in the delivery of your products or services?
  • Compliance Risk. Are there vendor-related regulatory issues with which you must comply?
  • Geographic Risk. Is the vendor located in a region or country in which it is inherently risky to do business?

2. Create a Preliminary Vendor Risk Profile

Once your risk criteria are identified, you will use them as the basis for a formalized risk assessment. In your assessment you should evaluate the risks of a new vendor relationship based on your risk criteria, and establish a preliminary risk profile of the vendor. This allows you to understand where your inherent risks lie with the vendor and assign an appropriate level of due diligence.

When doing this, most companies create different tiers for their risk profiles. The most common are high, medium and low tiers of risk, but the number of tiers is up to you. The higher the risk tier, the more due diligence you will need to perform to evaluate each of the risks and how well they can be mitigated and managed.

3. Perform Due Diligence Based on Risk Profile

Once the risk profile is established, the next step is to perform vendor due diligence to assess the risks you’ve identified. The riskier vendors will require more upfront due diligence and if you end up contracting with them, a higher level of ongoing oversight too.

Good vendor due diligence allows you to collect the right (and right amount) of information based on the vendor’s risk profile. Most companies collect information through the use of due diligence questionnaires and supplement those with other documents such as audited financials, SOC 2 reports, and disaster recovery plans.

Once the information is collected, you’ll need the right subject matter experts to help analyze it. This may require involving IT, security, finance, compliance or other experts to evaluate responses and reports. Some organizations also establish committees to help manage this process.

There are unique challenges to performing vendor due diligence when working with smaller companies, especially those that are privately held. Many won’t have audited financials or SOC 2 reports, so you’ll need to be flexible in how you assess those areas.

On the flip side, larger vendors may have an abundance of information but may require a more expansive due diligence process. This can include triangulating their responses with information from other data services (like Dun & Bradstreet Supplier Risk Manager). They may also require you to perform on-site visits to walk through and test processes.

Just remember that you don’t need to apply the same level of due diligence to every vendor. Align your activities with your vendor risk profiles to be both efficient and effective in this process.

4. Address the Risks You’ve Uncovered

The final step in the process is to actually take what you’ve learned and determine what to do with the information you’ve collected. Does the vendor have adequate systems and controls in place to mitigate the identified risks? Are there additional steps you need to take to further evaluate processes? Or is there simply too much risk to do business with that vendor?

Know that the goal of the vendor risk assessment process is not to eliminate all risks, but to use real data to understand what those risks are and determine how you’re going to mitigate and manage them.

Two of the most common ways to manage vendor risk are through well-designed contracts and ongoing vendor oversight activities. So it’s important to coordinate with legal during contracting, and the actual business units post-contract to ensure there is an appropriate level of ongoing vendor management.

The reality is that the “problem” of vendor risk isn’t going away. Business relationships are becoming more complex, and vendor risk assessments have transitioned from a ‘nice-to-have’ to a ‘requirement’.

Make sure you have a good process in place to know who your riskiest vendors are, and proactively manage those risks throughout the lifecycle of the vendor relationship.

Sourcing and procurement are both important business disciplines that oftentimes get mingled together. Though distinct, both are important activities that enable organizations to proactively and responsively address business needs, while concurrently managing costs, risks and compliance.

We recently sat down with Joe Payne, VP of Client Services at Source One Management, to discuss a variety of emerging trends and best practices in procurement and vendor management. Source One is a consulting firm that focuses on supporting strategic sourcing and procurement for their clients, and Joe is a leading thinker on the topic of procurement transformation.

One of the first topics we discussed was the difference between procurement and sourcing, and why it’s important for successful companies to have a vendor management program that incorporates both.

“Ultimately, the value proposition that sourcing and procurement bring to an organization has more to do with innovation and risk management than simply controlling costs,” said Payne. “Procurement, as it’s traditionally thought of, is no longer just about compliance. It’s about how you thoughtfully engage with suppliers, in a process-driven way, to create a competitive advantage.”

While procurement and sourcing are oftentimes thought of as a singular function, they are actually quite different and require different skill sets. “Sourcing is more strategic. It focuses on understanding the business need and the purpose it serves, and then determining the right approach to sourcing that need,” said Payne. “Procurement, on the other hand, is more tactical. It requires following a disciplined approach to developing requirements, managing solicitations and analyzing results to make the most informed decision when selecting a new vendor.”

Organizations need to have both a strong sourcing and procurement function (with the appropriate skill set for each) to address the strategic and tactical issues associated with making the best decision for acquiring goods and services.

Hear more from our conversation with Joe Payne by listening to our podcast titled Strategic Sourcing and Procurement with Joe Payne, Source One Management!

Conducting the right level of vendor due diligence is a hot topic in vendor risk management. Here are seven tips for doing it effectively.

1. Set the right tone at the top

Senior management (as well as the board) must buy into the fact that managing vendor risk is an enterprise-wide initiative and not something that ‘comes from compliance’. This positions vendor due diligence as a required business practice, versus a nice-to-have, and allows for repercussions to occur if it’s not handled properly.

2. Consider a steering committee

Most organizations don’t have a formal vendor management office, and many don’t even have a central procurement department. Given the myriad stakeholders that can be involved in due diligence – procurement, compliance, risk, IT, finance and, of course, the actual business owner – a vendor management steering committee can be a way to provide governance to the due diligence process. This group can ensure the right questions are asked, and only properly vetted vendors come on board.

3. Communicate the value of vendor due diligence to your front line

The actual buyers of goods and services in your organization are the most important trigger for the due diligence process. Help them understand that good due diligence will ultimately benefit them, not you.

4. Align due diligence activities with risk profiles

Not every vendor carries the same amount of risk, so due diligence should align with the risk profile of the vendor. Use a set of gating questions to initially tier your vendors based on what they do and the risks they bring. Then align your vendor due diligence activities based on those risk profiles – more risk equals more due diligence.

5. Build due diligence into the procurement process

Incorporate due diligence questions into the RFP/RFQ process with prospective vendors. This allows you to begin identifying potential risks and plan your due diligence activities early in the process.

6. Automate questionnaires and document collection

Using vendor management software to automate the due diligence process ensures consistency, provides visibility into compliance and drives the process much deeper into your organization.

7. Reassess vendors on a periodic basis

Due diligence is an ongoing activity and doesn’t end at contracting. Best practices are to perform an appropriate level of due diligence throughout the lifecycle of the vendor relationship to ensure things haven’t changed since your initial assessment.

A strong due diligence process is a must if you want to properly understand and mitigate vendor risk. Don’t skimp on the process, especially with your higher risk vendors. There are too many opportunities to regret it if you do.

This blog is part of a series on vendor management best practices and insights shared at the 2018 Third Party Risk Management Summit. More than 150 vendor management professionals from some of the most leading-edge companies gathered to discuss this growing business discipline.

Negotiating the right provisions in your contracts is one of the most important things you can do to mitigate and manage risks in your vendor relationships. Here are nine provisions you want to make sure you address in your vendor contracts.

1. Business Continuity and Disaster Recovery – Covers what happens in the event of a service interruption. Should include the right to test a vendor’s business continuity plans.

2. Data Ownership and Transfer – Identifies who owns the data that is collected and/or stored, and the process to be followed in getting that data back when you want it.

3. Indemnity and Liability – Allows for relief in the event a vendor does something wrong or fails to perform, and sets the limits around losses incurred as a result of a vendor failure.

4. Information Security and Privacy – Different from data ownership, it restricts the use of the data by permitting the vendor to use data only as required to perform the services.

5. Right to Audit – Provides the ability for you to audit the vendor’s operations and records to ensure they are meeting contractual requirements, industry standards and/or compliance with laws and regulations.

6. Scope of Services – Defines the nature of the services/products, timing, delivery methods and location. You’d be surprised how often these are too vague to hold anyone actually accountable.

7. Service Level Agreements – Establishes agreed upon expectations for service levels the vendor must meet. These are common in technology and outsourcing contracts, and should address expectations for non-performance or breach, and penalties for both.

8. Subcontractor Relationships – Requires the identification of 4th parties the vendor may use, and how the vendor is going to monitor their compliance with applicable contractual agreements.

9. Termination Events – Defines what triggers termination, and the transition activities that must occur to effect an orderly transition.

Incorporating the right provisions into your contracts allows you to mitigate risk at the start of the relationship rather than trying to “put the toothpaste back in the tube” later on. It also lets you strike a balance of risk and liability in your agreements that makes sense for both you and your vendors.


Businesses in the financial services, healthcare and nonprofit sectors are heavily regulated with regard to procurement, contracting and management of relationships with third party vendors. Complying with those regulations is critical. However, the days of vendor management being purely a ‘compliance’ issue are fading away. More and more organizations are elevating the conversation about vendor management from a focus on compliance to, instead, a focus on risk.

That was the sentiment from a panel of vendor management experts at the 3rd Annual Third Party Risk Management & Oversight Summit. Risk, compliance and vendor management professionals from Abercrombie & Fitch, Centene Corporation and Ionic Security shared their thoughts on some of the ongoing and emerging vendor risks that keep them up at night. Pay attention – you may just recognize many of these vendor risks in your organization too.

1. Data Management and Security Risk – In 2017, more cybersecurity breaches were reported than in any previous year. The panelists agreed these breaches are only going to grow in frequency and, most likely, impact. Knowing which of your vendors are going to collect and/or store data, and focusing heavily on how you’re going to monitor and manage data and security risks with these vendors, should be a major concern and focus for everyone.

2. Operational Risk – As reliance on vendors for critical business functions continues to increase, they collectively pose a significant risk to business operations for most companies. Mitigating these risks requires an understanding of key vendors’ own processes and operations, and insight into their health to ensure they can continue as a going concern.

3. Regulatory Compliance Risk – CMS, OMB, GDPR and OCC are only a few of the regulatory bodies that are targeting better management of third party vendors. Panelists agreed this is only the start, and regulatory compliance requirements for vendor management will continue to expand. It’s critical to integrate your compliance stakeholders into your vendor management program.

4. Geographic Risk – Abercrombie and Fitch sources from all over the world, and has identified 20 countries with a high risk profile. When they work with vendors in these countries, they perform additional upfront due diligence and expand ongoing vendor and contract oversight and management too.

5. Downstream Vendor Risk – An emerging area of vendor risk management is downstream vendors. For example, Centene Corporation (healthcare) outsources nearly all of the work required to deliver care and products to their insured members. This means they rely heavily not only on their direct vendors, but also on the ability of their vendors’ vendors (i.e. downstream vendors) to deliver. Gaining visibility into these downstream vendors, and ensuring they are being risk assessed (and managed), is critical to ensuring consistency of quality care to their members.

6. Reputational Risk – While not a risk on its own, everyone agreed that the worst outcome of problems with vendors can be damage to the organization’s own reputation. Data breaches are a great example. The public and regulatory bodies don’t care whether or not third party vendors were involved – they care that the company they entrusted with protecting their information is doing so. And that requires proper oversight and management of their vendors.

Do any of these risks hit home with you? If so, now’s the time to evaluate your own vendor management program to ensure you’re able to identify, assign responsibility and mitigate these risks before problems arise – if they haven’t already.


Vendor Centric specializes in helping organizations create and mature the policies, procedures and systems they use to manage their important vendor relationships. For more information about our vendor management software and services, visit us at www.vendorcentric.com.

Target did nearly $70B in revenue in 2016 and had vendors operating in more than 50 countries. So it’s hard to believe that the retail giant only started their third party risk management program (TPRM) in 2015! But as Sarah Fercho, Director of Vendor Risk Management at Target, shared at the 3rd Annual Third Party Risk Management Summit, that’s exactly when their TPRM program started.

Sarah noted that shortly after the program was formalized, it was determined that the best place to initially focus would be with Target’s highest risk vendors in both merchandising and non-merchandising. So in 2016, Sarah and her team risk rated their vendor relationships, identified those that were most important to Target’s operations and business continuity and started their efforts there.

And as they began rolling things out, they developed a set of five priorities for vendor management that served as the foundation for their efforts. They were simple yet substantive, and provided guidance on where to focus efforts across their portfolio of thousands of vendors. They are:

1. Knowing with whom they do business – that means collecting and centralizing important information about vendors such as profiles, contracts, spend and relationship owners.

2. Protecting Target’s interests with appropriate contracts/agreements – they use contractual standards and templates, and have clear roles and responsibilities for contract development, approval and authorization.

3. Conducting consistent onboarding – which lets the vendor management team set expectations and make sure every vendor knows how to do business with Target.

4. Monitoring the relationship throughout the vendor lifecycle – this requires a coordinated approach to managing the vendor relationship from cradle to grave. This begins during the sourcing and procurement stages, and continues through contracting, onboarding and continuous performance management and risk assessments.

5. Executing intentional off-boarding – this means that vendor relationships don’t just dissolve into nothingness. They are transitioned in a thoughtful, deliberate way. This ensures an effective transfer of knowledge and data, and coordinated closure of all contractual responsibilities and terms that were agreed upon.

The responsibility for adhering to these tenets doesn’t live in one place – it permeates the entire company. There are actually three lines of defense, which start with the business units (first line), move up through management and specialty departments like compliance and procurement (second line), and ultimately bubble up to committees of the board of directors (third line). Also, the highest risk vendors require an Executive Sponsor (VP) and a day-to-day relationship manager.

The recency of the formalization of Target’s third party risk management program is a reminder that the business discipline of vendor management is still emerging – even to a company with nearly $70B in revenue. But evolving regulations for managing third parties, and a continued increase in cybersecurity breaches, are driving more formalized adoption of vendor management in organizations of all sizes.


Vendor Centric is excited to announce we have partnered with Humentum and InterAction, the two leading membership organizations of International NGOs, to develop a new purchasing cooperative program for their joint members.

As resources continue to shrink and force organizations to make critical budget decisions, the goal of the cooperative is to unlock the possibilities for members to have access to products and services at reduced rates. In addition, the purchasing cooperative will help International NGOs reach greater efficiency and take much of the guesswork out of vendor vetting.

During the next few months, Vendor Centric will be working with Humentum and InterAction to reach out to their member organizations to find out what specific needs would be most useful. Surveys, in-person focus groups and telephone conversations will be held to ensure we have the best data possible to create an offering that is based on member needs and feedback.

Vendor Centric specializes in helping organizations create and mature the policies, procedures and systems they use to manage their important vendor relationships. Learn more about our vendor management software and services.

We have previously discussed the benefits of using a vendor management framework to help shape and structure the fundamental building blocks of a vendor management program. Now, we want to break down the first three stages of vendor management, dissect what role each plays in your overall vendor management program and share how Vendor Centric can help you integrate each element within your overall program.

Stage 1: Sourcing

Sourcing is, for many organizations, the first stage in vendor management. It is also one of the most strategic. Sourcing requires an organization to take a holistic view of the common categories of goods and services they buy, and to develop a thoughtful, organized approach for procuring them in a consistent manner across every location and department. The activities associated with sourcing include:

  • Analyzing spend
  • Defining requirements
  • Assessing the vendor marketplace
  • Evaluating sourcing options
  • Establishing a sourcing strategy and plan

Vendor Centric can help you implement an effective strategic sourcing program by:

  • Identifying, engaging, and collaborating with the appropriate stakeholders
  • Aggregating, standardizing, and analyzing spend data housed on different documents and in myriad systems
  • Designing and implementing category-specific sourcing strategies that align with the size and complexity of your operations

Stage 2: Procurement

Procurement is the function in which the vendor relationship truly begins. It can follow a sourcing strategy (if one is in place), or it can be a stand-alone event that happens when a new need or set of requirements is identified.

Good procurement practices allow an organization to develop clear requirements, solicit from a qualified pool of vendors, and consistently select a vetted vendor who provides the best overall solution. Common activities in procurement include:

  • Defining requirements
  • Developing the RFP/RFQ
  • Identifying qualified vendors
  • Managing competitive solicitations
  • Evaluating bids and proposals
  • Conducting due diligence
  • Facilitating the contract process

Vendor Centric can help you implement an efficient and compliant procurement management program by:

  • Assessing current procurement activities with a focus on streamlining processes and implementing best practices
  • Clarifying roles and responsibilities in the procurement process
  • Evaluating and updating policies and procedures to comply with regulatory requirements
  • Managing new vendor risk assessments and due diligence
  • Implementing procurement management software

Stage 3: Contracting

While contracting with vendors is sometimes approached as an afterthought to the procurement process, it is a critical stage in the vendor relationship, as it provides the opportunity to formally document the business relationship you’ll have with your vendor.

A well-developed vendor contract will provide clarity around key terms, performance standards, roles and responsibilities. But most of all, the contract is the most important tool for mitigating risk in the vendor relationship. Key activities include:

  • Establishing contract ownership
  • Negotiating contractual terms and conditions
  • Developing contractual documents
  • Executing and setting up contracts

Vendor Centric can help you implement an effective contract management program by:

  • Helping you develop contracting standards
  • Clarifying roles and responsibilities in the contract management process
  • Developing contract policies, procedures, forms, checklists, and templates
  • Implementing contract management software

This is the first in a series of blogs about how you can build a vendor management program, and how Vendor Centric can help. Learn more about Vendor Centric’s vendor management framework on our website.

There probably is not any feature of the Uniform Guidance issued by the Office of Management and Budget that has caused more angst than the rules on procurement of goods and services using federal grant funds. For sta