Vendor management is an emerging business discipline, being adopted with greater frequency by companies across every industry. Part of this emergence has been a transition from a purely compliance-based function to an enterprise risk-management function, oftentimes residing outside of compliance in its own vendor management office.
But there is no one-size-fits-all approach when it comes to a vendor management program. Rather, every organization should scale its vendor management function to align with its size, complexity and overall risk appetite. If you are getting a new program off the ground, or in the early stages of getting adoption within your organization, consider the vendor management best practices highlighted below.
1. Right-size your vendor management program for you.
Many companies delay starting a vendor management program because it seems overwhelming. Our advice – don’t try to boil the ocean. Get your fundamentals in place and kick things off by focusing on your most critical and riskiest vendors.
2. Set the right tone at the top.
Your leadership must buy into the fact that vendor management is a core business discipline and not a compliance function. It’s critical to have buy-in from senior management (and the Board, when applicable) for the program to have teeth, and deliver the type of measurable value it’s capable of.
3. Establish governance and engage your stakeholders.
Vendor management involves multiple stakeholders and subject matter experts from across the organization. In addition to the Business Owner who actually manages the day-to-day vendor relationship, you need to establish responsibilities across all lines of defense including risk, compliance, legal, information security and business continuity. You also need to define who is ultimately accountable at the top, and a reporting hierarchy to keep everyone informed and working together.
4. Get visibility into your vendors and contracts.
Too many organizations lack even the basic systems to know who their vendors are and what contracts they have with them. Data and documents reside in multiple places including emails, shared folders and file cabinets. You can’t run a vendor management program with incomplete and disparate data. You need a central system for storing, managing and reporting on vendor-related information.
5. Know which risks apply to which vendors.
Not all vendors are created equal, and different types of vendor relationships bring different types of risk. Vendor risk assessments and tiering are core components of your vendor management program. They allow you to know where your risks are with every vendor relationship and align your due diligence activities accordingly.
6. Don’t skimp on due diligence.
Assessing risks is only part of the process, though. Due diligence is where the rubber meets the road in terms of drilling down to really understand your risk exposure and implement the appropriate tactics to reduce residual risk. Be sure to align your activities with the risk level of the vendor – more risk always requires more due diligence.
7. Be disciplined in contracting.
Contracts are your only opportunity to legally document the business terms to which you and your vendor have agreed. Yet contracting is an inconsistent process in many organizations, resulting in unclear expectations and unnecessary risk. Your vendor risk management program should provide for a standard, consistent contracting process that ensures all of the necessary risk-mitigating contractual clauses are incorporated into the final agreement.
8. Establish expectations during onboarding.
Vendor management doesn’t stop once the contract is signed. Rather, that’s when most of it begins. Your vendor risk management program must address what happens post-contract and who will be responsible.
9. Monitor and grow the relationship like you would any other.
Developing a strong, mutually beneficial relationship with your vendor requires an investment from both of you. It also requires following a consistent process for continually evaluating performance, costs, risks and compliance. This is where the relationship can blossom and provide tremendous value, or fall flat and lead to big problems. Nurture your vendor relationships to get the most value from them.
10. Have a formal process for breaking up.
When the relationship needs to end, don’t guess on what to do next. Have a formal process for off-boarding your vendors, especially as it pertains to key contractual requirements such as transfer of assets, data, or destruction of confidential information. You don’t want to leave this stuff to chance. So don’t.
Best Practices for Establishing a Vendor Management Program
Following these 10 vendor management best practices will ensure a solid foundation for any new program trying to gain adoption. How you ultimately run your program from there will depend on the size and complexity of the organization and the goals you’re trying to drive.
At Vendor Centric, we believe that a formal vendor management program is not a nice to have – it’s a must in today’s business environment. If you need help creating a new program, or taking your existing one to the next level, give us a call.