Tom is a trusted advisor on procurement and third-party management to organizations across the United States. Having worked with over 120 organizations over his 30-year career, he has a unique ability to bring creativity and discipline to finding solutions for even the most complex challenges his clients face.Vendor management is an evolving business discipline. As you can imagine, vendor management terminology is evolving too.
While terms like procurement and contract management are familiar to most, others like Critical Vendors and Residual Risk Remediation are new to many.
Regardless of where you are in your vendor management journey, here is a breakdown of 14 vendor management terms everyone needs to know.
- Contract – A legal agreement that is used to document formal terms and conditions agreed to with Vendors. Contracts can take many a variety of forms including, but not limited to, including master services agreements, statements of work, consulting agreements, licensing agreements, subcontracts and amendments
- Contract Owner – The individual who is assigned responsibility for managing the contract, and monitoring the vendor’s compliance with contractual terms and conditions.
- Critical Business Function – An activity (or collection of activities) normally performed by the business that must continue at a sufficient level without interruption, or restart within acceptable timeframes, in order to ensure continuity of operations and/or avoid adverse effects to the business, employees, customers or other key stakeholders.
- Critical Vendors – A vendor that supports a critical business function and, if unexpectedly removed, would have an adverse effect on the critical business function. Ensuring business continuity with these vendors is of utmost importance.
- Due Diligence – The process of gathering detailed information about a vendor (e.g., financials, processes, procedures, SOC reports, and other data) in order to evaluate their policies, procedures, and controls. Due diligence should be risk-based and aligned to the vendor’s inherent risks.
- Fourth Party – Downstream ‘vendors of your vendors’. (Sometimes also called ‘Nth Parties.)
- Inherent Risk – The risk that exists in a vendor relationship (considering the products and/or services that are being provided) before the vendor’s mitigating factors (i.e. policies, procedures, and controls) have been evaluated.
- Key Risk Indicators – A collection of metrics used to monitor risk exposure with a vendor or collection of vendors, and to provide early warning signs of increased risk.
- Key Performance Indicators – A collection of metrics used to monitor a vendor’s performance against contractual requirements, quality standards, and other outcome-based expectations.
- Procurement – The collection of activities necessary to obtain goods and services for a business.
- Residual Risk – The risk that remains in a vendor relationship after due diligence has been performed, and the vendor’s policies, procedures, and controls have been considered. Residual risk can either be remediated, managed/mitigated, or accepted/rejected.
- Service Level Agreements – Defines the level of service an organization expects from a vendor, laying out the metrics by which service is measured, and remedies or penalties should any agreed-upon service levels not be achieved.
- Vendor – A supplier, contractor, consultant, or other type of third-party that provides goods or services as a normal course of business.
- Vendor Risk Management – The systematic approach to providing reasonable assurance that inherent and residual risk associated with vendor relationships is mitigated and aligned with the objectives of the organization.
While this list covers a lot of the basics, it is far from being exhaustive. If you’re looking for a term that’s not here, check out this glossary of more than 100 vendor and contract management-related terms from our friends over at Gatekeeper.
