Earlier this year, I wrote about the 6 Foundational Elements You Need to Incorporate in Your Vendor Management Program. One of the six foundational elements is a Vendor Management Policy (and related operational procedures). In this article, we’ll focus on some tips related to writing a vendor management policy. These tips can be applied to brand-new policies (if you are just getting your Vendor Management Program up and running), or existing policies that might just need an update here and there.
1) Address these core components – Every organization has a unique approach to writing corporate policies. Some follow a standard policy template (requiring consistent formatting and certain policy components), while other organizations give policy owners/authors the flexibility to write their policy the way they see fit. Regardless of structure or format, make sure your vendor management policy addresses these core components:
- Roles and Responsibilities – It should be clear who owns the policy (usually the Board or, if your organization does not have a Board, executive management). Your policy should also clearly spell out who the key stakeholders in your vendor management program are, and what their specific responsibilities are with regard to managing vendor risks.
- Criticality vs Risk – Oftentimes, I see organizations using the terms “criticality” and “risk” as synonyms. These terms actually have very different meanings.
  - Criticality refers to how significant a vendor is to your organization’s operations – if the vendor failed or was suddenly not operational, would your organization still be able to function, or would there be serious financial impacts?
  - Risk refers to the level of inherent risk a vendor could pose to your organization due to their level of access to information/data, financial impact, access to your building/office, or other categories of risk (as described below).
- Categories of Risk – What categories of risk does your organization assess at the start of a new vendor relationship (and on an ongoing basis)? Some common categories of risk that should be baked into any vendor management program include: financial, operational (including information security risk, concentration risk, 4th party risk, etc.), reputational, compliance, and legal risks.
- Vendor Lifecycle – Your policy should follow a vendor risk management framework that covers the key lifecycle stages of vendor risk management, including:
  - Risk assessments – Assessing the level of inherent risk a vendor poses to your organization, which helps determine the level of pre-contract due diligence needed as well as the type and frequency of ongoing monitoring activities.
  - Due diligence – Obtaining assurance that a supplier is able to meet your organization’s strategic, financial, or operational needs (through questionnaires, document collection and analysis, etc.). Due diligence should be performed prior to executing a contract with a vendor.
  - Contracting – Drafting, reviewing, negotiating, and executing agreements, ensuring that your organization’s standard terms and conditions are addressed and that the appropriate people review the contract prior to execution.
  - Ongoing monitoring – Performing point-in-time monitoring (i.e. assessments) and continuous monitoring (i.e. through the use of business intelligence tools), the type and frequency of which depend on the vendor’s level of inherent risk.
  - Termination/offboarding – Ensuring that your organization puts all vendors through a standard process when their goods or services are no longer needed (e.g. revoking access to systems/buildings, returning or destroying data, processing final payments, etc.).
- Applicable Laws and Regulations – If your organization must comply with particular laws or regulations regarding vendor/third-party management (there are MANY of them nowadays), you should ensure that your vendor management policy specifically references those laws/regulations. As you write (or re-write) your policy, take the time to ensure that the policy addresses all regulatory/legal requirements.
2) Focus on governance (vs procedure) – When writing your policy, it can be tempting to include process-related language in order to define how certain vendor risk management practices are performed at your organization. As a best practice, policy language should be high-level and should simply state the policy requirements for your vendor management program. Your program will likely also have a set of procedural documents, where you can spell out all the details of how certain activities are to be carried out.
3) Update other related policies – Your vendor management policy will likely have various touch points with other corporate policies. For example, many organizations that have a central procurement department maintain a separate Procurement Policy. Your organization should also maintain an Information Security Policy. Both of these, and others, will reference vendor relationships. As you update your vendor management policy, make sure to also update other related policies to ensure alignment across all corporate policies.
4) Obtain the appropriate feedback and approval – Policy should not be written in a vacuum. Make sure to run your vendor management policy by the stakeholders who play a large part in the functioning of your vendor management program. Take the time to obtain and incorporate the appropriate level of feedback to ensure multiple viewpoints are addressed.
Vendor management isn’t just what we do – it’s ALL we do. We’ve helped organizations of all sizes write (or update) their vendor management policies. If you need help, feel free to reach out to us! We’d be happy to provide advice and help improve how your organization manages vendor risks.