When it comes to managing your organization’s vendors and other third parties (and the risks those companies present to your organization), paper forms, Excel and custom/home-grown databases just won’t cut it nowadays. You truly do need a software solution that is dedicated to third party risk management in order to make sure your vendor management program succeeds. But before you dive right in, take a step back and follow these best practice guidelines to ensure you select (and implement) your new vendor management system effectively.
1. Choose the right system
Before we touch on implementation best practices (which the remaining tips in this blog post address), you first need to make sure you select the right vendor management system. The market in this space used to be slim, but now there are a growing number of cloud-based systems that are dedicated to vendor and third-party risk management. Some systems may have lots of bells and whistles, while others may just cover the basics. Whichever system you choose, you need to make sure that it ultimately is capable of meeting the 7 essential elements of a vendor management system.
2. Define your operational processes
Having a system that meets all of your functional needs is, of course, a step in the right direction. But when it comes time to implement your system, you’ll need to answer questions like “Who approves that assessment?” or “Which risks trigger additional due diligence?”. Dedicate the proper amount of time on the front end to make sure that you define your vendor management process. This will allow you to document (or improve) your organization’s vendor management policies and procedures, but will also equip you with the necessary information to ensure that workflows and approvals are configured appropriately in your vendor management system.
3. Don’t tackle it all at once – Make a project plan and set priorities
Most of the big software providers in the vendor management space offer extremely robust systems. It’s impressive what modern systems are able to do, but sometimes it’s overwhelming to even imagine where to start when it comes time to configure and implement. You don’t want to end up with analysis paralysis, where you’re constantly iterating and tweaking the configuration plan before you even begin the implementation. Meet with your organization’s stakeholders (particularly those who will be impacted the greatest by your new vendor management system) and agree on what the most important near-term objectives are. From there, work with your software implementor to establish a prioritized implementation plan, configuring the most pressing functional needs first, and working towards lower priority needs later in the process (or even adding to a “future-state” roadmap).
4. Establish vendor and contract profiles
If you don’t yet have a vendor management system, take the time to determine which data fields you want to track for your vendors and contracts. Forming the appropriate “profiles” for vendors and contracts will allow you to easily report on data maintained in those profiles. On the other hand, if you already have an existing vendor management system (or maintain some type of vendor/contract profiles), use this as a time to reflect on whether or not ALL the fields you currently track are absolutely needed. It’s important to track enough data within a profile to make it meaningful, but it’s also possible to track too much data and overwhelm the users who are responsible for populate the profiles.
5. Prepare your data for import
Once you have defined the data fields that will make up your vendor and contract profiles, perform some level of “source to target” mapping. This process allows you to identify whether or not the data fields in your future-state profiles are already tracked in legacy systems, or if they are new fields that will need to be populated. Also, there’s a good chance that the format your data is currently maintained won’t align perfectly with the formatting requirements of your new vendor management system. Make sure to give yourself plenty of time on the front end to scrub/clean your data to ensure it is ready to go. This way, once you’ve configured your new system, you can simply upload/import your clean data and begin using and reporting on it!
6. Identify and collect documents
Along with data for your vendor/contract profiles, you’ll want to think about the types of documents that you currently maintain with those profiles. For example, a vendor profile may contain documents such as audited financial statements, SOC reports or insurance certificates. A contract profile may contain fully-executed agreements, but also amendments or exhibits associated with an agreement. With regard to the implementation process, what you want to focus on is identifying which documents you want to migrate to your new vendor management system, and also where those documents currently reside (i.e., paper copies in filing cabinets, PDFs on shared drives, etc.). It may take some time to hunt certain documents down, so it’s important to do this step up-front.
7. Define user roles, and identify users
Lastly, take an inventory of how many people within your organization will need access to your vendor management system. Not only will you need to create user accounts for all of your staff who require access, you’ll also need to ensure they have the appropriate level of permissions. Each vendor management system on the market is different, but the good products all offer some level of role-based access controls (RBAC). Taking the time early in the process to think through various levels of access permissions and collect basic user info (such as email addresses) means that, once your system is configured, you’ll simply be ready to roll it out.
Whether you need help documenting system functional requirements for a new vendor management system, creating policies/procedures/workflow for a vendor management program, or simply evaluating various software providers… Vendor Centric is here to help.
Author: Josh Angert
Job Title: Consulting Manager
Organization: Vendor Centric