Target did nearly $70B in revenue in 2016 and had vendors operating in more than 50 countries. So it’s hard to believe that the retail giant only started its third-party risk management (TPRM) program in 2015! But as Sarah Fercho, Director of Vendor Risk Management at Target, shared at the 3rd Annual Third Party Risk Management Summit, that’s exactly when their TPRM program started.
Sarah noted that shortly after the program was formalized, it was determined that the best place to initially focus would be with Target’s highest risk vendors in both merchandising and non-merchandising. So in 2016, Sarah and her team risk rated their vendor relationships, identified those that were most important to Target’s operations and business continuity and started their efforts there.
And as they began rolling things out, they developed a set of five priorities for vendor management that served as the foundation for their efforts. They were simple yet substantive, and provided guidance on where to focus efforts across their portfolio of thousands of vendors. They are:
1. Knowing with whom they do business – that means collecting and centralizing important information about vendors such as profiles, contracts, spend and relationship owners.
2. Protecting Target’s interests with appropriate contracts/agreements – they use contractual standards and templates, and have clear roles and responsibilities for contract development, approval and authorization.
3. Conducting consistent onboarding – which lets the vendor management team set expectations and make sure every vendor knows how to do business with Target.
4. Monitoring the relationship throughout the vendor lifecycle – this requires a coordinated approach to managing the vendor relationship from cradle to grave. This begins during the sourcing and procurement stages, and continues through contracting, onboarding and continuous performance management and risk assessments.
5. Executing intentional off-boarding – this means that vendor relationships don’t just dissolve into nothingness. They are transitioned in a thoughtful, deliberate way. This ensures an effective transfer of knowledge and data, and coordinated closure of all contractual responsibilities and terms that were agreed upon.
The responsibility for adhering to these tenets doesn’t live in one place – it permeates the entire company. There are actually three lines of defense, which start with the business units (first line), move up through management and specialty departments like compliance and procurement (second line), and ultimately bubble up to committees of the board of directors (third line). Also, the highest risk vendors require an Executive Sponsor (VP) and a day-to-day relationship manager.
The recency of the formalization of Target’s third party risk management program is a reminder that the business discipline of vendor management is still emerging – even for a company with nearly $70B in revenue. But evolving regulations for managing third parties, and a continued increase in cybersecurity breaches, are driving more formalized adoption of vendor management in organizations of all sizes.
This blog is part of a series on vendor management best practices and insights shared at the 2018 Third Party Risk Management Summit. More than 150 vendor management professionals from some of the most leading-edge companies gathered to discuss this growing business discipline.