Regardless of whether you are trying to establish a new Vendor Management Program (VMP), or mature an existing one, you may be asking yourself questions like “what is the best structure for a VMP,” “is there simply a ‘blueprint’ we can use” or “what system should we implement to manage our third-party relationships?” Questions like these are common, and they are important to ask. While there isn’t a “one-size-fits-all” VMP, there are some key foundational elements that should be incorporated into vendor management programs of any size.
As a helpful analogy, think of the construction of a new home. Before you begin making any decisions regarding the style of the doors or the color of the carpet, you need to make sure that the foundation of your home is safe and sound. The same goes for a Vendor Management Program. Before you begin identifying what fields should be included on procurement forms or what the approval workflow should be for risk reviews, you need to make sure these six foundational components are in order:
- Governance – The team needs a leader! Having proper governance of your program provides vision, direction and accountability for the vendor management function. Governance is not only about making sure that someone owns the VMP; it’s also about incorporating the correct stakeholders. For example, your organization’s governance structure may include a Vendor Management Committee that your Vendor Management Office (VMO) reports to.
- People, Skills and Training – Without the correct stakeholders, the job can’t get done. Ensure that you have the right level of vendor management resources, subject matter expertise and stakeholder knowledge. As an example, if through your vendor due diligence process you collect third-party documentation, such as a SOC 2 Type 2 report, you need to make sure someone on your team has the appropriate expertise to review such a report.
- Policies and Standards – This is where things start to come together. Your Third-Party Management policies & standards establish the scope and guidelines for the program, and define key roles & responsibilities. For example, with regard to “scope,” your policy should identify if there are any specific types of third-party relationships that may not follow your standard vendor management policies (e.g. when paying state/local taxes, you would not consider your state’s Office of the Comptroller an “in-scope” vendor).
- Operating Procedures – Make sure that your staff understand what needs to be done on a day-to-day basis in order to execute the program. Your procedures should define everything from what form to use when selecting new vendors to who approves due diligence reviews to what your ongoing third-party monitoring process entails. Think of these as your step-by-step guide for making sure the vendor management program functions properly.
- Third-Party Profiles – Organization is the key here. Before figuring out exactly what system you may need, the most important thing is to identify what specific data points you will require for your third-party profiles, and what documents you’ll need to collect and store for each third party.
- Vendor Management Systems – Systems that can be used to manage your third-party vendor relationships are available in varying levels of capability, complexity and price in today’s marketplace. While the exact system you select will depend on a number of requirements, the foundational components you should consider include the system’s ability to 1) centralize information, 2) facilitate automated workflows, 3) provide robust reporting and 4) ensure an audit trail of activities. (At Vendor Centric, we work with software partners to provide best-in-class solutions to our clients – check out our software and data intelligence tools).
If you need help establishing a new VMP, maturing an existing program (or even something in between), just let us know! We’ve helped organizations of all sizes design and implement right-sized vendor management programs so they can manage their third parties with confidence!