A third-party management program (TPMP) is a valuable business function within any organization. As your TPMP grows and matures, you’ll soon realize that all sorts of data about your vendors will need to be captured, digested and reported on. From procurement to contracting to ongoing oversight, the TPMP needs to be able to effectively use reports to help make business decisions regarding your third-party relationships.
Here are four key reports your third-party management program could use to keep your senior staff informed, and to help show the value of a well-running TPMP.
1. Schedule of Vendors with Access to Nonpublic Information (NPI)
During the early stages of your relationship with a new vendor (or even when you are exploring the possibility of additional work with a vendor), it is important to understand what type of information your vendor will have access to, and what they will do with that information.
An up-front risk assessment process would usually be where this type of knowledge about your vendor relationship is gathered and centrally stored. Vendors would then be “tagged” to help the TPMP identify which vendors have access to NPI, and which do not. In the event of a data breach, or even just to keep your CISO or Enterprise Risk Management team aware of potential risks, running this type of report becomes an easy task.
2. Value of Contracts Approaching Expiration/Renewal
Knowing when your contracts are set to expire or renew is a critical component of third-party and contract management. However, contract expiration/renewal dates alone do not tell the whole story. Being able to tie a specific dollar value to each contract adds another layer of information that can help your TPMP and Executives make decisions when contracts are nearing the end of their term.
This is not to say that the larger the value of the contract, the more important the contract is to your organization. Contracts with larger dollar values may, however, require more resources to manage and negotiate, and that is the type of insight your Executive team would love to have.
3. Schedule of Vendors with Incidents
For your organization’s riskier and more strategic vendors, your TPMP should be tracking incidents that impact performance (e.g. system outage, data breach, late deliverable). As Business Owners oversee the day-to-day management of your vendor contracts, and especially when performing periodic performance reviews, it is valuable to know if and when incidents have occurred.
As work is being provided under your vendor contracts, this type of report can also keep your senior staff well-informed about the overall health of your vendor performance.
4. Risks Averted (and Savings Realized) by the TPMP
Running reports to help facilitate smooth operations is great, but you also want to be able to use reports to prove the value of your TPMP to Senior staff. One of the ways a mature third-party management program can help do this is by performing contract reviews, oftentimes for your organization’s more strategic vendors.
A contract review could help you identify if there are any gaps in your vendor agreements (i.e. are all of your organization’s required contractual provisions addressed in the vendor contract?). A contract review may also prompt an invoice audit, whereby your Business Owners (in coordination with the TPMP) ensure that the invoices provided by your vendors align with the contracted pricing and invoicing schedules. The results of your reviews and audits can be reported up to the appropriate stakeholders in your organization.
It should be noted that after an agreement has already been signed, updating terms & conditions may not be as easy a task as it would have been prior to execution. However, with proper negotiation and transparency, it’s worth the effort to identify contractual gaps.
The list of reports above is by no means exhaustive. There are all sorts of KPIs and reports that a third-party management office can use to help manage your organization’s vendor relationships. It will ultimately depend on where your TPMP sits within your organization, what type of system you are using to manage your vendors, and how many resources you have