3 Rules for Your Vendor Repository

As a small business owner or employee at a large organization, you likely work with vendors in some capacity. And whether you manage a small network of partners or a complex web of third parties, it’s important to maintain a central repository of your vendors. Think of it like a “Who’s who” of third-party risk management. Here we explore the top three “must-haves” when building third-party relationships and how Onspring can make that process much easier.

For the last few weeks, I’ve been working with a client that’s building additional structure and rigor into their vendor risk management program. They have all the pieces: a formal vendor policy, established relationship owners, regular risk assessments and due diligence reviews, and a detailed contract management process. However, they lack a connected view of all these moving parts, so my colleague Jason and I have teamed up to help them bring all the pieces together into a smart and scalable solution.

This certainly isn’t our first rodeo. Over the years, the Onspring team has delivered vendor management solutions for organizations of all shapes and sizes, from small nonprofits to large financial services firms. We’ve learned a few things about building solutions that go the distance, and I’m happy to share some of those lessons with you today.

So here you have it…3 Rules for Your Vendor Repository:

1) Have a Vendor Repository

OK, I know this sounds like snark, but I mean it earnestly. It’s not unusual for organizations to have healthy, active vendor relationships but no consolidated repository of vendor data. The information probably exists, but it may be scattered across multiple functions or owners.

As the organization scales or implements tighter risk management processes around vendor relationships, the lack of centralized vendor data can start to hurt.

“Is this vendor still active?” “We’ll have to contact Accounting.”

“Does this vendor meet our InfoSec standards?” “Let me dig through my files.”

“Where’s our evidence of due diligence?” “I know it’s here somewhere…”

The process of building and maintaining an accurate vendor repository may be onerous, but living without it (in the long term) can be debilitating. In order to monitor vendors and ensure they consistently meet your organizational standards, you need a centralized, searchable view.

Some of the details you should capture in your vendor repository:

  • Legal entity name and any trade names

  • Internal relationship owner

  • Vendor contacts (including name, email and phone)

  • Description of products or services provided

  • Contract details (effective date, expiration date, review status and any special terms)

  • Associated risk assessments, performance evaluations or due diligence reviews

2) Make It Accessible to Relationship Owners

You may be in a situation where vendor details are scattered among relationship owners with no cohesive view. Or you may have the exact opposite problem: A central vendor repository that relationship owners can’t access! This can lead to significant challenges with accuracy. When relationship owners don’t have a clear picture of the vendors for which they are responsible, they may:

  • Maintain their own offline records. Vendor relationship owners need information at their fingertips, including contact details, contract status, and any special requirements based on the vendor’s criticality or risk rating. If relationship owners can’t access this information on-demand in your vendor repository, they’ll collect and store the information in their own files out of necessity. At best, this leads to duplication. At worst, it can lead to outdated or inaccurate data in your vendor repository. It’s crucial to have a “single source of truth” when it comes to vendor data. Granting relationship owners access to the information they need—in real time—is a necessity.

  • Make decisions without the details. One of the greatest advantages of a vendor repository is that it gives you a historical basis for future actions. How do you determine whether to renew a vendor contract if you don’t know how that vendor has performed in the past? Relationship owners may not have complete knowledge of a vendor’s performance, particularly if they are new to the job. But when they have access to historical data in your vendor repository, they are equipped to make sound choices.

3) Keep It Fresh with Regular Feedback and Due Diligence

OK, you have a central vendor repository, and your relationship owners have access to the information they need. Now, the secret sauce comes with engaging those owners to keep your vendor repository alive. This is where the real value lives.

By capturing ongoing risk assessments, due diligence reviews and satisfaction surveys in your vendor repository, you can keep your finger on the pulse of your vendor relationships. You can regularly assess the health of those relationships and make changes (as needed) to improve quality and protect your organization from undue third-party exposure.

And…this is important…you’ll never again find yourself in the position of cobbling together your vendor repository from scratch. You may have some holes to plug here and there, but over time, your vendor repository will fill out into a rich source of intelligence for your business.

About the author

Sarah Nord
Director at Onspring
10 years GRC experience