Improving Vendor Relationship Management
Defining Your Vendor Management Policy
More than likely, you have a process for managing vendor relationships and your vendor policy. You may even have a sophisticated vendor management process with a centralized vendor repository, risk assessments, due diligence, contract review, careful onboarding, and ongoing monitoring. But how many of your employees know the process? And more importantly, how many of them understand how they fit in?
This is where a vendor management policy is so important. You see, vendor relationships are wide-reaching and touch many parts of the organization, from the department that “owns” the relationship to oversight functions like risk management, compliance, legal, security, procurement, and more. An effective vendor management program involves lots and lots of communication (to put it mildly!), and that communication can get out of hand if employees don’t understand the sequence of events. (If you’ve ever been pinged by a business owner 20 times about the status of a vendor contract or risk assessment, I’m sure you get it.)
But beyond communication headaches, a vendor management policy helps to ensure that your standards and processes are carried out correctly. In other words, if people don’t know what’s expected of them, you shouldn’t expect them to follow the rules, which can lead to harmful consequences. BitSight states it bluntly:
“The truth is, if you don’t have a vendor management policy in place today, your company is being negligent. Unfortunately, not having a policy in place means that there’s a good chance your organization’s sensitive data may be handled by someone who shouldn’t have access to it. And this puts the health of your entire company on the line.”
So what should a vendor management policy contain? Here are a few ideas:
Policy Scope
Your vendor policy should define requirements for third parties in the following areas (at minimum):
- Human resources security
- Physical and environmental security
- Network and system security
- Data security
- Access control
- IT acquisition and maintenance
- Vendor management (i.e., how your vendors manage their vendors)
- Incident management
- Business continuity/disaster recovery
- Compliance
Risk Scoring Criteria
If you’re going to assess vendor risk, it’s crucial to define your scoring methodology within your policy and communicate it to all vendor relationship owners. Organizations commonly separate vendors into three risk tiers: high, medium, and low. There is no standard definition for these risk tiers, but when determining what’s right for your organization, keep these factors in mind:
- Criticality of the vendor’s services in delivering your own products and services
- Access to personally identifiable information (PII) for employees or customers
- Access to non-public information (financials, strategic plans, intellectual property, etc.)
- Level of spend and length of engagement
- Any personal relationships between your organization and the vendor that may warrant a higher level of diligence
Procedures and Process Flows
In addition to your vendor policy, employees will benefit from step-by-step guidance on how they should manage vendor relationships. Consider all parties that need to be involved: relationship owners, executive sponsors, legal, compliance, procurement, IT, and other functions, along with the vendor itself.
If your procedures are complex, a visual process flow can help people understand where they fit into the process and who is responsible for completing various tasks. Here’s a simplistic example:
As with all policies, it’s wise to track employee awareness and acceptance on a periodic basis. Also, be sure that your vendor management policy is accessible to employees at all times. When questions arise, “Consult the policy!”
About the author
Sarah Nord
Director at Onspring
10 years GRC experience