
Centralizing Vendor Management: What Does the Team Look Like?

Jun 30, 2020 by Gordon Rudd, CISSP

Organizations typically run their vendor management programs in one of three ways: centralized, decentralized, or a hybrid of the two. As organizations mature, they tend to move toward a centralized program, because that is where the efficiencies and consistency of a single set of standards and processes are realized.

Are you curious what many centralized vendor management teams look like? I’m here to break it down for you.

7 Key Players in a Centralized Vendor Management Program

Here are the key players that you’ll find involved in a centralized vendor management program:

1. The Vendor Management Team: A team, like the compliance office or third-party risk management department, oversees all vendor management activities. These include areas like the following:
  • Vendor Selection
  • Risk Assessments
  • Due Diligence
  • Contract Management
  • Reporting (to the board, your senior management team and your lines of business)
  • Ongoing Monitoring
  • Exit Strategy

While your lines of business focus on vendor performance management (service level agreements, key performance indicators (KPIs), business goals and new strategic initiatives), someone must watch over the entire vendor portfolio and all of the enterprise-wide processes and procedures that entails. That is the vendor management team. Its purpose is to set enterprise standards and create operational efficiencies in vendor management through a disciplined approach.

Behind every successful vendor management program are all three lines of defense: the business units (first line), the third-party risk department or compliance office acting as the independent risk function (second line), and internal audit (third line). Each line must be fully operational, with the three meshing like gears. They are covered in more detail throughout this overview, which shows how they are intertwined.

2. Compliance: Your compliance department is responsible for ensuring the organization meets or exceeds the regulatory requirements of your industry, and depending on the industry it will have very detailed requirements for each and every department. It is the vendor manager's or third-party risk manager's job to make sure the vendor management program meets those compliance standards, and to be an active part of the process when the compliance team audits the department, so that the organization demonstrably meets all applicable legal and regulatory requirements. For the purposes of this overview, I treat compliance as part of the internal audit line of defense.

3. Internal Audit: This is the third of the three lines of defense, and your organization should be using it to confirm that risks are being mitigated and that all appropriate controls are in place and fully operational. It may sound odd to say out loud, but internal audit should be your best friend: they are the ones who can help you keep everything on track and in accordance with your vendor management policy and program.

4. The Business Unit: The business unit, also referred to as the first line of defense, is in the trenches, working with the vendor every day. The person within the business unit who works directly with the vendor is often called the "vendor owner". This person should be taking part in the following:
  • Noting the vendor’s performance
  • Documenting any vendor issues or concerns
  • Assisting with gathering the required due diligence

The business unit should work closely with the vendor management team (the first key player above) to ensure all seven areas of vendor management listed under that team are being addressed. The business unit is the touch point between the vendor and your organization; therefore, it must be part of the vendor management process.

5. Subject Matter Experts (SMEs): Although the vendor management team oversees a centralized program, it still relies on SMEs to do some of the heavy lifting. The SMEs review due diligence such as financial statements and SOC reports and thoroughly document their findings in an expert analysis.

6. The Board: Setting the tone from the top, the board carries ultimate responsibility for the management of the business, and it can and often does ask the hard questions. The board of directors has a fiduciary responsibility to the organization and, if it is publicly traded, to its shareholders, so it should be aware of vendor management activities. To support this, the vendor management team reports the information the board needs to know about third parties at regular meetings.

7. External Audit & Examiners: Although more of a call-out than a member of the program, external auditors and examiners play a big part in it. They have a lot of leeway in what they scrutinize and how they report their findings. While you should see consistent application of rules and regulations from your internal audit and compliance teams, the same may not be true when external auditors and examiners review your vendor management program. The inconsistency is largely because, in most cases, you will see the same audit or exam team no more than twice in a row before a new team takes over, and each team places its emphasis differently. This is partly by design and partly a result of exam policies and procedures, and it keeps you on your toes. As a best practice, learn from these changes and incorporate the critical feedback into your centralized program; expect the program to evolve over time because of their requests.

Understanding the Size and Volume of Centralized Vendor Management Programs

When it comes to centralizing vendor management, the size of the organization and the number of vendors (the volume of work) are critically important. Here's why:

In a small organization, it is relatively easy to communicate, to get organized and to stay organized. As the organization grows, or the number of vendors increases, it takes more time to complete all the tasks your vendor management program requires, and the harder it becomes to get everyone on the same page and keep them there. That is why people tend to migrate to a centralized program.

Size and volume are often misunderstood. The larger an organization becomes, the more money it saves from the efficiencies inherent in a centralized vendor management program, and the more vendors it has, the more the cost-benefit analysis favors the centralized operating model. That is why many mid-sized to large organizations operate either a centralized program or a hybrid that incorporates aspects of both the centralized and decentralized models.

How Vendor Management Platforms Help More Centralized Teams

To properly manage a centralized vendor management program, many teams rely on a vendor management platform. Today's organizations have vendor lists ranging from hundreds to thousands of third parties, and it is not economically feasible to manage that many without a system to house all the information the program generates. Spreadsheets and shared filing systems will fail you at some point, because they are inefficient and time-consuming to maintain. The larger the organization and the more vendors it has, the stronger the case for a platform, since managing vendors without one becomes very cumbersome.

A centralized vendor management program creates efficiencies and consistent processes that a decentralized program cannot match. If your program is not centralized today, start planning your next steps and take the time to deploy a more centralized operating model at your organization. It will set your team up for future vendor management successes.


Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.
