8 Strategic Ways to Effectively Manage Vendors

Vendor risk management is a reality in our world today. Every organization on the planet is looking for better ways to strategically manage their business, and vendors are a strategic part of the organization’s production and delivery of products and services. 

Vendor risk management is all about taking your enterprise strategy, assessing all the risks and ensuring everyone in your organization and all of your vendors are all on the same page. With some of the following best practices in mind, hopefully you’ll have a better handle on your vendor risk management program at the enterprise level… and that’s the level where strategic decisions are made!

8 Best Practices for Strategically Managing Vendors

1. Choose vendors wisely.

Vendor selection is a key element in overall vendor risk management success, so make sure you understand what business need or requirement the vendor is going to fulfill. It’s surprising how many times a line of business will want to buy the latest “chrome whirly gig thing-a-ma-bobber” without finding out if the line of business already has something in place that can do the job and just hasn’t discovered it. It’s equally as frustrating for vendor management when little or no real vendor due diligence has been done despite requests from the business line.

2. Live by the six stages of vendor management.

The stages of vendor management exist for six great reasons! Scoping, inherent risk and criticality assessment, due diligence and residual risk determination, vendor selection and contract management, ongoing monitoring, and termination must have processes and procedures behind them before your organization will be operating vendor risk management at a strategic level.

3. Involve all three lines of defense.

Your internal audit team and your lines of business are all part of making enterprise class vendor risk management function at its absolute peak performance level. Get all three lines of business together and make sure there’s alignment around the vendor management key performance indicators (KPIs) you’re going to use.

Pro Tip: If you’re in a highly regulated industry, healthcare and finance spring to mind, or you’re publicly traded, you’ll also want to get your compliance team involved. Compliance and internal audit can be your best friends when you’re building a best-in-class vendor risk management program. 

4. Ensure your lines of business and your vendors are working well together.

It’s not enough for them to simply communicate regularly. Each line of business needs to be able to have a strong working relationship with your vendors. This is ensured by simply developing both the communication and relationship style you want your lines of business to have with your vendors. Setting an example of excellent communication is the ultimate best practice.

5. Business continuity management is more than just numbers.

Yes, you do want to make absolutely certain each critical or high-risk vendor has a business continuity plan that matches your organization’s maximum tolerable downtime (MTD), recovery point objective (RPO) and recovery time objective (RTO). Of course, you need to make sure that you vendor’s RTO is less than or equal to your organization’s RTO. Beyond checking those numbers, you need to get familiar with each of your critical and high-risk vendors business model. The more you understand their business model the better you can determine if that vendor is a good fit, great fit, or a vendor to be avoided.

6. Pinpoint the best internal vendor risk management structure.

This will look different for every organization. Whether or not you use a centralized vendor risk management model or a decentralized model matters! Centralized models are far easier to manage, and far easier to get the whole enterprise’s cooperation and support than decentralized models.

7. Always have a backup vendor.

There is an old military axiom that applies here, “Two is one; one is none.” For every critical and high-risk vendor, you have there should be another vendor waiting in the wings to take your primary vendor’s place. You could even go so far as to have a contract in place with your secondary vendor.

8. Don’t forget about penalties and interest.

Utilize the contracting process to build in penalties for non-performance. If you look at any contract closely, it has built-in penalties for certain types of default on the part of each party involved. Take the time to work out a penalty for non-performance.

Final Thoughts on Vendor Strategy   

Vendor risk management is an enterprise class program. It’s a program that functions optimally when centralized. It’s a program that requires KPIs, SLAs, terms and conditions as well as fall back positions. Make sure you have all three lines of defense as well as compliance engaged, then work your way through defining your KPIs, SLAs, terms and conditions and alternate vendors.

Last, organizations don’t solve problems. People solve problems. Take the time to get to know the people in your vendor’s organization. Your vendor’s people are the ones that will solve problems as they come up or go to bat for you when you need something extraordinary.

Vendor risk management programs typically consist of people who are all attempting to perform what they believe you want them to do, at the best of their abilities. Constant communication with the people in your organization and in your vendor’s organization will keep you in touch with the reality of any vendor’s performance and the success of your vendor risk management program.

This comprehensive checklist will guide you to successful vendor management. Download the checklist.