
How Mature Is Your Vendor Management Program?

Apr 30, 2019 by Gordon Rudd, CISSP

A topic we hear a lot at industry conferences and during webinars is the maturity of your vendor management program. What exactly does this mean? Let's go through that now...

What a Mature Vendor Management Program Looks Like

As someone who has seen everything from the most basic (or even non-existent) program to programs running like a well-oiled machine, here are 11 hallmarks of a well-managed, mature program:

  1. The program supports the organization’s strategic and business objectives.

  2. The program is well-documented with robust guidelines that conform to regulatory guidance and is up-to-date and approved by the board on an annual basis.

  3. The front-line managers, also known as “the first line of defense”, know what their role is and understand their vendor management responsibilities.

  4. The senior leadership is well versed in the performance of the vendor management program.

  5. The team is adequately staffed and highly qualified to do the job.

  6. Your organization is innovative, meaning you’re open to new ideas and changes, instead of constantly conforming to the same processes just because that’s how it was done in the past.

  7. The head of vendor management has periodic reporting responsibilities to the organization’s risk committee and the board.

  8. SLAs have been established and are actively monitored to verify that they are being met. 

  9. The 6 pillars of third party risk management are evident in all activity. The pillars include selecting a vendor, risk assessment, due diligence, contractual vendors, reporting and ongoing monitoring.

  10. There is a governance process for selecting a vendor and completing risk assessment work prior to signing a contract.

  11. Vendor management is not an afterthought.

If you find these elements in play in an organization, you know you’re looking at a well-managed and mature vendor management program – one that helps to protect the organization, its leadership and its customers.

We've also surveyed organizations of all sizes and types across the industry to find out where they stand on having a mature program. Download our State of Vendor Management 2019 for more.

Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.