
How a Vendor Management System Works and Why You Need It

Jul 16, 2019 by Gordon Rudd, CISSP

Dunbar’s Number says that the number of people you can maintain stable relationships with tops out at 150 people. It should be easy to keep up with 150 friends, relatives, coworkers and acquaintances. Right?

If you have five friends, you have 10 bilateral relationships; scale up to 50 friends and you have 1,225 bilateral relationships. If you have the max number of friends Dunbar’s number postulates you can keep successfully, you will have about 3,675 bilateral relationships.

Think about this from a vendor management perspective too – third, fourth and, yes, even fifth parties – and now you’re getting the picture.

Dunbar’s Number is the foundation for today’s social networking. Facebook, LinkedIn and virtually all online social networks, even technologies, utilize Dunbar’s Number in one way or another. Even Blockchain has roots in Dunbar’s Number.

What Does This Have to Do with Vendor Management?

A single third party vendor will typically have the following people working the deal:

  1. Sales Rep
  2. Account or Relationship Manager
  3. Business Development Individual (possibly)
  4. A few from IT/Technical Support
  5. Project manager (and they’ll likely come and go as projects run through their lifecycle)
  6. And finally, of course, the ever-present member of the vendor’s management team who is always there when you need someone to escalate an unresolvable issue to

Let’s say there will be at least five people for every third party vendor. Even if one person is supposed to be the Single Point of Contact (SPOC) for that vendor, there will be several people associated with every vendor. Remember, the average small to medium-sized organization has 245 vendors, give or take a few. That’s a lot of vendor and individual relationships to know and manage.

Spreadsheets Won’t Cut It as a Vendor Risk Management System: Here’s Why

Regulators, examiners, auditors and sound business practices all dictate the establishment and ongoing development of a functional vendor management or third party risk program. They expect the process you establish to be sound and efficient. Here’s why spreadsheets should not be used.

  1. Difficult to Manage: Attempting to establish or operate a vendor management program using spreadsheets is an exercise in futility. You may get one spreadsheet filled out one time. However, the reality of the heroic effort it’s going to take to keep that spreadsheet up-to-date hits you in the gut so hard you have trouble maintaining consciousness.

    Spreadsheets, small database programs like Microsoft’s Access and other so-called solutions DO NOT WORK. I’ve been there. Done that. Got the T-shirt. Again, these solutions can’t be sustained over a long period of time.

    Every time I let management talk me into going down the spreadsheet path, it ended horribly. The effort it takes to keep those solutions current will burn you out faster than the effigy of the burning man dissolves into ashes every year.

  2. Too Many Relationships Need to Be Monitored…Constantly: Think about it this way. When you get to 30 vendors, with an average of five people on the vendor’s team, you’re at Dunbar’s magic number of 150. What happens if your organization has multiple contracts with your core system provider? The number of vendors stays static while the number of products and services probably goes up. Every contract will, more than likely, have five people associated with it, and oftentimes you will utilize a vendor for more than one product or service. Each product/service you’ve contracted must be assessed as part of ongoing monitoring.

  3. It Makes Document Storage Too Complex: We have the added dimension of the contract. First, we must store those documents somewhere. Someone using the spreadsheet solution will probably try to use a shared drive or Microsoft’s SharePoint for document storage. If you go down this path, you will have access control issues. By that I mean you will likely have to limit access to just yourself, in which case you become the single point of failure and the bottleneck everyone has to pass through to gain access to vendor management documents. Yes, you can grant access to “certain other individuals” to ease your burden and open the funnel a little wider, but you have to be cautious with access.

    With this method, unfortunately, documents begin to disappear. Documents get misfiled, moved, accidentally deleted and overwritten. Again, this is an idea that is doomed to failure, and you’ll be able to measure the time from the inception of the vendor management program to its abject failure in months, not years.

  4. Difficulty Tracking Significant Dates: Oh, but there’s more! How do you keep track of all the dates that you are responsible for on all those contracts? How are you going to keep from missing critical dates? You won’t. You’ll definitely miss a few. Unfortunately, it’s inevitable. Contracts have, at a minimum, start dates, end dates, renewal notice time periods, problem resolution timelines and termination timelines to keep track of.

To give you a real-world example, I’ve had a former boss drop by and ask where we were on a real estate lease with the world’s largest retailer. I had to ask, “What space and what contract?” I had never seen the aforementioned location or the agreement. I then discovered that the space this contract secured for our organization was the owner’s personal pride and joy! A literal family jewel. And, I didn’t have a copy of the contract.

When I found the contract, tucked away in one of the other corporate officers’ file cabinets, I read the agreement carefully and found we had 45 days to notify the landlord of our intent to renew the lease. Missing contract dates gets ugly and very expensive fast.
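The date-tracking problem described in point 4 and the lease example above come down to one computation: the last day on which notice can still be given, and when to alert before it. The following is an added example, not code from the original post or from Venminder; the contract records, the 45-day lease window and the alert schedule are constructed and assumed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Contract:
    vendor: str
    product: str
    start: date
    end: date
    notice_days: int   # days before `end` by which renewal/termination notice is due
    auto_renews: bool  # True if missing the notice deadline silently renews the term

# Constructed sample records (not real vendor data). The first mirrors the lease
# example: a 45-day notice window before the end date. The second and third show
# one vendor with two products, each with its own dates.
CONTRACTS = [
    Contract("Landlord (constructed)", "Office lease", date(2014, 7, 1), date(2019, 8, 31), 45, True),
    Contract("Core provider (constructed)", "Online banking", date(2017, 1, 1), date(2019, 12, 31), 90, True),
    Contract("Core provider (constructed)", "Item processing", date(2018, 3, 1), date(2020, 3, 1), 90, False),
]

# Assumed alert schedule: days before the notice deadline at which to notify.
# A VMS notification engine would let you pick these per contract.
LEAD_TIMES = (90, 60, 30, 14, 0)

def notice_deadline(c: Contract) -> date:
    """Last day on which notice can still be given for this contract."""
    return c.end - timedelta(days=c.notice_days)

def classify(c: Contract, today_iso: str) -> str:
    """Status of the contract's notice window as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    deadline = notice_deadline(c)
    if today > c.end:
        return "expired"
    if today > deadline:
        return "missed notice (auto-renewed)" if c.auto_renews else "missed notice"
    if today == deadline:
        return "deadline today"
    return "open"

def alerts_due(contracts, today_iso: str):
    """(vendor, product, deadline ISO, days_left) for every contract whose deadline is
    exactly a lead time away, plus any that already slipped past its deadline but
    has not yet expired (a missed window is the case most worth shouting about)."""
    today = date.fromisoformat(today_iso)
    due = []
    for c in contracts:
        days_left = (notice_deadline(c) - today).days
        if days_left in LEAD_TIMES or (days_left < 0 and today <= c.end):
            due.append((c.vendor, c.product, notice_deadline(c).isoformat(), days_left))
    return due
```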

Starting to See the Picture? Is It a Pretty Bleak Picture?

Let me bottom-line it for you. Vendor management is a basic organizational function every soundly managed business needs to have fully operational. Third party risk management is a step or two up from basic vendor management. Vendor management doesn’t function without a system. If you don’t have a solid platform for vendor management, you’re going to fail.

Having very difficult conversations with management about funding for the resources necessary to operationalize a vendor management program is easier than making yourself available to the industry. Not having a vendor management platform is a career-limiting move.

How Does a Vendor Management System Work?

Now that we’ve covered why you need a vendor management system, let’s discuss how one even works.

The first rule of thumb is to never have multiple systems for vendor management. The bottom line is simple: your vendor management system (VMS) needs to be able to handle all of your organization’s vendor management and third party risk management requirements. Period. End of story. There’s too much riding on any platform that is tracking your third and fourth parties.

6 Recommended High-Level VMS Components

There are six components I recommend looking for:

  • It should provide contract storage, due diligence documentation storage, the ability to create and manage risk assessments in any manner your organization chooses, the ability to set up notifications on timelines of your choosing, and it should be the sole platform for managing all your vendor management regulatory requirements.

  • Your VMS company must be transparently honest. It pains me to have to make this point. In this life, you either have character or you are a character. Sometimes it’s hard to find a company that has character. When you choose a VMS, choose one that has people with character standing behind their product.

  • Your VMS must have excellent customer setup and support. If you have a question (and you will), someone must be there to help you solve the problem.

  • Your VMS should be easy to learn and extremely intuitive to use. A solid VMS will always be complex internally, but that’s not something you want to see. You don’t want something that’s going to be a beast to use.

  • A VMS that is a SaaS (software as a service) platform for your organization, that is, one that is cloud-based. Cloud-based platforms give you flexibility, business continuity and disaster recovery capability, all of which your organization should require.

  • A VMS that is capable of handling an unlimited number of contracts as well as tracking any number of dates for each contract. It should also offer access-controlled document storage.

10 Must-Haves in a Vendor Risk Management System

In addition, any VMS worth its salt should be able to perform all of the must-have features below.

  1. Ease of use
  2. Admin/setup/configuration for your use
  3. Flexible capacity limits
  4. Storage and retrieval of contracts and other documentation
  5. A vendor portal for questionnaires
  6. Parent/child relationship management for a vendor’s products
  7. Product tracking
  8. Fourth party tracking
  9. An extensive and flexible notification engine
  10. Flexible risk management functionality

A vendor management system not only helps create efficiency across your organization but also protects your organization from risk and unnecessary expenses due to failure to properly monitor vendors.

Vendor management may seem like a large investment, but there's a huge ROI. Download the eBook.


Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.
