
How to Prioritize Vendor Management Tasks

Sep 24, 2019 by Gordon Rudd, CISSP

All too often it's hard to find a place to begin any new project. Prioritizing tasks can be challenging when all seem incredibly important. So, let’s consider this common situation that most of us have or will experience. You’ve been tasked with starting, revamping, forklift upgrading or improving your organization’s vendor management program. That can be a daunting situation to find yourself in on a good day. On a bad day, something like this could cause you to rethink your career choice.

Take heart! There’s an easy way to find a place to start and then work your way through a process that will get you and your organization exactly where you need to be.

9 Tips on How to Prioritize Vendor Management Tasks

Let’s walk through the following nine tips, in the order you should do them:

  1. Get a list of vendors from your accounts payable system. This is going to be an exploration into all the vendors that your accounts payable system has paid any dollar amount to over the last two years. The list may be long and distinguished, but it’s a great starting point.

  2. Prune the list. Hopefully your organization’s accounts payable system will allow you to export the data into a spreadsheet. This may be the one and only time I tell anyone “it’s ok to use a spreadsheet”. Once you have the information, sort through the list and eliminate the items that are not vendors. There will be quite a few. For example, if your organization has multiple branches in different locations, it’s likely each branch is giving back to their local community. Maybe they’ve donated $100 to the high school football team. The donation will be captured in the accounts payable system and should be removed from the vendor list. Once you prune the list, you’ll be left with your preliminary vendor list.

  3. Socialize the list. Once you have your preliminary list, share the list with your senior management team and the heads of your lines of business so everyone is on the same page. They will help you refine the list further.

  4. Select a platform. Look into platforms to use for vendor management. Avoid the false trail of spreadsheets and shared file systems. If you start down the road of using Excel spreadsheets and a shared file system, you will crash and burn. I’ve seen well over 100 vendor management programs start from the ground up and it isn’t a question of if you will crash, just a matter of when it will happen.

  5. Collect copies of all contracts. Use your vetted vendor list to do this. Hopefully by this point you have a platform to enter them into so that they’re all in a single repository.

  6. Decide who your critical vendors are. This is a fairly easy thing to do. Just ask these simple questions. If the answer to any one of these questions is, “Yes!” the vendor is a critical vendor for your organization.
    • Would a sudden disappearance of this vendor - due to insolvency or a sudden termination - cause a material disruption to the business?
    • Would the disruption have an impact on your customers?
    • Would the time to recover from the disappearance be outside of your organization’s recovery time objective (RTO) or recovery point objective (RPO)? Your RTO, RPO and MTD (maximum tolerable downtime) can be found in the business impact analysis inside the business continuity plan.

  7. Socialize your list of critical vendors. Share your reasoning for these vendors being considered critical. Again, give all the stakeholders an opportunity to review and suggest changes.

  8. Read and enter the contract information into your platform. You will have to read every contract for every critical vendor. AND…I say it that way for a reason. You will invariably find you have more than one contract for a particular vendor. Each contract is a separate document you need to track. Make sure you enter these six elements regarding every single contract:
    • Start date
    • Termination date
    • Expiration notice date
    • Business line contact
    • Primary vendor contact
    • Due diligence review date

  9. Enter all the due diligence. Do this for every critical vendor. You will need to make sure you have all the necessary due diligence documents and ensure they are current. Due diligence tends to include things like:
    • Financials
    • SOC report
    • Business continuity plan
    • Disaster recovery plan
    • Information security assessment
    • Vendor risk assessment

Even when you prioritize properly, at this point, I think you can see why having a platform for vendor management and NOT using spreadsheets and shared file locations is a must. Every day we talk to businesses that are using spreadsheets and shared file locations whose vendor management efforts are failing.

Even though you may get pressure to start with spreadsheets and a shared file location, you need to keep asking for a platform. For all intents and purposes, spreadsheets and shared file locations are just not practical. You just can’t track all the dates and documents for every vendor properly.

Simply put, a platform ensures less room for error and makes your life easier.


Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.
