
Vendor Management vs. Enterprise Risk Management vs. Third Party Risk Management vs. Supplier Relationship Management

Apr 10, 2019 by Gordon Rudd, CISSP

Could it get any more confusing? Ever wonder, “What am I really supposed to be doing?” Vendor management (VM), enterprise risk management (ERM), third party risk management (TPRM), vendor risk management (VRM) or supplier relationship management (SRM)? They don’t all mean the same thing.

Who knew this could be so complex? Let’s see if we can shed some light on the problem of identifying exactly what you need to be doing and offer a few tips and tricks on how to do it without losing your mind. 

From the outside looking in, they can certainly all look the same. The first thing we should understand is that there isn’t one pure answer. VM, ERM, TPRM, VRM and SRM programs all borrow components from one another. They not only share common elements; the curators of each discipline also tend to have a broad definition of what that discipline really does for the business.

Let’s review the 5 program types:

1. Vendor Management

Vendor Management is an operations strategy that allows organizations to accomplish the following:

  • Control costs
  • Drive service excellence
  • Mitigate risks to gain increased value from their vendors

Research shows that simply implementing a vendor management program where there was none before can add 2.5% to the bottom line. It takes some effort and you must monitor all your vendors from start to finish in what is referred to as the “deal lifecycle”. 

VM is another way of saying you must have all the processes and procedures in place to take the needs of any one business unit, generate a requirements document, secure competitive bids for the product or service and select the best fit for your organization. Then, once you’ve done that, you must monitor the vendor to make sure they perform according to the terms and conditions in the contract.

2. Enterprise Risk Management (ERM)

Enterprise risk management takes into consideration all the varying areas of risk present at an organization. The risks are comprised of areas like compliance, credit, operational, reputational and more. Yes, even vendor risk.

ERM helps with facilitating the following:

  • Creating risk policy standards
  • Determining the organization’s risk appetite – basically a fancy way of saying define a material loss
  • Evaluating all elements of risk – not just focusing solely on vendor/third party risk

3. Vendor Risk Management

Vendor risk management adds the element of risk to the VM process. For VRM to work optimally, the organization needs to have an ERM program in place. The ERM will generate a risk appetite statement that the VRM team can utilize.

VRM’s purpose is to ensure that using a vendor does not create the following:

  • An unacceptable risk of potential business disruption
  • A negative impact on business performance in any way

VRM will use risk assessments to identify and quantify potential risks associated with the use of every vendor. That risk for the one vendor is then “rolled up” into a total risk profile for the enterprise.

4. Third Party Risk Management

Third party risk management is the process of analyzing and controlling risks presented to your organization, data, operations and finances by parties other than your own organization. TPRM looks beyond the risk assessment and into the control of risks to many facets of your business.

TPRM adds the following elements:

  • Protecting your organization’s and your customers’ data
  • Assessing the financial impact of a vendor failure
  • Forecasting the effect that a third party vendor’s failure would have on operations

From there, you develop contingency plans for every vendor and, hopefully, avoid any disruption to your business, prevent negative impact on your reputation and of course protect your financials.

To function optimally, TPRM requires a great deal of expertise, industry knowledge and knowledge of your organization. It also requires a coordinated effort from the entire organization; therefore, the lines of business, aka the business units, and the board must participate in the adventure that is TPRM today.

5. Supplier Relationship Management

Supplier relationship management is the discipline of strategically planning for, and managing, all interactions with third party organizations that supply goods or services to your organization to maximize the value of every supplier/vendor interaction. SRM is enterprise-wide and seeks to establish processes and procedures to assess the strategic value of every supplier. It looks at every supplier’s assets and capabilities then compares that with your organization’s overall business strategy.

It’s fair to say SRM is a strategic approach to vendor management. SRM is a lot like customer relationship management (CRM). In fact, SRM is often referred to as CRM, only with suppliers/vendors.

SRM is performed to do the following 2 things:

  • Maximize every supplier interaction
  • Create true partnerships – though not in the legal sense of the word – with suppliers that will maximize your organization’s interaction with every supplier, every time

When we look at all the various forms that vendor management can take, we see that they tend to build off one another and add more complexity as you move along the continuum from vendor management to supply chain management. Each has elements of all the other models and delivers added value to the organization in the form of an improved bottom line.


Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.
