
How Vendor Management Affects Each Department in Your Organization

Feb 18, 2020 by Gordon Rudd, CISSP

Vendor management (VM) is indeed a team sport. At this point in my career, I can assure you of that, because it takes every department, every line of business, the senior management team and the board of directors to create a fully functional vendor management program.

Make no mistake, vendor management is an enterprise-class operation. That’s why the average return on investment (ROI) you can expect when your organization moves from an ad hoc form of vendor management, with each line of business doing its own version of vendor management, to a more organized and controlled enterprise-focused program is a 2.5% increase in the bottom line.

That single fact should be enough for any organization to say, “Let’s get started,” by involving its departments and making it known why and how vendor management affects each one.

Over the years, I have started or helped start dozens of vendor management programs and have helped to adjust countless others. I can’t tell you how many times I’ve heard a department head say something like, “I never knew managing our vendors could be so easy.” I’ve also heard, “I’ve never had a vendor management team to help me with the vendor selection process.” Often, these departments don’t accurately understand where they fit into the overall process.

When you think of vendor management, do you really appreciate that it’s a team sport? Just like football, baseball, soccer or your sport of choice, vendor management is a team effort, and everyone in the organization has a spot on the team that they should be informed of.

Outsourcing a Product or Service to a Vendor Is a Team Effort

Let me break it down for you with a specific example. The compliance department decides that a new Bank Secrecy Act/anti-money laundering (BSA/AML) software platform is needed to better track, detect and prevent money laundering. In many cases, unless you have an active vendor management team, the BSA officer is on their own and will have to go through the vendor selection process alone. But why? That process simply doesn’t make much sense and isn’t efficient.

In this scenario, and in every scenario where a new product or service is outsourced, the BSA officer needs a concrete process to follow and procedures to guide them. In case this isn’t crystal clear right away, vendor management probably isn’t in the BSA officer’s wheelhouse. There are a lot of people who need to be involved in this example, and I want to share with you exactly why.

The approach we’re about to cover is the same across the organization. If your marketing team needs a new customer relationship management system, the same effort would take place. Everyone is involved.

Team Cooperation Across Departments Necessary for Third-Party Risk

Now, the decision is made, and the compliance department needs to outsource a new BSA/AML platform. With a functioning vendor management program that has made it known across the organization that everyone has a part in vendor management, the first call the BSA officer would make is to the vendor management team. The BSA officer would simply inform the vendor management team that the decision has been made and that the organization now needs a new BSA/AML platform. The vendor management team will immediately initiate a set of formalized processes and procedures that have already been developed and walk through the steps to give the organization the best chance of obtaining the best BSA/AML platform for the money, one that fits the organization.

The vendor management team will have a defined vendor selection process that the board has approved and that senior management is holding everyone in the organization accountable for following. The board and senior management oversee the process.

Although the vendor management team is heavily involved in the vendor review and selection process, these processes put the BSA officer and their team front and center.

9 Potential Steps for the Vendor Selection Process

The vendor management team does the heavy lifting associated with some version of the following steps:

  1. Define the BSA/AML requirements for the new platform
  2. Review the market for products that have the features and functions to meet the BSA team’s requirements
  3. Establish a list of potential vendors
  4. Set up webinars and product demos for the BSA/AML team (Callout: This means the team in need of the product or service attends the product demo and is fully aware of, and part of, the decision-making process)
  5. Check the features and functions on the BSA/AML team’s requirements list against the potential vendors and narrow the field
  6. Begin vetting the short list of vendors, including running a BSA/AML OFAC check (seems self-evident, doesn’t it?)
  7. Work with the BSA/AML team to develop their vendor short list
  8. Begin the negotiation process with the vendors on the short list, with the goal of finding the two or three top choices for the organization
  9. Work with the BSA/AML team and the senior management team in negotiating the final contract

So, what just happened here? As you can see, many departments have become involved in the vendor management process. You’re involving the business unit and department that needs the product or service, your vendor management team is overseeing the project and ensuring compliance, senior management is kept informed and the board has approved the process.

After the appropriate vendor has been selected, the vendor management team will make sure all seven pillars of vendor management have been accounted for: selecting the vendor, risk assessment, due diligence, contracting, reporting to the BSA/AML team, senior management and the board, ongoing monitoring with the BSA/AML team and, finally, keeping an eye on the organization’s exit strategy.

Examples of Why Team Involvement in Vendor Management Is Necessary

Let’s take another, slightly different look at this situation. Do you think it’s the best use of the BSA officer’s time to perform the ongoing monitoring and annual risk assessment of the vendor? Probably not.

This person is going to be focused on being the best at BSA/AML. Just as your marketing team is going to be focused on being the best at building brand awareness, customer implementation is going to focus on being the best at supporting their customers, the sales team is going to be focused on being the best at generating revenue, and so on. You get the picture.

Yet the ongoing monitoring and the annual risk assessment of the vendor must still get done. They absolutely involve input from teams like these, but those teams have critical duties and responsibilities that the organization depends on being performed every single day. Therefore, the vendor management team should be performing the ongoing monitoring and the annual risk assessment, with the assistance of these teams as needed.

Every department will be different, yet similar. If we look at Information Technology (IT), they usually have so many vendors that any help they can get is greatly appreciated. The cybersecurity department may have fewer vendors than IT, but they too are going to appreciate all the help they can get to keep every vendor viable and to make sure other departments don’t overlook vendors of their own that have access to customer data.

The moral of the story is that the department doesn’t matter. No matter what, every department and every line of business has a function in vendor management that it must perform. However, the well-trained vendor management staff is the glue ensuring everything is done correctly and assigned appropriately, and that examiners and auditors are happy at the same time. A win-win in this team sport!

Centralize Your Vendor Management Efforts

I suppose I just made the argument for a centralized vendor management program. Decentralized vendor management programs can be harder to operate and more prone to missing something critical in the vendor lifecycle than centralized programs. You can probably see why at this point. Centralized vendor management programs, meaning a program with expertise drawn from across the organization and a team built around vendor management, allow the organization to function at a high level and still maintain its compliance requirements for exams and audits.

Why Vendor Management Falls on the Board

The responsibility for vendor management and third-party risk management lies with the board, as does enterprise risk management. Once an organization forms an enterprise risk management program, it will normally grow vendor management into third-party risk management to tie all the risk assessments together. It makes sense to have both enterprise risk and third-party risk at the enterprise level.

Set your organization up for success with the right operating model for vendor management and then take the time to run an employee awareness campaign so everyone knows what’s going on and how they fit into the vendor management picture for your organization. Then take a victory lap as the processes and procedures begin to make life easier for everyone.

Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.
