
Why You Need Vendor Management (VM) Not Just Enterprise Risk Management (ERM)

Aug 13, 2019 by Gordon Rudd, CISSP

I was talking to my friend Jeff the other day. Jeff works for a rather large organization. I asked him how he was handling third party risk management. He informed me that his organization has an enterprise risk management system, so they didn’t need a separate third party risk management system.

I hear this opinion from time to time. People tell me they have a vendor management solution within their Enterprise Risk Management (ERM) suite. When I ask them how it’s going, there are always suggestions for improving the ERM vendor they chose. Complaints have become a given, and the list of flaws in “the system” is usually long. Five common complaints tend to come up early in the conversation; it often goes something like this…

The system won’t let me do the following:

  1. Enter multiple products for one vendor without entering all the vendor’s information over again
  2. Easily add/change/delete risk assessment questions
  3. Set automatic alerts by product and by product owner
  4. Generate the reporting our regulators want to see
  5. Enter multiple risk assessments for one vendor

It’s at this point that I usually stop and explain ERM.

What Is Enterprise Risk Management (ERM)?

ERM is part of Governance, Risk and Compliance (GRC), and its focus isn’t on vendor management. An ERM platform is, and should always be, focused on the 26 most widely accepted risk categories and on helping you track and roll up the risk for each into an overall risk score for your organization. An ERM system will concentrate on the SCORE risk categories: Strategic, Compliance, Operational, Reputational and Expense (Finance). ERMs aren’t designed to do vendor management.

At the ERM level, you’re working to do the following:

  • Create policies
  • Determine the organization’s risk appetite
  • Evaluate all areas of risk for your organization

You'll find some ERM vendors who claim their platform is capable of handling vendor management. However, it has been my experience that these vendors are interested in making a sale and may fail to disclose how much work it will take to implement all the workarounds necessary for vendor management to operate in a functional manner.

Today, you need a strong vendor management platform. You may also require a strong ERM platform. What you don’t need is an ERM platform masquerading as a vendor management platform: an ERM platform that can be pressed into service as a vendor management platform only if you work very, very hard.

What Is Vendor Management (VM)?

Vendor management (VM) rests on six pillars: selecting a vendor, risk assessment (by product or service), due diligence, contractual standards, reporting and ongoing monitoring. Though there is a risk assessment component to vendor management, third party risk management is rolled up into the overall enterprise risk.

Third party risk is just one element within ERM, hence the need for vendor management. Vendor management focuses on the following:

  • Controlling costs
  • Driving service excellence
  • Mitigating vendor risk

Vendor management contributes to the organization’s risk profile but stands alone as a discipline.

A Quick Look at Vendor Management Systems

Implementing a dedicated vendor management system is a must. A vendor management system should do these six things and it should do them well:

  1. Help you select a vendor
  2. Create and perform individualized risk assessments on multiple products and services from the same vendor
  3. Give you the ability to track the due diligence for every vendor
  4. Establish reminders for all your contract dates as well as other significant dates
  5. Generate reports that your regulators want to see and allow you to modify them to meet your needs
  6. Provide support for all the ongoing vendor monitoring that your organization requires

Why You Need Vendor Management Separate From ERM

Trying to use one system to do both vendor management and ERM is like using the trunk of a Cadillac sedan to haul a washing machine. You tie the trunk down and it works, but it’s the wrong tool for the job. Always use a truck. If you’re behind that sedan, you hope the twine they used to tie the trunk down holds and the washing machine doesn’t fall out. You know that at any minute the car will hit a bump, the washing machine will fly out and an accident will happen.

Vendor risk is one component of enterprise risk. Each discipline, vendor management and enterprise risk management, is unique in its requirements and in its purpose. ERM is designed to be the enterprise risk management vehicle, and the vendor management system is designed to handle enterprise vendor management. They are two separate enterprise functions.

The ERM and vendor management system should be interfaced. That is, they should be able to seamlessly share data. That makes sense.

Let’s look at a few reasons why having a separate enterprise class vendor management system makes good dollars and sense:

  1. It’s a regulatory expectation. Vendor management, also referred to as third party risk management, is a regulatory hot button. As it should be! There are too many details in a vendor management system that must be well-managed in order to protect your organization from vendor risk.

  2. It’s complex. Overseeing hundreds upon hundreds - sometimes thousands upon thousands - of vendors is a Herculean task! It can’t be taken lightly and certainly can’t be ignored. There needs to be a team, and system, fully dedicated to vendor management before you can achieve effective oversight.

  3. Examinations are chaos. When you get the notice of examination, it can be quite a frantic time. But, it doesn’t necessarily need to be if you’re utilizing the right vendor management system and you’re giving vendor management the attention it deserves.

  4. Examiners expect it. Examiners expect every organization to have a well-developed vendor management program in place, separate from ERM.

  5. It’s expensive. We’ve seen large organizations spend millions of dollars trying to save hundreds by kludging together a vendor management program and forcing the program to run on an ERM. The time and energy it takes to support the “frankenbuild” is astonishing.

  6. Eventually you will fail. Using an ERM for vendor management fails 99% of the time. It fails hard and that’s never pretty.

Vendor management isn’t something to take lightly. It’s a mission critical function in every organization and it needs to have a strong focus and an established vendor management program with appropriate policies and procedures. It needs well-defined processes and a dedicated vendor management system.

Trust me, it’ll make your life easier. If you want to streamline your internal processes, save your organization money and satisfy examiners, get a reliable vendor management platform, not just an ERM. You won’t regret it.


Written by Gordon Rudd, CISSP

Gordon Rudd is a Third Party Risk Officer at Venminder. Gordon has more than 30 years of experience in the financial services industry in the areas of third party risk management, technology, information security, enterprise risk management and GRC (Governance, Risk Management and Compliance) program development. Gordon works with the Venminder delivery team as a third party risk management and cybersecurity subject matter expert in residence.
