A vendor management policy is a document that informs senior management and the board about the activities provided in the vendor management program. A comprehensive vendor management policy is the foundation of a strong vendor management practice. It’s really where it all begins.
The policy identifies who’s responsible for vendor management as well as acknowledges regulations, identifies elements of managing vendors, broadly outlines concepts of due diligence, risk assessments, contract management and more and determines how you keep the senior management team and board informed. The policy is one of three documents we recommend creating and maintaining for a well-organized vendor management program. The three documents include the policy, program and procedures. For today’s discussion, let’s focus solely on the policy.
Writing the Vendor Management Policy
Remember these five tips when writing the policy:
- The policy should be written at a board of director's level and should be fairly familiar to them.They need to be actively involved in vendor risk management, so this document should explain how to be involved and allow them to then set the "tone from the top" to empower senior management and the lines of businesses to enact the program and procedures.
- The policy should reference the appropriate regulatory guidance.
- In high-level terms, it should cover each of the pillars of third party risk management; the program documentation will later expand on each of these. The pillars are selecting a vendor, risk assessment, due diligence, contractual standards, reporting and ongoing monitoring.
- It should be a short and concise document, perhaps 5 or 6 pages, and appropriate for executive level discussion.
- It should be approved annually by your board and updated as guidance changes or significant organizational changes occur.
Typically, the policy is also one of the first documents provided to examiners or auditors during a review of the third party risk management practices, so be sure to spend adequate time on the development of your policy.
Sections within the Vendor Management Policy
Often times, the policy includes the following sections:
- An overview of the vendor risk management framework
- The purpose of third party risk management at your organization
- High-level details regarding each of the key functions such as selecting a vendor, analyzing risk, ongoing due diligence monitoring and other areas of third party risk management
- Applicable regulatory guidance citations
- Addresses the relationship to other areas of the risk management and compliance management practices
Involving Your Team
The policy should involve the input of subject matter experts (SMEs) from around the organization but for consistency of tone, language and content, it should be ultimately written by one author. It usually takes several rounds of revisions to get it right, but it's quite important to make sure it's accurate and sets the right framework for the organization.
Involving the Board
Once written and finalized, take the time to educate the board of directors on it and ensure they understand their vital role in its success. Remember, you should have the policy formally approved by the board of directors. Track this by date stamping the document and reflecting the approval in board meeting minutes as well. To reiterate, it’s vital to update annually or as guidance changes to keep the policy as current as possible. With each update, you’ll want to regain their approval.
Rolling Out to the Organization
Consistent with the manner in which you introduce other compliance and risk policies to your broader organization, the third party risk management policy should be shared with anyone involved in vendor management. Consider holding education sessions or "did you know?" luncheons with key members of the staff. Provide feedback and encourage input – after all, everyone has a role in compliance and risk management.
Following these guidelines should help greatly in the development of a comprehensive vendor management policy that supports your program.
See how your peers are handling vendor risk management. Download the whitepaper.