A vendor management program involves many different interconnected activities designed to accomplish goals specific to an organization. Senior management and the board are required to stay informed of these activities, and this is where a vendor management policy comes into play.
The policy is the first document that should be created and will identify the roles, responsibilities, regulations and overall purpose of a vendor management program. It also provides a broad outline of the areas of due diligence, risk assessments and contract management, and establishes how the board and senior management will stay informed of vendor management activities. When used alongside other governance documents, such as program and procedures documents, a policy will help build the foundation of a well-organized vendor management program. In this blog, we’ll cover some tips on how to write the policy, who should be involved and how to implement it within your organization.
Writing the Vendor Management Policy
Remember these five tips when writing the policy:
- Keep it high-level. The policy should be written at the board of directors' level, in language familiar to them. They need to be actively involved in vendor risk management, so this document should explain how to be involved and allow them to set the "tone-from-the-top" that empowers senior management and the vendor owners or lines of business to enact the program and procedures.
- Reference the appropriate regulatory guidance. Make sure to align your policy to the applicable guidance, as needed.
- Cover the stages of the vendor risk management lifecycle. The stages are onboarding, ongoing and offboarding, with additional steps such as planning and risk assessment, due diligence, contracting and more included within each stage to ensure you're thoroughly monitoring and assessing a vendor.
- Be concise. The document should concisely describe the core program components, requirements, roles and responsibilities, and should be appropriate for executive-level discussion.
- Seek approval and update as necessary. The board should approve the policy annually and it should be updated in the event of regulatory changes or significant organizational shifts.
Typically, the policy is also one of the first documents provided to examiners or auditors during a review of the vendor risk management practices, so be sure to spend adequate time on the development of your policy.
Sections Within the Vendor Management Policy
Very often, the policy will include the following sections:
- An overview of the vendor risk management framework
- The purpose of vendor risk management at your organization
- High-level details regarding each of the key functions such as selecting a vendor, analyzing risk, ongoing due diligence monitoring and other areas of third-party risk management
- Applicable regulatory guidance citations
- The relationship to other areas of the risk management and compliance management practices
Involving Your Team
It’s important to obtain the input of various subject matter experts (SMEs) when creating the policy, but the document should ultimately be written by a single author. This ensures that the tone, language and content are consistent. The policy will likely need to go through several rounds of revisions, but this is an important step to establish accuracy and the right framework for your organization.
Involving the Board and Executive Leadership
Once written and finalized, take the time to educate the board of directors and executive leadership on it and ensure they understand their vital role in its success. Remember that the board should be approving the policy annually. Track this approval by date stamping the document and recording it in the board meeting minutes. The policy should also be updated and reapproved if regulatory guidance changes.
Rolling Out to the Organization
Consistent with the manner in which you introduce other compliance and risk policies to your broader organization, the vendor risk management policy should be shared with anyone involved in vendor management. Consider holding education sessions or "did you know?" luncheons with key members of the staff. Provide feedback and encourage input – after all, everyone has a role in compliance and risk management.
Following these guidelines should help greatly in the development of a comprehensive vendor management policy that supports your program.