After publication, Venminder created and released a new, simplified third-party risk management lifecycle that is more user-friendly. Learn why we made this big change here, and learn the stages of the new risk lifecycle here.
There’s a lot that goes into vendor management, and all that work makes it an integral component of an organization’s success. Vendor management (often also referred to as vendor risk management or third-party risk management) is the process of fully identifying all of the significant companies that aid in the delivery of a product or service to your organization, or to your customers on behalf of the organization. It involves controlling costs, driving service excellence and mitigating risk to gain increased value throughout the deal lifecycle.
Vendor Management Roles and Responsibilities
The role of vendor management within an organization consists of wearing many hats. Some responsibilities include:
- Working closely with vendors on a day-to-day basis
- Assisting with planning and developing the vendor management policy, program and procedures
- Facilitating vendor selection and contract negotiation processes
- Continuously monitoring vendor risk even after the vendor contract is executed (e.g., monitoring performance levels and periodically requesting and analyzing current due diligence)
- Communicating with internal departments such as lines of business/business units, internal audit, senior management and more to answer vendor questions and oversee tasks
- Maintaining a database of pertinent risk information pertaining to third parties, and communicating this data via consistent reporting to senior leadership, pertinent stakeholders and the board
Managing Your Vendor Lifecycle
In addition, the role of vendor management plays a strong part in managing each vendor’s lifecycle. Those who aren’t directly involved in vendor management on a regular basis may not realize there’s an entire vendor lifecycle, but there certainly is.
Every relationship has a beginning, a middle, and ultimately, an end. The vendor lifecycle looks like this:
- Scoping. Clearly define and understand what relationships should be considered and managed by third-party risk.
- Inherent risk and criticality assessment. Inherent risk assessment identifies all the potential risks of outsourcing a product or service to a third party; criticality assessment considers the business impact if that service were to go away.
- Due diligence & residual risk determination. This stage is where you do your homework. Adequate due diligence assists with selecting the best vendor for your organization, and understanding the controls in place which mitigate the risk to your organization, giving you the residual risk.
- Vendor selection and contract management. To choose the best roster of vendors possible, it’s critical to follow a process for drawing up strong written agreements with third parties, including negotiation, change management and ongoing maintenance. This stage can help you limit liability for your organization, set expectations and lay the groundwork for right-to-audit clauses and service-level agreements.
- Ongoing monitoring. Risk fluctuates. In this stage, it’s important to keep an eye on your high-risk and critical vendors. This phase also includes SLA and performance tracking, and eventually, planning for the periodic re-assessment of risk and due diligence, which brings us full circle.
- Termination. When the time comes for the relationship to end, follow your exit strategy contract terms accordingly. Now, the vendor leaves the lifecycle.
Three Lines of Defense in Vendor Management
When you think about the role of vendor management, everyone at your organization actually plays a part. That’s because there are three lines of defense involved – which together cover much of the organization – and even if you feel you’re not part of one of these lines of defense, you can help by sharing the experiences you’ve had with the vendors you work with.
The three lines of defense include:
- The first line. This is the front line or business unit. They’re managing the third-party relationships on a daily basis. And, by this we mean they’re speaking to the vendor, addressing issues or concerns, asking questions and more.
- The second line. This is the independent risk management function. This tends to be the compliance or third-party risk departments overseeing vendor management.
- The third line. This is the independent audit function. They review the first- and second-line work product and the effectiveness of the controls, as well as the policy, program and procedures, and advise if any changes need to be made. They’re looking for gaps in processes, and you want them to catch those gaps before an examiner does.
Ultimately, the role of vendor management within your organization, and what it means, comes back to the definition above. It’s extremely important. Without it, an organization would have a lot of trouble doing the following three things:
- Controlling costs
- Driving service excellence
- Mitigating risk
Risk is inevitable, but a strong vendor management team and program helps reduce it as much as possible.