(270) 506-5140 CONTACT US
Best Practices

What Is a Vendor Management Program?

Jun 18, 2019 by Branan Cooper

To sum it up, a vendor management program is a plan established to protect your organization from vendor risk. By outsourcing a product or service to a third party vendor – or those fourth party vendors that get involved – you’re exposing your organization to financial, operational, reputational, transactional risk and more. Sounds concerning, doesn’t it? Frankly, it sure is. However, understand the following regarding what a vendor management program is and it’ll all become a little more clear.

3 Purposes of Vendor Management Programs

First, remember that a vendor management program’s purpose is three things to instruct senior management and the lines of business:

  1. Control costs
  2. Drive service excellence
  3. Mitigate risks throughout the vendor lifecycle

Always keep those 3 elements in mind as you embark on your vendor management journey.

3 Lines of Defense in Vendor Management

Now, let’s talk about your three lines of defense. They come into play a lot in a vendor management program:

  1. The first line of defense: This is your front line, aka the business units. They’re the ones who interact day-to-day with your vendors.
  2. The second line of defense: Consider this the compliance or vendor management team who will be overseeing the vendor management program.
  3. The third line of defense: This is audit. They will evaluate the program periodically and notify of any changes that need to be made.

6 Pillars of Vendor Management You Should Know

With that in mind, think about the 6 pillars of vendor management to better understand what a vendor management program is and why it’s so important. These pillars are selecting a vendor, risk assessment, due diligence, contractual standards, reporting and ongoing monitoring. They’re truly what a vendor management program is comprised of. Here’s why:

  1. Selecting a vendor is the first element that needs managed in any vendor management program. Well-developed processes should be in place to vet a vendor properly before you sign the contract.

  2. The risk assessment helps you facilitate one of the ultimate goals of a vendor management program – mitigating risk. If you don’t perform a risk assessment on every single vendor, then you won’t have a true understanding of how much risk your organization is exposed to. Essentially, you’ll be in the dark.

  3. Every program involves gathering and analyzing due diligence This means reaching out to the vendor to obtain items like financials, SOC reports, policies and procedures, business continuity planning reports and more. And then, taking it a step further, thoroughly review the information provided to verify that it meets expectations. You can use your first line of defense to help you obtain the documentation and internal subject matter experts to assist with reviewing (e.g., CPA for financial reviews, paralegal for contract reviews).

  4. Speaking of contract reviews, contractual standards must be developed and are an important element of a vendor management program. So, for example, always set forth in contract your organization and vendor’s responsibilities and expectations. In addition, consider things like negotiation, contract start dates and end dates and more. This is something that needs to be managed and a vendor management program helps with that.

  5. Okay, so you may feel like I’ve bombarded you with a whirlwind of information about what a vendor management program is and includes; however, the great news is it can be easier to manage with the right reporting. It’s important to have some type of reporting in place – whether you’ve created it in-house or you’re outsourcing to a third party vendor – that is comprehensive and can show you insight into where your vendors stand at all times (e.g., risk ratings, upcoming contract expirations/renewal notice periods, expired documentation). Trust me, it’ll make your life a lot easier and make senior management, the board and examiners happy.

  6. And, to bring it all home, ongoing monitoring is a huge component of any vendor management program. It’s extremely important to continuously monitor the vendors you’re managing and assess their risk to see if anything new has happened.

There’s so much to a vendor management program. Understandably, it can be overwhelming. However, with the right knowledge and tools, it can become a lot clearer.

Read 10 best practices that really good vendor managers follow. Download the infographic.

New call-to-action

Branan Cooper

Written by Branan Cooper

Branan Cooper is the Chief Risk Officer at Venminder. Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan leads the Venminder delivery team as the third party risk management subject matter expert in residence. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).

Follow Branan Cooper

Subscribe to the Venminder Blog