For the last few weeks, I’ve been working with a client that’s building additional structure and rigor into their vendor risk management program. They have all the pieces: a formal vendor policy, established relationship owners, regular risk assessments and due diligence reviews, and a detailed contract management process. However, they lack a connected view of all these moving parts, so my colleague Jason and I have teamed up to help them bring all the pieces together into a smart and scalable solution.
This certainly isn’t our first rodeo. Over the years, the Onspring team has delivered Vendor Management solutions for organizations of all shapes and sizes, from small nonprofits to large financial services firms. We’ve learned a few things about building solutions that go the distance, and I’m happy to share a some of those lessons with you today.
So you here you have it…3 Rules for Your Vendor Repository:
Rule #1: Have a Vendor Repository
OK, I know this sounds like snark, but I mean it earnestly. It’s not unusual for organizations to have healthy, active vendor relationships but no consolidated repository of vendor data. The information probably exists, but it may be scattered across multiple functions or owners.
As the organization scales or implements tighter risk management processes around vendor relationships, the lack of centralized vendor data can start to hurt.
“Is this vendor still active?”“We’ll have to contact Accounting.”
“Does this vendor meet our InfoSec standards?” “Let me dig through my files.”
“Where’s our evidence of due diligence?”“I know it’s here somewhere…”
The process of building and maintaining an accurate vendor repository may be onerous, but living without it (in the long term) can be debilitating. In order to monitor vendors and ensure they consistently meet your organizational standards, you need a centralized, searchable view.
Some of the details you should capture in your vendor repository include:
Legal entity name and any trade names
Internal relationship owner
Vendor contacts (including name, email and phone)
Description of products or services provided
Contract details (effective date, expiration date, review status and any special terms)
Associated risk assessments, performance evaluations or due diligence reviews
Rule #2: Make It Accessible to Relationship Owners
You may be in a situation where vendor details are scattered among relationship owners with no cohesive view. Or you may have the exact opposite problem: A central vendor repository that relationship owners can’t access! This can lead to significant challenges with accuracy. When relationship owners don’t have a clear picture of the vendors for which they are responsible, they may:
Maintain their own offline records. Vendor relationship owners need information at their fingertips, including contact details, contract status and any special requirements based on the vendor’s criticality or risk rating. If relationship owners can’t access this information on-demand in your vendor repository, they’ll collect and store the information in their own files out of necessity. At best, this leads to duplication. At worst, it can lead to outdated or inaccurate data in your vendor repository. It’s crucial to have a “single source of truth” when it comes to vendor data. Granting relationship owners access to the information they need—in real time—is a necessity.
Make decisions without the details. One of the greatest advantages of a vendor repository is that it gives you a historical basis for future actions. How do you determine whether to renew a vendor contract if you don’t know how that vendor has performed in the past? (For a funny and informative take on this, read “Do You Like Your Vendors?”) Relationship owners may not have complete knowledge of a vendor’s performance, particularly if they are new to the job. But when they have access to historical data in your vendor repository, they are equipped to make sound choices.
Rule #3: Keep It Fresh with Regular Feedback and Due Diligence
OK, you have a central vendor repository, and your relationship owners have access to the information they need. Now, the secret sauce comes with engaging those owners to keep your vendor repository alive. This is where the real value lives.
By capturing ongoing risk assessments, due diligence reviews and satisfaction surveys in your vendor repository, you can keep your finger on the pulse of your vendor relationships. You can regularly assess the health of those relationships and make changes (as needed) to improve quality and protect your organization from undue third-party exposure.
And…this is important…you’ll never again find yourself in the position of cobbling together your vendor repository from scratch. You may have some holes to plug here and there, but over time, your vendor repository will fill out into a rich source of intelligence for your business.
Vendor Risk: Find It Before It Finds You
Practical Guidance for Identifying and Managing Risk That’s Hiding in Your Vendor Relationships