Defining Your Vendor Management Policy

Defining Your Vendor Management Policy

By Sarah Nord

More than likely, you have a process for managing vendor relationships. You may even have a sophisticated process with a centralized vendor repository, risk assessments, due diligence, contract review, careful onboarding and ongoing monitoring. But how many of your employees know the process? And more importantly, how many of them understand how they fit in?

This is where a Vendor Management Policy is so important. You see, vendor relationships are wide-reaching and touch many parts of the organization, from the department that “owns” the relationship to oversight functions like risk management, compliance, legal, security, procurement and more. An effective vendor management program involves lots and lots of communication (to put it mildly!), and that communication can get out of hand if employees don’t understand the sequence of events. (If you’ve ever been pinged by a business owner 20 times about the status of a vendor contract or risk assessment, I’m sure you get it.)

But beyond communication headaches, a vendor management policy helps to ensure that your standards and processes are carried out correctly. In other words, if people don’t know what’s expected of them, you shouldn’t expect them to follow the rules, which can lead to harmful consequences. BitSight states it bluntly:

“The truth is, if you don’t have a vendor management policy in place today, your company is being negligent. Unfortunately, not having a policy in place means that there’s a good chance your organization’s sensitive data may be handled by someone who shouldn’t have access to it. And this puts the health of your entire company on the line.”

So what should a vendor management policy contain? Here are a few ideas:

Policy Scope:

Your policy should define requirements for third parties in the following areas (at minimum):

  • Human resources security
  • Physical and environmental security
  • Network and system security
  • Data security
  • Access control
  • IT acquisition and maintenance
  • Vendor management (i.e., how your vendors manage their vendors)
  • Incident management
  • Business continuity / disaster recovery
  • Compliance

Risk Scoring Criteria:

If you’re going to assess vendor risk, it’s crucial to define your scoring methodology within your policy and communicate it to all vendor relationship owners. Organizations commonly separate vendors into three risk tiers: high, medium and low. There is no standard definition for these risk tiers, but when determining what’s right for your organization, keep these factors in mind:

  • Criticality of the vendor’s services in delivering your own products and services
  • Access to personally identifiable information (PII) for employees or customers
  • Access to non-public information (financials, strategic plans, intellectual property, etc.)
  • Level of spend and length of engagement
  • Any personal relationships between your organization and the vendor that may warrant a higher level of diligence

Procedures and Process Flows:

In addition to your vendor policy, employees will benefit from step-by-step guidance on how they should manage vendor relationships. Consider all parties that need to be involved: relationship owners, executive sponsors, legal, compliance, procurement, IT and other functions, along with the vendor itself.

If your procedures are complex, a visual process flow can help people understand where they fit into the process and who is responsible for completing various tasks. Here’s a simplistic example:

Vendor Management Process Flow

As with all policies, it’s wise to track employee awareness and acceptance on a periodic basis. Also, be sure that your vendor management policy is accessible to employees at all times. When questions arise, “Consult the policy!”

Featured Resource:

Vendor Risk: Find It Before It Finds You

Practical Guidance for Identifying and Managing Risk That’s Hiding in Your Third-Party Relationships

Like What You’ve Read? Subscribe for More

Join the Onspring Insights newsletter for monthly updates from our blog. You may unsubscribe at any time.

NOTE: By submitting this form, you confirm that you agree to our Privacy Policy.