Building a Vendor Management Program

How much can an insufficient vendor management program cost your business?

$60 million (and more in lost faith) if you ask Morgan Stanley. Late last year, when the Office of the Comptroller of the Currency fined the marquee bank, it was a reminder to organizations that vendors are more than business enablers. They are, in equal parts, handlers of sensitive information and the business’ first external gateway to the market.

Hence, the vendor management protocol is often the yardstick for a business’ readiness and customer-centricity, and for its commitment to providing secure and seamless experiences.

The fine lines between a ‘vendor,’ ‘supplier,’ and a ‘seller.’

Contracting guru Ken Adams has a quick, witty, and useful note on the nomenclature:

Use vendor for a party that’s in the business of selling the property in question; use seller for a party that isn’t.

Don’t dream of using vendee instead of buyer. Besides inviting -or / -ee confusion, no humanoid says vendee.

What about supplier? Use supplier for a party that not only is in the business of selling widgets but is contracting with you to supply you widgets over time.

Our usage of the term.

For this article, we will consider a ‘vendor’ to be any third-party service provider that helps a business fulfill customer obligations. This includes independent contractors, commissioned organizations, and limited-term technology.

What is Vendor Management?

Vendor management is the organizational process of selecting, onboarding, monitoring, and governing the deliverables of third-party service providers to your business.

This has direct and indirect implications for your operational efficiency as a business and for the experience your customers and partners have with your product or service.

Who Should Own The Vendor Management Process?

As technology has developed, both its impact on the quality of vendor work and the repercussions it can create have grown with it. Over the last 5 years, the financial impact of lapses in vendor data management has quadrupled.

This has brought heightened regulatory governance around ERM and, consequently, the need for a centralized source of truth for third-party/vendor risk management that streamlines access to data without compromising on quality standards, Deloitte’s TPRM Survey 2020 found.

Fragmented data repositories split quality control, complicate management, and consequently make information harder to access and more exposed to loss or theft.

On the other hand, having a singular point of access to all third-party/vendor information brings accountability, and helps build a resource allocation and data protection strategy quickly.

This means that while ownership of vendor management might rest squarely with the general counsel, Compliance, or IT, information needs to flow in from across the organization to understand vendor SLAs and deliverables. Ideally, scale-up organizations that cannot spare the resources for a dedicated vendor management team should have Legal and IT co-own the process.

Why should Legal/Compliance and IT co-own vendor management?

IT’s knowledge of individual tools, data processes, and cybersecurity complements the general counsel’s people and risk management, negotiation, and policy development skills. This streamlines people and resource accountability and helps maintain a strong data-handling posture.

Together, they can ensure that vendors and the data assigned to them are properly accounted for, avoiding information or data leaks while lowering the barriers to information.

Prerequisites to a good vendor management program

The rationale, objectives, and outcomes differ for each vendor in your ERP, and the management process will likewise differ with the operational and hierarchical dynamics of each organization. However, there is common ground in what constitutes a successful vendor management program:

1. Amicable knowledge-sharing between vendors, reporting authorities, and teams
2. Periodic performance and outcome analysis
3. Streamlined SLAs and solid KPI-setting
4. Free-flowing communication and feedback cycles

And while organizational demands will complicate the stages of a vendor management process, this is the overarching framework 👇

The following steps underpin a great vendor management program protocol:

Laying the groundwork

Defining metrics and expectations at the evaluation stage is the first step to bridging the information gap for a prospective vendor. Setting the terms and identifying the people involved (both workers and evaluators) at the start also heads off complications at the contract negotiation stage.

You will likely adopt different vendors for separate forms of support within the organization, or even within the same business function.

And while cost will almost certainly be a core consideration when choosing a vendor, it is important that you have distinct metrics (ideally a rulebook) for each vendor category, based on your previous experiences.

For example, when evaluating law firms, look at the ones that have stood out to you the most and identify the distinguishing factors.

Here is a list of features you might typically want to consider before choosing your legal vendors:

| Law Firm | Individual Counsel | ALSP | Legal Technology |
| --- | --- | --- | --- |
| Spend per matter | Spend per matter | Spend per matter | Subscription cost |
| Response rate | Response rate | Response rate | Degree of data security |
| Litigation exposure over time | Quality of reports generated | Degree of data security | Rate of integrations with existing tools |

💡 Tip: Choose 1 core metric and up to 4 affiliated metrics as the foundation of your rulebook. Too many metrics are counterproductive and divide focus.

Bulletproofing deal terms

Once you have identified your vendor, it is essential to communicate the KPIs and the measurement process to them. This ensures there is no disparity in your ongoing exchanges at a later stage.

Setting action items

- Include your KPIs as action items in your SLAs
- Set remedial clauses for cases where the conditions of engagement are not met
- Clarify measurement procedure to minimize confusion
- Clarify other terms of operation (e.g. non-U.S. payment, hours of service, etc.)

Streamline vendor contracts for data-extraction

Each vendor contract is in fact a repository of information you can draw on during evaluation or when initiating renewal discussions.

Some of the data that you can expect to find in vendor contracts are:

- Performance
- Renewals
- Terms of service
- Delivery, and more

Naturally, there is a strong case for better contract management as a means to transform the way you access, manage, or evaluate vendor data.

Contemporary contract management software also integrates with existing business tools for data extraction, funnelling data into your system without the hassle of constant follow-ups. Here is how that works:

Let’s say your organization is expanding into a new market. And in order to leverage local insights for expansion, you hired a sales boutique that promised to get you initial paying customers. During renewal discussions, you would want to know the total number of deals they brought in, the average deal value, and upsell rates to find ROI on your spending.

There are two ways to navigate this:

A) Hold conversations with your vendor and finance team, and carry out a thorough analysis of the sales contracts the vendor generated.

OR

B) Use contract management software that automatically pulls data from your existing CRM, creates your contracts near-instantly, and surfaces all the key details at a glance.

A large share of vendor insight sits directly inside your contracts. Make sure you are using it well.

Making knowledge sharing seamless

Vendor relationships are primarily value-driven: you hire experts so that work happens faster and more effectively. Depending on outdated communication or knowledge-sharing channels slows that process down.

An important part of vendor onboarding is also integrating their technology with yours so they are not always dependent on you for knowledge or resources.

Instead of using separate tools for communication, add vendors to common workspaces and assign a company SPOC who can act as an intermediary. Tools like Slack and Notion support adding external parties to your workspace while limiting their access to information.

SpotDraft’s contract platform also limits the degree of control any member has on matters, so any external legal counsel can only see data you have earmarked for their perusal.

Think data-first

Last year, after COVID forced digitization on the economy, the share of businesses reporting cyber-attacks rose from 38% to 43%, the Hiscox Cyber Readiness Report 2021 found. Count even the U.S. Treasury and Commerce Departments in that list and you know that data handling and incident readiness cannot be overlooked.

How safe can your customers expect to feel if key business data oscillates between multiple management profiles across your organization and vendors?

While evaluating the risk of your SaaS or other business tools is relatively easy, the number of variables makes it much harder to gauge the pitfalls of independent contractors or external vendors.

The solution to vendor data handling issues

The What: Tie risk analysis to performance analysis.

The How: Instead of doing a blanket analysis for potential leaks throughout, use an objective-gradation model. Grade each vendor by the sensitivity of data accessible to them, and use another grade to determine vulnerability.

It is best to leave vendor trust out of the equation, because assuming a low likelihood of breach skews the assessment of its potential impact (if and when it happens).

Analyzing vendor security by the type of data involved and the access paths to that data makes it far easier to predict weak points than weighting cosmetic metrics.

The risks of that are best explained in this blog by Shared Assessments:

Likelihood balances against impact by weighing the probability of a breach occurring. This helps organizations prioritize incidents. Across many areas of vendor risk, organizations can measure likelihood with SLAs and policies. For example, cloud providers offer availability guarantees and backup services that let organizations quantify the probability of different data loss scenarios.


Taken together, impact and likelihood form a risk score. And the third parties with the highest risk traditionally demand our greatest attention. The SolarWinds cyber-attack demonstrates the weakness of this approach. The trust placed in a vendor can lower the overall risk score by assuming the likelihood of a breach is low.
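The objective-gradation model described in "The solution to vendor data handling issues", worked through as an added example that is not part of the original post: each vendor gets a data-sensitivity grade and an access-based vulnerability grade, and their product drives the review tier. A trust-discounted score is computed alongside only to show the effect the Shared Assessments quote warns about. The vendor inventory, the 1-5 scales and the tier thresholds are constructed assumptions.

```python
"""Objective-gradation vendor risk scoring (added example, not from the post)."""
from dataclasses import dataclass

# Assumed 1-5 sensitivity scale for the most sensitive data class a vendor can reach.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "pii": 4, "regulated": 5}

@dataclass
class Vendor:
    name: str
    data_class: str     # most sensitive class the vendor can access
    access_paths: int   # distinct ways in: API keys, VPN, shared drives, ...
    privileged: bool    # any admin/write access to production systems?
    trust: float = 0.0  # 0..1 "we trust them"; ignored by the objective score

def exposure_grade(v: Vendor) -> int:
    """Vulnerability grade 1-5 from observable access facts, not reputation."""
    grade = min(v.access_paths, 3) + (2 if v.privileged else 0)
    return max(1, min(grade, 5))

def objective_score(v: Vendor) -> int:
    """Sensitivity x exposure, 1..25. Trust plays no part."""
    return SENSITIVITY[v.data_class] * exposure_grade(v)

def trust_discounted_score(v: Vendor) -> float:
    """Traditional impact x likelihood, with likelihood lowered by trust."""
    likelihood = exposure_grade(v) / 5 * (1 - v.trust)
    return round(SENSITIVITY[v.data_class] * 5 * likelihood, 2)

def tier(score: int) -> str:
    """Map the objective score to a review cadence (thresholds are assumptions)."""
    if score >= 15:
        return "tier 1: quarterly review, contractual security attestations"
    if score >= 8:
        return "tier 2: annual review"
    return "tier 3: onboarding check only"

def rank(vendors, scorer):
    """Vendor names ordered from highest to lowest score under `scorer`."""
    return [v.name for v in sorted(vendors, key=scorer, reverse=True)]

# Constructed sample inventory: the most trusted vendor also has the widest access.
VENDORS = [
    Vendor("monitoring-platform", "regulated", 3, True, trust=0.9),
    Vendor("outside-counsel", "confidential", 1, False, trust=0.5),
    Vendor("sales-boutique", "pii", 2, False, trust=0.2),
    Vendor("marketing-agency", "public", 1, False, trust=0.0),
]

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name:20} objective={objective_score(v):2}  "
              f"trust-discounted={trust_discounted_score(v):5}  {tier(objective_score(v))}")
    print("objective ranking:       ", rank(VENDORS, objective_score))
    print("trust-discounted ranking:", rank(VENDORS, trust_discounted_score))
```

Under the objective score the monitoring platform (regulated data, three access paths, privileged) tops the list; once trust discounts likelihood it falls behind a vendor with far narrower access.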