We see a lot of companies overthink their vendor management program and, inevitably, end up tangled in a complicated process design. By its very nature, vendor management is a simple process.
Here are the 5 most important things to remember when designing your vendor management program:
- Start with a simple 4- or 5-step process design. With more than 5 key steps, your vendor management process becomes unnecessarily complicated and has a high probability of running into trouble.
- Always start by listing the process steps, not by writing your policy. Too many companies fall victim to an endless series of drafts and rewrites to get a formal policy approved. Outline the process instead; this brings your focus back to the key process steps. Once you have a process designed, it is easy to write the policy document. The policy document simply explains why you do each step and affirms that the process must be followed formally and consistently.
- Know who will be responsible for completing each stage of the vendor management process. Will the business owner be responsible or will a subject matter expert (information security officer, finance analyst, etc.) be responsible for the step?
- Affirm that the party responsible for each step has the requisite knowledge and expertise to answer the questions that need to be answered. As an example, many companies want to decentralize their risk assessments, but business owners often lack the specialized skills and knowledge needed to complete those assessments.
- Communicate the vendor management process and train your staff on it. Establish a firm mandate for immediate compliance with the policy, and make it clear that noncompliance will be monitored and penalized. This is important and appropriate because an improperly managed vendor risk program invites legal liability, reputational and strategic exposure, and regulatory penalties for your organization.