Until the financial meltdown or the regulators made Vendor Management important, it was almost impossible for anyone to get the resources or technology investment necessary to build and support effective Vendor Management, even if there was a burning platform in the form of regulatory sanctions, like what is happening in the financial services sector, or your C-Suite became aware of the many risks and potentially foregone benefits. Vendor Management is in the midst of a long, slow evolution to a value-added, professional discipline.
How many of you have heard your IT business partner say, after you get the budget approved to build or automate an effective Vendor Management program, “Sorry, my vendor ate your budget”?
Because they have a vast number of vendors supporting their operations, IT is usually one of the functions that will gain the greatest benefits from professional vendor management. Without robust capabilities and risk reporting, leaders in every key internal function, including Operations, Real Estate or HR, and especially business leaders in revenue-facing organizations, will have limited or virtually no insight into the risks that vendors’ internal business practices or weak risk controls present to their organization and the company. My experience is that presenting detailed risks by vendor, by risk factor and by line of business to key leaders for the first time leads to an intense discussion. Much like the first time you profile vendor and category spend to senior folks, it’s a real eye opener for most leaders.
So what do the terms Vendor Management, Vendor Risk Management, Supplier Relationship Management and Outsourcing Governance mean? Are they different names for the same thing? To quote what I learned in MBA school: “it depends”.
Once you have completed all of the intense activities to source and conduct due diligence to find the right vendor, it's time to enable vendor management. Any number of studies have been done to explain the benefits of effective vendor management. Vendor Management can be thought of as an umbrella term for the many facets of getting what’s expected from your contract and relationship with key vendors. When designing programs, I like to keep things simple, so organizing your program into three headings makes it easy for most people to remember.
1. Cost Management includes the ongoing costs to acquire contracted goods and services, transition and implementation costs, realizing negotiated savings and threshold discounts, leveraging price de/escalation clauses, and calculating the costs for managing the relationship. This is broader than a Total Cost of Ownership (TCO) calculation because it includes visibility and reporting for baseline costs, cost/price (de)escalations and TCO over time.
Reporting all current and expected future costs to your business partners or their key vendor relationships is made possible if your company has invested in a software solution that draws production data from Accounts Payable and Strategic Sourcing or establishes a defined data feed from key vendors. The alternative is a small army of data processors and analysts - not a winning solution in anyone’s book.
2. Risk Management is based on a consistent, repeatable assessment of the strengths of the vendor’s internal controls over many facets of risk. While some of these are industry-specific, common risks include Information Security, Privacy, Business Continuity Planning, Financial Viability and Sub-Contractor Management, to name a few. Industry-specific risks may include Model Risk, Anti-Money Laundering, Supplier Supply Chain and/or Anti-Corruption risk. Mature Vendor Management organizations will have implemented a Vendor Management Risk Framework, Standards and Policies, processes and assessments, training,
Most companies that have a Vendor Management program risk rate the vendor twice: initially based on their Inherent Risk, and then on their Residual Risk. These are point-in-time assessments. The first rates the risks the vendor presents before the strength of the vendor’s internal controls is assessed, and the second rates them after the strength of their internal controls for key risks is assessed.
More mature vendor management programs also re-assess key risks at one or more points mid-contract for those vendors presenting a High level of risk and/or those that are Material to the organization. Material and Critical are often treated as interchangeable terms. The frequency and scope of mid-contract assessments are usually determined by the vendor’s previously assessed level of risk and/or Materiality. The purpose is to determine whether the level of risk has changed and whether new controls are required. Sometimes deterioration in the level of risk will result in developing a remediation plan or even termination of the relationship.
At each step, the vendor is risk rated and summarized as High, Moderate or Low risk. Some companies use 5 or more levels of risk to rate their vendors. My advice is “less is more”; there is no need to overcomplicate your program.
3. Performance Management is also an umbrella term that captures many important aspects of effective vendor management. It includes contract management to ensure you are receiving and delivering everything contracted for. It also includes Transition and Implementation management, Relationship Management, Operations management, Communications, Business Reviews, Service Level Agreement management, Change management, Compliance management, verifying Insurance coverage, and assessing Independent quality and control assessments like SSAE16, ITIL, TMMC, etc. In short, it covers all the many aspects of working with a key supplier that your company depends on in order to deliver services to your customers.
There are two aspects of Performance Management. One is the list of mandatory activities, with their frequency and timing, prescribed by your enterprise-level Vendor Management program. The second is the management responsibilities your functional area is accountable for, to ensure you are spending sufficient time and effort on key vendors that are integral to your operation.
The Investment Argument
These three sources of value can neatly come together into an information-rich Supplier Portfolio Management Strategy. Imagine the benefits to business leaders if they had insight into the Costs, Risks and Performance of their key vendors, and the benefits of proactive leadership made possible by current, actionable information.
The keys to an effective and efficient program are:
Implementing a flexible technology solution that supports your vendor risk management program processes combined with robust reporting capabilities – preferably in a production environment;
Scaling the work effort according to total vendor costs, the level of Residual Risk and the Materiality of the vendor; and
Having enough discipline to avoid using terminology that your business partners would need a PhD in Risk Management to understand.
So the next time you hear “Sorry, My Vendor Ate Your Budget” you’ll be prepared with a well-thought-through reply explaining why investing in Vendor Management is one of the best investments a company can make.
Linda Tuck Chapman is a recognized expert in Vendor Management, Outsourcing Governance, Contract (Re) Negotiation and Procurement Transformation. She can be reached at firstname.lastname@example.org or 416-452-4635.