Is your business continuity solution ready to help in a disaster?
Your organization likely uses dozens of critical vendors to support your products, services, and internal operations. Each of these vendors needs to be carefully chosen and managed to address and mitigate vendor risk within your organization. Unfortunately, many institutions manage their vendors inefficiently or incompletely. Here are three key issues you can work on now to ensure you have a successful vendor management program in place.
Doing Too Much
There are two aspects to this section that we are going to focus on: knowing what vendors belong in your vendor management plan, and knowing which monitoring activities are most important.
Often, when someone hears the term ‘vendor management’, the assumption is that the program will include every third party that your organization pays for to provide a product or service. For some organizations this could be hundreds of vendors, each one with their own set of monitoring activities – and enough work to keep your team tied up forever. Fortunately, this is not the case. Your Vendor Management program should be focused on third parties who your institution has a business relationship with that perform operational functions integral to your product or service offerings. Organizations like your loan origination software provider should be included in your program. However, the landscaping business your institution employs to keep the grass mowed is simply considered a supplier, and does not need to have monitoring activities assigned to it.
Now that you have determined which vendors you actually need to focus on, you can decide which monitoring activities are necessary to keep your institution secure. A common misconception for people maintaining a vendor management program is that you must monitor everything available for every vendor, which uses extensive resources. Fortunately, this is not needed. You want to choose monitoring tasks based on the inherent risk rating for that vendor. The higher the inherent risk, the more monitoring will be required. Conversely, if a vendor has a low inherent risk, you will not need to do extensive monitoring. Utilizing your risk assessment results to prioritize your monitoring tasks will allow you to use your team’s time more efficiently, and ensure that your critical risks are properly managed. You may find some extra time that you were misusing by monitoring irrelevant activities that you can now use more effectively elsewhere. Imagine that, a risk management program that actually saves you time!
Decentralization is one of the biggest issues we see in vendor management programs. Vendor contracts are spread throughout many departments of an organization, which obscures the holistic view of your vendor relationships. Even worse, there can be vendors you don’t even know about if contracts and due diligence items are not managed through the risk manager. If you want to know if you have a handle on your contracts, ask yourself: Do you know where all your vendor contracts are? Can you quickly find a list of all the vendor contracts that will be renewing this month? Can your team see upcoming vendor renewals with enough time to decide whether renewing is the best option? If you answered no to any of these, you need to take another look at how you manage your vendor contracts.
It is imperative that you collect all vendor contracts in a central repository. This can be done via manual means, like a folder on your organization’s network, or through an automated vendor management platform. A word of caution as you decide – keeping contracts on your network can mean inaccessibility if there is an outage, which can be troublesome if you need to pull up a contract to check a vendor’s business continuity process, so make sure data in your network folders can be available if your network is not. Keeping duplicate paper copies is an alternative, but can result in version issues, so be diligent updating every copy. Thinking ahead and weighing out the best option are key to making your methodology a success.
Manual Vendor Management
Managing your monitoring activities manually can be time consuming and inefficient. Compiling every activity and trying to determine the priority of each within a monster spreadsheet is almost impossible as you sift through hundreds of rows. Are you sure you’ve accounted for every relevant activity and every vendor? Which monitoring activities are coming up? What is the status of each one? Who will be doing the work? Are high risk activities prioritized first? Do you have the most up-to-date-version? There are so many issues and potential for mistakes and miscommunication with a manual process because spreadsheets rely on constant checking and verification of just the layout alone.
These issues can be resolved using an automated vendor management solution. Software as a Service offerings allow everyone to log into the same program and make edits in real time, removing version control issues. Complete your risk assessment and the prioritization is handled for you based on your results. This allows you to spend less time deciding what is most important to monitor and more time actually monitoring. Any good vendor management software solution should allow you to set owners for specific tasks, so you can see an activity's progress and assist your team in removing any roadblocks. Vendor management software solutions should also be able to house your contracts, so you can have them in a central, easy to access location to keep an eye on upcoming renewals.
Your vendor management program should be complete and efficient to support the strategic goals of your organization. By centralizing your contracts, using a risk based prioritization, and creating efficiencies by utilizing automated tools, you can save your organization time, money, and resources while creating a more robust and effective program.