What Do Regulators Want from Your Vendor Management Program?


Post By: Tom Rogers, CEO at Vendor Centric, CPA, CCMP

I get asked this question often. With all of the relationships, risks and regulatory requirements you need to manage, maintaining an effective vendor management program can be overwhelming. But it doesn’t have to be.

If you focus on three fundamentals – structure, consistency and accountability – you can have an effective (if not necessarily perfect) program and still make your regulators happy. Let’s break this down a bit.

Establishing Structure

An effective vendor management program starts with a well-documented policy describing how your board and senior management intend to do vendor management. Some of the key components your policy should cover include, but are not limited to:

  • Policy Statement – the overarching objectives for your program, including a statement about your risk appetite.
  • Governance Structure – the role of the board, committees, senior management and, preferably, enterprise risk.
  • Roles and Responsibilities – primary responsibilities from first- and second-line stakeholders including the business owners, subject matter experts and internal audit.
  • In-Scope Vendors – the types of third parties that are covered under the program and which are out-of-scope.
  • Categories of Risk – the types of risks that are to be managed such as reputational, financial, operational, information security and compliance.
  • Exceptions and Deviations – handling of policy exceptions and deviations.

Creating Consistency

This brings us to another principle I preach – consistency in form and practice. Simply put: are you putting into practice what you said you were going to do? In my experience, this is often where a vendor management program falls short, and it is where all of your risks are exposed. To create consistency, you need three things:

  • Adequate resources (internal and external) to support vendor management.
  • A vendor management system to serve as the glue that holds things together, and allows for the standardization of processes.
  • Continued training and education of staff to provide the understanding they need to carry out activities in a compliant, consistent way.

Accountability

The best way to confirm that you are consistent with your processes, and to ensure everyone is being held accountable, is to test controls and procedures on a periodic basis. This can be accomplished by your internal audit team (if you have one) or by an external vendor management specialist that can help you find and fix issues before the auditors even show up.

Are You Ready for Your Regulators?

I’ve often said that if your approach is based on an acceptable vendor management framework and, just as importantly, is consistently applied, you’ve got half the battle won. If it’s ad hoc, there are loose threads to pull and the whole thing unravels.

When there is a problem and you need advice and direction, head to your risk committee, your audit committee and the board, and be ready to show that they “have your back” in the form of escalating issues, terminating contracts (if needed) and generally being there as a guide.

Regulators do not expect perfection, but they do reasonably expect performance and progress. Sometimes that’s easy, but the devil is in the details – do your actions match your words? If so, then you’re on the right path.

7 COMMENTS

  1. Tom, Happy new year!

    Thank you for sharing such an informative article on vendor management programs. I liked the post. Good luck with your next upcoming post, keep posting!

  2. Tom, you are truly a treasure cove of information on Risk Management.
    I’d be blessed to have you as my mentor!
