How to Design a Vendor Management Process

Whether you’re a small business or a global enterprise, outsourcing business functions to third-party vendors has become essential to your business operations over the last decade or so. Vendors are used in nearly every business process. They provide tech support, back-office and e-commerce platforms, networked and cloud-based applications and networks (IaaS, SaaS, PaaS, etc.), CRM systems and other essential processes. It’s very common for companies to collaborate with vendors and agencies on sales, traditional marketing, and website, social media and digital marketing initiatives.

All this outsourcing makes good business sense because it can save money while increasing productivity and profitability. But these business benefits are not without risk. Dependence on vendors also increases your company’s susceptibility to threats. Having a good vendor management process helps identify, manage and mitigate risks associated with your business’s dependence on third-party vendors.

Work With More Than the Procurement Organization for Vendor Management

In this article, we will walk you through the critical steps you need to take to manage your vendors efficiently. And to be honest, managing your vendors can be easier said than done. Many companies make vendor management a function of their procurement and/or legal organizations. However, procurement and legal manage contracts and agreements; they do not manage the day-to-day business operations and IT policies. It’s important for every organization that engages with a vendor to contribute to and review the terms and conditions in vendor agreements. These organizations should also be engaged when designing vendor management processes.

Consistently Reassess Your Vendor Processes

Network and system environments, architectures and solutions continuously evolve, so it’s a good idea to periodically assess your company’s vendor processes. Before implementing a vendor management process, you should define the current and expected business requirements, organizations impacted, areas of risk within the vendor relationship life cycle and the types of vendors that need to be managed. After an overview of the vendor environment is established, audit current solutions to identify how well current processes are working. Look for opportunities to streamline existing processes and strengthen relationships with vendors by:

  • Sharing information and priorities with vendors regularly and frequently.
  • Ensuring vendors know and understand their contacts for contracts, technical support, product management, etc., including who the administrators and key security contacts are. For example, Google recently announced that the popular G Suite email and productivity platform was adding a “confidential” mode, an important security update, and making it the default for all users. Does your organization want or need these features? What are its implications or uses? These are important questions that should come up as part of your regular vendor management review.
  • Setting expectations for competitive bidding processes.
  • Understanding your vendor’s business and how to partner for the long term.
  • Negotiating agreements based on value to your business, not just price.
  • Providing training on your company’s priorities and security environment.

Protect Your Business by Managing Risks Associated With Vendors

Risk management is one of the most important things to consider when engaging with third-party vendors. Your business should receive secure support and services while maintaining control, ensuring industry compliance and creating audit trails. At the very minimum, you must have a vendor risk management solution that authenticates, audits and controls access by third-party vendors. Be sure to review workflows and user interfaces; usability is essential for encouraging compliance with your processes.

Investing in vendor risk management tools and other vendor management processes provides protection in an ever-changing technology and business environment. With the right process, you can increase efficiency, reduce costs and improve service while mitigating your risks.

Tony Howlett


Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin.
