Virtually every organization uses vendors, for everything from mission-critical support to commoditized tasks. Not every organization successfully leverages vendors to maximize business value; in fact, organizations often fail to get their money’s worth out of contracted services. We interviewed several organizations recently about vendor management practices; feedback included responses like “I don’t know why we still use them,” “I’m not sure our information is secure with them,” and “they don’t do what we need them to do.” These responses reveal real issues with managing vendors.
We will narrow the Vendor Management topic scope to just vendors supplying important or critical services, although a significant part of this blog can be applied to other types of vendors or suppliers offering a wide range of services. Managing vendors is as much Art as it is Mechanics. Art is the ability to drive real business value from vendors, and Mechanics is the rigor of vendor management; both should address risk management, costs, and quality.
The Art of Vendor Management
Art centers on relationships: understanding the needs of all parties, then leveraging them to create value. You need to genuinely connect with critical vendors through a relationship centered on communications, commitments, and transparency. The following points illustrate ideal ways to create meaningful relationships benefiting all parties:
- Relationships: create a true bidirectional relationship with a forum for all parties to communicate openly and transparently. This is especially important when services or delivery are degraded, because open communications enable both parties to address issues promptly. Consider activities to reduce adversarial conflicts. Build relationships through multimodal communications, in-person interaction, and, when warranted, team-building activities (coffee and happy hour count).
- Expectations: both parties need to set clear (documented) expectations. You need to go beyond the boundary of traditional contractual elements. Set the expectations for cultural and local variables impacting vendor services and offerings and include your goals in contracts and agreements. Ensure your vendors clearly understand your business needs, especially as needs evolve due to business changes; include vendors early in organization and operational changes.
- Leadership: take charge of vendor relationships. Identify what is working and what needs improvement, then solve the problems you find. Do not wait for review periods or formal processes. Pick up the phone and talk with your vendor to strengthen your relationship. Teach others in your organization how to create and improve vendor relationships.
- Accountability: both parties in the contractual relationship should hold each other accountable. Periodic reviews should include standard metrics measuring the contract deliverables and evaluating the relationship. Consider holding your vendors to the same standards as your staff; vendors might have direct access to your critical data, so manage them accordingly. Do not stop at the review; create methods to improve relationships during the engagement lifecycle. There is such a thing as a bad customer; don’t fall into the trap of believing the relationship is one-directional.
Vendor relationships will vary based on the situation. For example, if you have a critical service like a Managed Service Provider (MSP), you must ensure alignment with your goals through frequent service reviews and open communication. If you have a critical service provided by a large-scale Software as a Service (SaaS) provider, you need to have open communications with your account manager. Consider joining user and client groups and participating in beta testing new releases.
The Mechanics of Vendor Management
The Mechanics apply to all vendors, and it is crucial to apply rigor in vendor management based on business value and risk. Multiple SaaS solutions support vendor management; however, you still need a process to ensure proper management. I recommend the following key elements in your program; elaborate on them to adapt the program to your needs.
Formal Selection Process
Create a two-step program aligned with your business requirements; avoid overly rigorous programs that frustrate users and often lead them to bypass best practices.
- Categorize All Vendors: a simple yet effective vendor rating system includes 4 levels: Critical, High, Medium, and Low. Critical and High ratings relate to mission support, data, and cybersecurity requirements. Most of the initial and ongoing management is focused on the highest ratings, and this level often includes SaaS providers, technical and cybersecurity providers, and professional services. Rate all vendors, even ones considered Low.
- Formal Evaluations: complete formal, documented evaluations for all Critical and High vendors. Review the contracts carefully and validate your goals and budget requirements. Complete due diligence by reviewing their cybersecurity program, ensuring alignment with your risk and compliance requirements. Evaluate their contingency planning and validate its alignment with your expectations and requirements for service restoration. Annually re-evaluate critical vendors to ensure alignment and that service metrics are met. Manage this through a spreadsheet checklist or SaaS.
How to Get Started
The steps below oversimplify what you need to do to manage your vendors effectively; however, they will give you an idea of the process.
- Create a Formal Program: complete with policy, procedures, and a method to track vendors. Align it with your business requirements and risk level.
- Inventory: identify and track all vendors and suppliers; this can be an arduous process exacerbated by cloud and SaaS providers. Many vendors or suppliers will be rated Low; these should still be identified and tracked, but you will not need to perform in-depth due diligence on them. You may need to check with accounting to run a list of all IT-related expenses and check with department leaders to find hidden or additional vendors and solutions. You may be surprised by the overlap of services among different service providers and by how much company data (even critical data) is outside your control. Track all vendor services, the data, who uses the vendors, and vendor relationship managers; use spreadsheets or SaaS to track.
- Conduct Vendor Evaluations: classify all vendors, then evaluate all critical and high-level vendors. You may be surprised at what you find; often existing vendors do not achieve your cybersecurity requirements or contingency plan expectations.
- Incorporate Vendor Management: managing vendors should be incorporated into standard business practices. You will achieve success when your program supports your business activities through streamlined processes aligning with other organizational activities.
When you master the Art and Mechanics of Vendor Management, you will achieve clarity, consistency, and real business value from your vendors. This is a long, never-ending process, as each vendor is unique. As with other programs, do not attempt to accomplish this alone. Reach out to ISOutsource if you have any questions.