**From the August 2020 issue of AOTMP® Insights**

Every organization has a vendor management process. Because telecom, mobility, and IT is complicated – and few (if any) companies out there can handle everything the industry throws at their technology team.

But, just because you have a process doesn’t mean everyone affected by it knows it exists. Or has the slightest idea of how it works. Do your employees know how they fit into your current vendor management process? Do they know what steps they’re responsible for? Do they understand how to work within your rules in a way that minimizes risk?

Most modern service provider relationships are extremely broad in scope. For you, that means a partner’s impact likely affects more processes – and people – than you may realize. As today’s technologies extend beyond the traditional boundaries of your IT team, the vendor management process is reaching departments and employees outside of the relationship’s “owners” more frequently than ever before.

Procurement, compliance, legal, security, and more need to be involved in today’s vendor management initiatives. But legacy processes do little to support these increasingly intricate relationships. To keep everyone involved and informed, you need a vendor management policy that’s easy for everyone in your organization to understand and communicate.

Otherwise, you’ll find it challenging to ensure your vendor management standards and rules are carried out correctly. If your people don’t know what’s expected of them, it’s impossible to assume they’re going to follow your rules. Which means consequences that could potentially put your entire organization in harm’s way.

Modernizing Your Vendor Management Process

While you probably have internal security policies in place for your technology, most businesses lack similar standards for governing third-party service providers that – under regulations like the General Data Protection Regulation (GDPR) – hold you accountable for any mistakes they make.

Data breaches, which now cost the average organization almost $4 million, are just one example of a risk that can be eliminated by comprehensive policies positioned to serve as the foundation for your service provider management processes moving forward.

An effective vendor management policy should contain several components to not only protect your organization’s current vulnerabilities, but keep it flexible enough to take on new challenges as the nature of your relationships evolve and grow. It should detail precisely who is responsible for each step of your management process, consider all relevant regulations, identify any essential element or resource involved, outline universal concepts, and determine how all vendor management stakeholders stay informed as things change.

But creating your policy is easier said than done. Fortunately, there are a few best practices you can follow to make this process as easy as possible.

Creating the Perfect Vendor Management Policy

If I haven’t made it clear enough yet, vendor management isn’t any one person’s or team’s responsibility anymore. As a result, your policy needs to be written at a level that everyone in your organization can understand. It’s important that you include input from professionals outside of your vendor management team because months or years down the road the relationship could include people that weren’t initially involved.

The best vendor management policies are the ones that address all organizational needs without being overly wordy or complicated. In our experience, a five- or six-page document that’s updated and approved by everyone annually (or as significant changes demand) seems to be the ideal solution.

So, where do you start? Before anything else, you need to know which risks you’re already dealing with. Your first step should be assembling a list of your current third-party service providers, contractors, and/or associates to determine:

Once you discover the technology partners that meet any/all of these conditions, they should be prioritized in your policy moving forward. These are the vendors you need to spend most of your time learning about, monitoring, and requesting remediation from – because these service providers are the most likely to lead to serious damage should they be compromised in any fashion.

Your policy also needs to include plans for failure. Even with contractual promises and guarantees in place, it’s likely your partners will experience a service failure at some point during your relationship. And you need to be prepared when that failure inevitably impacts you. Make sure your policy contains:

A visual, step-by-step process flow can also be an extremely helpful tool to keep your vendor management team informed of their roles and expectations. Things like flowcharts that consider all parties, functions, and unique vendor requirements make it easy for your employees to understand where they fit into a policy and who is responsible for which tasks.

What Your Vendor Management Policy Needs

Now that you know how to build an effective policy, let’s talk about what things it needs to include. While every organization’s technology partner relationships are unique, there are 10 essential elements your vendor management policy needs to oversee:

  1. Human resources security considerations
  2. Physical and environmental security considerations
  3. Data security and liability considerations
  4. Third-party access control
  5. IT acquisition and maintenance standards
  6. Vendor management visibility (i.e. how they handle their own vendor relationships)
  7. Incident management and response mechanisms
  8. Business continuity/disaster recovery abilities
  9. Industry and regulatory compliance standards
  10. Service level agreements

Putting Your Policy Into Action

If your goal is to minimize business risk, your service provider management policy must define a vendor scoring methodology and communicate the logic behind it to all relationship stakeholders. That way, you can clearly and accurately categorize partners into high-, medium-, and low-risk categories with standardized definitions that everyone involved can understand.

From there, putting a policy into action becomes infinitely easier. You’ll be able to use these risk ratings to benchmark vendor performance against not only others you use, but against performance across the entire industry.

However, service provider assessment is only the first step. And your policy must prioritize continuous risk management to make your priorities known – as well as give your team the ability to monitor and verify any partner’s security posture hasn’t changed to create new risks or vulnerabilities.

To make your policy one that’s supported and respected by all employees, seek the approval of everyone involved before you make it official. If people feel involved and included in its creation, they’re not only more likely to follow your policies but also more likely to offer feedback that gives you continuous refinement and keeps your rules relevant.

Today, technology vendor management is everyone’s job. So, making sure every employee is paying attention and playing a part in your policy means you’re much more likely to prevent problems from ever occurring.

vendor management policy

Subscribe to AOTMP® Insights and receive technology’s most important news every month.