In the first half of 2023, 28.9% of all claims related to ransomware incidents involved an attack on a third-party vendor. This shift in focus by cybercriminals highlights the criticality of managing vendors and third-parties effectively.
Vendor management is often the result of limited visibility and ineffective controls that prevent you from staying ahead of the relationship.
This combination leads easily to increased risk, potential non-compliance, and penalties that can disrupt your business.
In this article, we'll explore how you can better manage your vendors throughout 2024 by exploring:
What vendor management is
How mature your current vendor management processes are
Examples of vendor management in regulated industries
Five vendor management processes you should focus on
How Gatekeeper customers improve their vendor management
What is vendor management?
Vendor management done well is a repeatable, effective method for developing and monitoring third-party providers of goods and services. It allows businesses to derive as much value as possible from contracts, get the most from renewals and build mutually beneficial, long-term relationships.
In this article, we're going to take you through five key areas of vendor lifecycle management, offering practical advice. You can also download our comprehensive guide that provides actionable checklists for your business.
How mature are your vendor management processes?
A business’s vendor relationship management (VRM) approach is generally looked at in terms of maturity.
A company with an immature approach to VRM would be characterised by:
- No central record or VRM solution to store all data
- No defined contract lifecycle management system
- No defined way of managing vendor relationships
- Lack of awareness or management of risks
- No awareness of vendor performance, spend or obligation fulfillment
- Manual approach to vendor onboarding
Companies at the opposite end of the scale of vendor relationship management strategies are characterised by:
- Clear documented processes at all stages of the contract and vendor lifecycle
- Quick identification, mitigation and resolution of vendor risks
- Automated vendor onboarding and data-delegation
- RAG statuses and risk-intelligence feeds used to monitor vendors
- Clear and honest communication and positive relationships with vendors
- The use of vendor scorecards to monitor performance
- Ability to capture spend and analyse costs across all vendors
The diagram below shows the path to maturity in vendor relationship management.
Take a moment to identify where you think your business sits on it.
Wherever you identify your organisation being along this continuum, there are likely to be improvements you can make.
Making these improvements generally depends on the use of Vendor and Contract Lifecycle Management (VCLM) software which allows your business to automate and standardise its processes.
Examples of vendor management processes in regulated industries
Finance Industry
- Risk Management: Financial institutions often assess vendor risk in terms of financial stability, cybersecurity, and compliance with regulations like GDPR or SOX.
- Due Diligence and Ongoing Monitoring: Continuous assessment of the vendor's performance, adherence to service level agreements (SLAs), and regular financial audits.
- Data Security and Privacy: Ensuring vendors comply with data protection laws and standards, such as PCI DSS for payment processing.
- Contract Management: Detailed contracts with clear terms, including penalties for non-compliance and clauses for dispute resolution.
- Regulatory Compliance: Ensuring vendors are compliant with financial regulations like Dodd-Frank, Basel III, or MiFID II.
Healthcare Industry
- HIPAA Compliance: Ensuring all vendors handling patient data comply with HIPAA regulations to safeguard patient privacy.
- Quality Assurance: Implementing standards like ISO 13485 for medical devices, ensuring vendors meet these quality benchmarks.
- Vendor Credentialing: Thorough vetting of vendors for qualifications, experience, and reputation in the healthcare sector.
- Supply Chain Transparency: Maintaining transparency in the supply chain to ensure the authenticity and safety of medical products.
- Emergency and Risk Planning: Developing contingency plans for critical supply chain disruptions.
Pharmaceutical Industry
- GMP Compliance: Ensuring vendors comply with Good Manufacturing Practices (GMP) for drug production and distribution.
- Regulatory Compliance: Adherence to regulations by bodies like the FDA (U.S.) or EMA (Europe) for drug safety and efficacy.
- Supply Chain Integrity: Ensuring the integrity of the supply chain to prevent counterfeit drugs.
- Auditing and Quality Control: Regular audits of vendor facilities and processes for quality assurance.
- Ethical Sourcing: Ensuring raw materials and products are sourced ethically and sustainably.
How to manage vendors: five areas to focus on
The Institute for Supply Management (ISM) has identified five categories of vendor management activity that should be measured and managed to achieve a level of excellence.
Let’s explore each one and see how this can help to manage vendors more effectively.
1. Spend Visibility
Information about the amount of money spent with each vendor on an annual basis is one key indicator of his importance to your business.
Data needs to be collected from all types of financial transactions, summarised and then classified in a way that makes sense to you, and from which you can draw conclusions to help identify your key suppliers.
Surprising results often come from interrogating and analysing controllable third-party spend.
You might find suppliers that you have limited awareness of are receiving more significant sums of money than other higher-profile ones.
If your business is struggling to capture this information or has the data buried away in Excel spreadsheets, it may be time to invest in vendor management software.
Using a dedicated solution can help you to visualise your spend data across vendors, analyse detailed reports, compare forecasted to actual spend and take greater control of your business’s outgoings.
The Gatekeeper Spend Dashboard
If your business is slightly further along the maturity scale and already using programs such as NetSuite to record spend-related data, it can still benefit from using VLM software. Gatekeeper offers a ‘Built For NetSuite’ SuiteApp - a native integration that allows you to see vendor spend data without ever having to leave NetSuite.
This level of visibility makes it easier for Finance teams to find the information they need, without needing to learn a new system. The integration eliminates the potential for double entries, human error and makes vendor spend information accessible within a platform that users are already familiar with.
2. Vendor Segmentation
There is no one perfect way to segment vendors, choose a method that works for you. The key to this exercise is centralising your data into a spreadsheet or ideally, a dedicated vendor management solution. The latter will provide a secure repository that houses all vendor agreements and additional information.
Having all your vendor information in one place will allow you to create accurate segments more efficiently. Managing vendors doesn’t need to involve high levels of administration such as searching for agreements or chasing colleagues to understand a vendor's strategic importance.
Many companies allocate their vendors into three groups by type:
- Strategic (key) vendors: High value, low volume and sole-source.
- Important vendors: Mid-value, there are alternative sources of supply
- Tactical vendors: Low value, high volume, lots of options
Once you have allocated third parties into these groups, you can start to focus on vendor relationship management.
Naturally, your business may want to dedicate more time to strategic vendors to ensure your business continues to operate with little disruption."
Tactical vendors can be checked in on every so often - depending on the level of resources available in your team.
If your business is at the low end of vendor management maturity, it may take some time to gather all the information you need before you start to define your categories.
It’s often easiest to start with a simple method of vendor categorisation by type to guide your activities. This will help you to prioritise your time and focus when managing vendors.
See vendors by Type in Gatekeeper to prioritise your time and effort.
3. Collaboration
Many organisations have a problem with working openly with vendors thinking that sharing operational and financial information leaves them in a weaker negotiating position. The opposite may be the case.
Sharing of new technologies and innovative ideas can lead to added value and cost savings for both parties. Strengthening existing relationships is one of the best ways to manage vendors and it helps to establish trust.
By keeping lines of communication and collaboration open, all involved parties can have confidence that they are working together to achieve the best possible outcomes.
Best practice is to develop relationships at many levels, both corporate and operational, ensuring overall visibility into the supplier’s wider organisation."
Collaboration can sometimes be hard to measure. However, it can be inferred from the number of vendor reviews you complete, weekly phone calls or even how many times you have messaged your vendors.
Don't forget that collaboration also goes beyond communicating. When your business starts thinking about how to manage vendors, it should also consider how easy it makes life for them. Think about areas such as vendor onboarding, data collection and automating processes such as performance reviews.
Implementing a Vendor Portal can take your business and its relationships with third parties to the next level of maturity. You can deploy a branded portal to your third parties to offer a personalised and centralised area where they can be onboarded automatically, update their information via self-serve and use Public Forms to submit mandatory data.
4. Vendor Management KPIs
Where there is poor or no focus on managing performance, all actions are reactive and unlikely to help improve delivery. If there are no agreed measures in place and no way of tracking what went well or what failed (and why), the chance of improvement is low and you will find it difficult to improve the way you manage your vendors.
Best practice is to define, agree and implement Vendor KPIs which provide measurements based on actual historical performance."
These KPIs can form part of a Vendor Scorecard covering areas key to the value delivered by your third parties. The Key Performance Indicators you should focus on include:
- Vendor compliance with contractual obligations, recorded at regular reviews
- User satisfaction, as measured by surveys of key relationship personnel
- Business risk based on vendor criticality and market/regulation changes
- Obligation fulfilment such as deliveries, quantities and quality of goods
Balanced Scorecards from Gatekeeper help you to measure, analyse and collect the performance data you need. By tracking vendor performance against a set of KPIs, your business will gain insights into whether outcomes are likely to be achieved. It gives you leverage to act early if performance is not as expected and improves the relationship.
Measurement and reporting of KPIs should also:
- Be tracked period-on-period
- Highlight repeated occurrences of the same performance issues over time
- Contain a threshold for triggering an assessment of chronic underperformance in any particular measurement area
- Help develop an approach for improving a relationship that is under stress
- Include measures that report the direct and indirect implications of supplier performance on the business
There should also be periodic reviews of the relevance of each KPI, its measurement approach and its target values to ensure it’s still relevant.Process improvements can only happen if evaluation reports are made available to both parties. Mature organisations publish scorecards and conduct formal performance reviews with suppliers at pre-defined intervals to promote best practices and enhance relationships.
At mature levels, the focus is on alignment and improving communication channels.
5. Vendor Risk Management
Best practice in vendor risk management is defined by continually monitoring and having contingency plans for each risk area.
There are many ways of categorising vendor risk depending on the industry you are in and, in most cases, the stakes are high for ignoring it.
For example, high on the agenda in financial services are risks related to cyber security breaches, bribery and corruption, and exchange rate volatility.
69% of enterprise companies spend 1,000 or more annually managing risk, but two in five lack proper staff and resources to thoroughly screen third parties and vendors in a timely manner."
Conversely, in manufacturing, supplier fraud, logistics costs, product theft and environmental issues may be most important. All companies have financial, technology, security, contract and reputational risks.
One hopes that there is at least a rudimentary risk management plan in place in all organisations. At the very least, you should be aware of the risks that are of relevance to you, especially those that are based on availability and price. Mature organisations apply weight factors to each type of risk and develop contingency plans.
In addition, consider the advice of John Brown, a risk expert at Deloitte.
“The big question is the frequency and level of assessments”.
Brown says it’s a leading practice to assess riskier suppliers more frequently than those considered less risky. He adds that any time there’s a need to increase business from a supply-chain partner, or if a partner experiences a problem, it’s a good idea to reassess the risks of that supplier.
The best risk plans define all possible scenarios and provide one or more solutions or mitigation strategies for each. The plan must be constantly monitored for any changes in the external environment and adapted as required. Any sole-source contract should have a plan B in place that can be activated with immediate effect.
Gatekeeper helps businesses to monitor their risk with the Market IQ Suite. It offers integrated risk intelligence feeds relating to vendors’ financial and cyber health. Your business can receive notifications on potential risks such as changes in credit score, allowing stakeholders to take early action and make informed decisions about the future of the relationship.
Vendor Management Case Study: How Gatekeeper helps its customers
Funding Circle improved their vendor management significantly by implementing Gatekeeper.
Prior to using Gatekeeper, they faced challenges in tracking vendor due diligence and compliance, poor visibility and control of contract commitments, and issues with missed renewal deadlines.
Gatekeeper provided a centralised repository for vendor and contract records, which enhanced organisation and governance. It also offered automated workflows for supplier due diligence, improving the tracking and response rates from suppliers.
As a result of these improvements, Funding Circle achieved better control and visibility of spend, leading to cost savings of around £1 million by terminating contracts that were no longer required.
If you want to know more about how to manage your vendors, book a Gatekeeper demo today.