A story of evolution and challenges with Vendor Management, a critical discussion with Becky Newton, Director of Global Vendor Relationship Management

 



    How we manage our critical vendors has changed over the course of many years, and so have the roles that used to support it. In the past, roles such as IT Asset Analysts, Business Analysts and Project Managers would typically help in managing vendors and vendor agreements. However, this has changed significantly as the industry evolved over time and realized a need for specialists who can readily identify the risks a vendor may pose to an organization and manage that relationship through its full lifecycle. Vendor Managers and Sourcing Managers operate very closely but in parallel streams, each with a different mandate. As technology becomes ever more complex, organizations are starting to realize the need for specialists who can manage critical third parties while also being a liaison between the business and technology teams. This requires specialists to have good negotiation skills, the ability to handle competing priorities and to shift easily between the technical and operational aspects of the business, and a strong knowledge of Risk, Compliance and Governance. Ultimately, this enables organizations to manage their third-party relationships effectively.

    In conversation with Becky Newton, Director of Global Vendor Relationship Management at Ansys, she noted the importance of understanding how the vendor management function can grow with the organization. Becky mentions how different organizations have different levels of maturity and different regulatory requirements when it comes to vendor life cycle management. A vendor management function that incorporates extensive technical reviews and onsite compliance audits, for an organization that is not highly regulated and has limited understanding of audit and controls, may appear overly cumbersome and bring little value to the overall procurement process. In those cases, the organization will eventually find another solution to address vendor management. Knowing the regulatory expectations and where the organization is in its governance, risk and compliance maturity is crucial to right-sizing the vendor management function and gaining executive management support.

    As Becky moved forward in her career and joined Arvest Bank, she quickly realized the importance of Third-Party Risk Management and the Vendor Management Life Cycle and how they play a critical role in the financial services industry. Considerations of access to customer data and/or systems, the type of data accessed, and the criticality of the services provided became the building blocks of the Bank’s Third-Party Risk Management program and spoke directly to the regulatory principles of keeping the Bank safe and sound. This approach to vendor management requires specialists to have a key understanding of Vendor Management principles in order to onboard vendors through a risk-based approach. Additionally, Becky noted these same principles were transferable and could be leveraged for vendor management programs across any industry.

    As managing technology vendors becomes more complex, so do the changes in regulatory requirements. This evolving regulatory landscape requires vendor management specialists to be more aware of those changes than ever before. As an example, each country mandates its own laws and regulations with regard to the privacy of data. Further, within the United States the privacy laws and expectations are vastly different from state to state, and managing compliance can become complex for any organization operating in countries such as the United States. The question now becomes: how do we make sure the Vendor Management process remains up to date and compliant with such complexity? Becky mentions that understanding the regulatory requirements of the countries your business is operating or selling in can assist in creating a manageable approach. She recommended identifying the countries with the highest threshold or stricter rules and structuring the vendor management approach to initially comply with those requirements; layering all the small deviations for other regions will become easier from there.

    When it comes to cyber breaches, according to Cybersecurity Ventures, ransomware will cost organizations close to $265 billion annually by the year 2031 (Source: Cybersecurity Ventures). Cybersecurity Ventures also indicates that in 2021 ransomware cost approximately $20 billion, as hackers were able to use sophisticated technologies to exploit critical and vulnerable systems of organizations. In order to combat the constant barrage of cyber attempts, Becky recommends working closely with the Cyber Security professionals within the organization. Know your Information/Cyber Security Officer’s risk tolerance, the minimum cyber controls or implementation paths she/he will accept. She also reminds us that every organization has business owners who, regardless of the vendor’s identified control deficiencies, want to continue with the contract. In those instances, she advocated having a documented exception process that incorporates cyber security, compliance, and legal executive leadership.

    According to Becky, while regulatory compliance and cyber security are very important, these are not the only challenges that Vendor Relationship Managers face. Vendor Managers have to make sure that all vendors within the VRM scope are assessed carefully for all types of risks associated with the service/product provided and any associated (4th party) suppliers. It may not be enough to simply assess the risk and controls of the vendor you wish to engage; depending on the depth and level of integration between the organization and its vendor, you may also need to understand the risk and controls of your vendor’s vendors.

    There are many Sourcing and Vendor Management challenges facing organizations today. The shifting sand of regulatory expectations, the seemingly never-ending cyber-attacks, and the unrelenting onboarding and contract renewal requests can become frustrating and overwhelming for even the most experienced vendor management specialists. Perhaps the hardest of the challenges facing vendor managers today is navigating the internal politics of their own organization. Here are key recommendations provided by Becky to address some of these challenges:

  •   A one-size-fits-all approach does not work; try to tailor your approach with the right size program based on your organization’s appetite; do not just push for maturity.
  •   Know what is expected of the Vendor Management Program and what you are looking to address immediately (i.e., regulatory requirements, spend management, expectations of board/management etc.).
  •   Focus on the basic requirements with a simplified process first; do not overcomplicate and/or overengineer the process when it comes to managing critical vendors, processes and risk assessments.
  •   Full support from management is a must in order to enable an effective program across the enterprise.
  •   Have annual check-ins with management to assess how we are doing and propose further progress in the program.

    Stay in your lane: the Third-Party Risk/Vendor Management programs should be developed to empower the business executives, those authorized to accept risk for the organization, to make informed risk-based decisions regarding vendor selection and ongoing risk management activities. If you are establishing your Vendor Management practice now, it is critical to understand the breadth and impact this community will have with Sourcing, Contract Management and Legal professions in any organization. Becky acknowledged that the Vendor Management community is inquisitive, flexible and adaptable. Managing vendors is changing day by day, and not every day will be the same. Patience is key here, with strong critical thinking skills required to understand your key suppliers with vendor risks and criticalities in mind. This definitely requires individuals with significant knowledge and experience.

    If you are looking to get in touch with Becky, here is a link to her LinkedIn profile or you can email her at becky.newton@ansys.com. We would like to extend our gratitude to Becky for her time with us to discuss the changes and challenges in the Vendor Management community.


Image courtesy: Jack Sloop, Unsplash
