How we manage our critical vendors has changed over the course of many years, and so
have the roles that used to support it. In the past, many roles such as IT Asset
Analysts, Business Analysts and Project Managers would typically help in
managing vendors and vendor agreements. However, this has changed significantly
as the industry evolved over time and realized a need for specialists who can readily
identify risks a vendor may pose to an organization and manage that
relationship through its full lifecycle. Vendor Managers and Sourcing Managers
operate very closely but in parallel streams, each with a different mandate.
As technology is becoming ever more complex, organizations are now starting to
realize the need for specialists who can manage critical third parties, while
also being a liaison between the business and technology teams. This requires
specialists to have good negotiation skills, the ability to handle competing
priorities and to shift easily between the technical and operational aspects of
business, and a strong knowledge of Risk, Compliance and Governance. Ultimately,
this enables organizations to effectively manage their third-party relationships.

In conversation, Becky Newton, Director of Global Vendor Relationship
Management at Ansys, noted the importance of understanding how the vendor
management function can grow with the organization. Becky mentions that
different organizations have different levels of maturity and regulatory requirements
when it comes to vendor life cycle management.
A vendor management function that incorporates extensive technical
reviews and onsite compliance audits for an organization that is not highly
regulated and has limited understanding of audit and controls may appear to be
overly cumbersome, bringing little value to the overall procurement process. In
those cases, the organization will eventually find another solution to address
vendor management. Knowing the regulatory expectations and where
the organization is in its governance, risk and compliance maturity is crucial
to right-sizing the vendor management function and gaining executive management
support.

As Becky moved forward in her career and joined Arvest Bank, she quickly realized the
importance of Third-Party Risk Management and Vendor Management Life Cycle and
how they play a critical role in the financial services industry. Considerations
of access to customer data and/or systems, the type of data accessed, and the criticality
of the services provided became the building blocks of the Bank’s Third-Party
Risk Management program and spoke directly to the regulatory principles of
keeping the Bank safe and sound. This approach to vendor management requires
specialists to have a key understanding of Vendor Management principles in order
to onboard vendors through a risk-based approach. Additionally, Becky noted that
these same principles were transferable and could be leveraged for vendor
management programs across any industry.

As managing technology vendors is becoming more complex, so are the changes in the
regulatory requirements. This evolving regulatory landscape requires vendor
management specialists to be more aware of those changes than ever before. As an
example, each country mandates its own laws and regulations with regard to the
privacy of data. Further, within the United States the privacy laws and
expectations are vastly different from state to state, and managing
compliance can become complex for any organization operating in countries such
as the United States. The question now becomes: how do we make sure the Vendor
Management process remains up to date and compliant with such complexity? Becky
mentions that understanding the regulatory requirements of the countries your
business is operating or selling in can assist in creating a manageable
approach. She recommended identifying
the countries with the highest threshold or strictest rules and structuring the
vendor management approach to initially comply with those requirements; layering
all the small deviations for other regions will become easier from there.

When it comes to cyber breaches, according to Cybersecurity Ventures, ransomware will
cost organizations close to $265 billion annually by the year 2031
(Source: Cybersecurity Ventures). Cybersecurity
Ventures also indicates that in 2021 ransomware cost
approximately $20 billion, as hackers were able to use sophisticated
technologies to exploit critical and vulnerable systems of organizations. In order
to combat the constant barrage of cyber
attempts, Becky recommends working closely with the Cyber Security
professionals within the organization. Know
your Information/Cyber Security Officer’s risk tolerance and the minimum cyber
controls or implementation paths she/he will accept. She also reminds us that
every organization has business owners who, regardless of the vendor’s identified
control deficiencies, want to continue with the contract. In those instances, she
advocated having a
documented exception process that incorporates cyber security, compliance, and
legal executive leadership.

According to Becky, while regulatory compliance and cyber security are very important, these
are not the only challenges that Vendor Relationship Managers face. Vendor
Managers have to make sure that all vendors within the VRM scope are
assessed carefully for all types of risks associated with the service/product
provided and any associated (4th party) suppliers. It may not be enough
to simply assess the risk and controls of the vendor you wish to engage;
depending on the depth and level of integration between the organization and
its vendor, you may also need to understand the risk and controls of your vendor’s
vendors.

There are many Sourcing and Vendor Management challenges facing organizations today. The
shifting sands of regulatory expectations, the seemingly never-ending cyber-attacks,
and the unrelenting onboarding and contract renewal requests can become
frustrating and overwhelming for even the most experienced vendor management specialists. Perhaps
the hardest of the challenges facing vendor managers today is navigating
through the internal politics of their own organization. Here are key
recommendations provided by Becky to address some of these challenges:
- A one-size-fits-all approach does not work. Tailor your approach with a right-sized program based on your organization’s appetite; do not just push for maturity.
- Know what is expected of the Vendor Management Program and what you are looking to address immediately (e.g., regulatory requirements, spend management, expectations of board/management).
- Focus on the basic requirements with a simplified process first. Do not overcomplicate and/or overengineer the process when it comes to managing critical vendors, processes and risk assessments.
- Full support from management is a must in order to enable an effective program across the enterprise.
- Have annual check-ins with management to assess how the program is doing and propose further progress.

Stay in your lane: the Third-Party Risk/Vendor Management programs should be developed
to empower the business executives, those authorized to accept risk for the
organization, to make informed risk-based decisions regarding vendor selection
and ongoing risk management activities. If you are
establishing your Vendor Management practice now, it is critical to understand
the breadth and impact this community will have with Sourcing, Contract
Management and Legal professions in any organization. Becky acknowledged that
the Vendor Management community is inquisitive, flexible and adaptable.
Managing vendors is changing day by day, and not every day will be the same.
Patience is key here, with strong critical thinking skills required to
understand your key suppliers with vendor risks and criticalities in mind. This
definitely requires individuals with significant knowledge and experience.

If you are looking to get in touch with Becky, here is a link to her LinkedIn profile or
you can email her at becky.newton@ansys.com. We would like to extend our
gratitude to Becky for her time with us to discuss the changes and challenges in
the Vendor Management community.
Image courtesy: Jack Sloop, Unsplash