Vendor Management Process/ Third Party Risk Management

This paper does not attempt to define or discuss Vendor Management or Third-Party Risk Management.

The objective of writing this paper is to bring out the fact that Vendor/ Third Party Risk Management is not only an important task in a Resilient Organisation but also mammoth too!

Our supply chains have grown long, deep, and complex. Our dependency on third parties has increased due to multiple reasons e.g. cost effectiveness, technological advancements and dependencies, automation in product and services development and delivery, specialization in process, product, technology, etc.

Some organisations have hundreds and thousands of suppliers.

The following section describes the type and amount of data that needs to be collected from and about vendors.

S. No.

Vendor Data

1. Basic Vendor Information:

• Vendor name

• Vendor type

• Legal business name

Contact information (primary) –

• Address

• Phone

• email

Contact information (primary) –

• Address

• Phone

• email

2. Financial Data:

• Payment terms and conditions

• Billing and payment history

• Pricing details and rate cards

• Creditworthiness and financial stability

• Tax identification numbers

3. Contractual and Legal Data:

• Contracts and agreements

• Terms and conditions

• Legal documentation (licenses, permits, certifications)

• Non-disclosure agreements

4. Performance Metrics:

• Delivery times and reliability

• Quality of goods or services

• Defect rates and returns

• Repeat offenders

• Compliance with specifications

5. Inventory and Stock Data:

• Inventory levels and stock availability

• Lead times for restocking

• Forecasted demand and supply

6. Risk Management:

• Risk assessment and mitigation plans

• Business continuity plans

• Supplier sustainability and ethical practices

• Other plans like Incident Management, Crisis Management, IT Disaster Recovery, Information/ Cybersecurity, etc.

7. Compliance and Regulatory Data:

• Regulatory compliance (industry standards, government regulations)

• Environmental and safety certifications

• Product labeling and documentation requirements

• Other management systems Operational Resilience

8. Communication and Interaction Data:

• Communication history (emails, calls, meetings)

• Issue resolution and escalations

• Feedback and complaints

• Improvements based on feedback and complaints

9. Vendor Relationships:

• Relationship history and engagement

• Account management and points of contact

10. Market Intelligence:

• Market trends and competition analysis

• New product or service offerings

11. Geographic and Demographic Data:

• Vendor location(s)

• Geographic reach and distribution capabilities

12. Intellectual Property and Proprietary Information:

• Protection of sensitive data and intellectual property

• IP ownership and licensing agreements

• Papers/ articles/ copyrights/ patents developed/ achieved

13. Performance Benchmarks:

• Vendor performance against industry benchmarks

• Key performance indicators (KPIs) comparison

14. Sustainability and Corporate Social Responsibility:

• Environmental impact and sustainability initiatives

• CSR practices and compliance

• Money spent v/s achievements

15. Innovation and R&D Collaboration:

• Collaborative innovation projects

• Joint research and development initiatives

• CoEs (centers of excellence) established

16. Analytics and Reporting:

• Data analysis on vendor performance

• ustom reports and dashboards for decision-making

17. Emerging Technologies and Trends:

• Adoption of emerging technologies (e.g., blockchain, AI) by vendors

18. Contractual Compliance:

• Monitoring adherence to contractual terms and SLAs

19. Employee and Resource Allocation:

• Key personnel and resources dedicated to vendor management

20. Change Management:

• Vendor-related organizational changes (mergers, acquisitions)

• Total number v/s successfully implemented changes

• Improvements based on changes (effectiveness check)

21. Data Security and Privacy:

• Data protection measures for sensitive vendor data

• Information security assessments and certifications

• Training and awareness interventions, budgets, etc.

22. Regulatory Compliance:

• Adherence to industry-specific regulations and standards

• Compliance with data protection and privacy laws

23. Health and Safety:

• Compliance with health and safety regulations

• Occupational safety practices for vendor employees

24. Environmental Impact and Sustainability:

• Carbon footprint and emissions data

• Sustainable sourcing and production practices

• Commitment to UN SDGs

25. Customer Delight:

• Customer satisfaction surveys related to vendor performance

• Alignment of vendor services/products with customer needs

• NPS

26. Employee Satisfaction:

• Treatment of vendor employees

• Work conditions and fair labor practices

• NPS

27. Ethical Business Practices:

• Business ethics and transparency

• Anti-corruption measures and policies

28. Innovation and Continuous Improvement:

• Vendor contributions to innovation and product/service enhancement

• Continuous improvement initiatives

29. Crisis Management and Business Continuity:

• Vendor's crisis response and business continuity plans

• Redundancy and backup strategies for critical supplies/services

• Link with Risk Management (6) above

30. Other Management Systems

• Preparedness/ plans for Quality, Information, Cybersecurity, Environment, Energy, etc.

• Link with Risk Management (6) above

31. Digital Transformation:

• Vendor's digital capabilities and technological integration

32. Social Responsibility:

• Community Involvement and Social Impact Initiatives

33. Accessibility and Inclusion:

• Accessibility considerations for products/services

• Inclusive practices for diverse customer bases

34. Product Quality and Safety:

• Quality control measures and product safety certifications

35. Training and Development:

• Training programs for vendor employees

• Professional development opportunities

• Competency needle movement

36. Intellectual Property Protection:

• Protection of proprietary information and IP rights

37. Corporate Governance:

• Vendor's governance structure and practices

38. Dispute Resolution:

• Mechanisms for resolving conflicts and disputes

39. Political and Social Stability:

• Assessment of potential political and social risks in vendor's operating regions

40. Energy Efficiency:

• Energy consumption and efficiency initiatives

41. Waste Management:

• Waste reduction and recycling practices

42. Lawsuits and Legal Issues:

• Past or ongoing legal disputes involving the vendor

• Penalties – number and amounts

43. Insurance Coverage:

• Vendor's insurance coverage and liability – types (including business interruption, cybersecurity, ransomware) and amounts

44. Economic Viability:

• Vendor's financial stability and solvency

45. In-country or Local Regulations:

• Compliance with regulations specific to the vendor's operating country/region

46. Supply Chain Visibility:

• Transparency into upstream and downstream supply chain partners

• Existence of up-to-date supply chain maps

47. Vendor Reputation and Brand Image:

• Public perception and reputation of the vendor

48. Materiality Assessment:

• Identification of material aspects

• Quantitative and qualitative evaluation

• Risk and opportunity analysis

• Stakeholder perspective

• Scalability and feasibility

• Ranking and prioritization

• Continuous review and adjustment

49. Supply Chain Data (vendor’s vendors):

• Tiered supplier relationships

• Supply chain disruptions and risk assessment

• Almost all of the above (1-48) will be applicable/ repeatable

I propose a new post of the Chief Vendor Data Manager to collect, manage, analyse, and use such a huge amount of data. He/ she will have close association with the Third Party Risk Management (TPRM), Vendor Onboarding, and Vendor Management processes. Managing the comprehensive Vendor Data would require a skilled and knowledgeable professional who possesses a combination of strategic, analytical, and organizational skills.

Here is a possible and detailed JD (job description for this person):

Title: Chief Vendor Data Manager

Role Overview: The Chief Vendor Data Manager is responsible for overseeing and optimizing the entire Vendor Data Management process for the organization's key vendors. This role involves collecting, analyzing, and managing data across various aspects of vendor relationships to ensure compliance, quality, efficiency, and sustainability. The Chief Vendor Data Manager collaborates with cross-functional teams, vendors, and stakeholders to drive strategic vendor management initiatives.

Qualifications and Skills:

• Educational Background: A bachelor's or master's degree in business administration, supply chain management, procurement, or a related field. Advanced degrees or certifications in vendor management or data analytics could be beneficial.

• Experience: Minimum 10 years of experience in vendor management, supply chain management, procurement, or a related field, with a track record of successfully managing complex vendor relationships and data-driven initiatives.

• Analytical Skills: Strong analytical abilities to interpret data, identify trends, and extract meaningful insights to drive decision-making and strategic initiatives.

• Communication and Collaboration: Excellent communication and interpersonal skills to effectively interact with internal teams, vendors, and stakeholders. Collaboration is essential to align vendor data management with organizational goals.

• Project Management: Proficiency in project management methodologies to oversee the entire data management process, from data collection to analysis and reporting. A relevant certification will be advantageous.

• Regulatory and Compliance Knowledge: Understanding of industry-specific regulations, compliance standards, and best practices related to vendor management and data privacy.

• Technical Proficiency: Familiarity with data management tools, analytics software, and technology solutions used for data collection, analysis, and reporting.

• Negotiation Skills: Ability to negotiate contracts, terms, and conditions with vendors to ensure mutual benefit and compliance.

• Strategic Thinking: A strategic mindset to align vendor data management with the organization's objectives and long-term goals.

• Attention to Detail: Meticulous attention to detail to ensure accurate data collection, analysis, and reporting.

• Ethical and Transparent: Commitment to ethical business practices and transparency in vendor interactions.

• Leadership and Influencing: Leadership skills to guide cross-functional teams and influence stakeholders in adopting data-driven vendor management strategies.

Responsibilities:

• Develop and implement a comprehensive Vendor Data Management strategy aligned with the organization's goals and values.

• Collect, monitor, and analyze data across the 49 data points outlined in the case study.

• Conduct materiality assessments to prioritize data collection and analysis efforts.

• Collaborate with vendors to ensure compliance, quality, and sustainability in vendor relationships.

• Regularly review and update vendor contracts, terms, and conditions based on data insights.

• Provide data-driven insights and recommendations to senior management for informed decision-making.

• Drive continual improvement initiatives to enhance vendor relationships and operational efficiency.

• Oversee crisis management and business continuity plans in collaboration with vendors.

• Monitor market trends, emerging technologies, and regulatory changes that impact vendor management.

• Build and maintain strong relationships with key vendors and stakeholders.

• Ensure data security and privacy compliance throughout the vendor data management process.

Application process: Please submit an updated CV with a case written of your own depicting as many as possible skills out of those mentioned above – what and how did you do in Vendor Data Management. The case will be given weightage over the CV and will also form the main part of pre-employment discussions.

The rest of the paper focuses on one of the most important tasks in Vendor Management i.e. NDAs – non-disclosure agreements (and you may like to include this skill in the JD above).

One of the first tests to enhance the Resiliency of your vendor Program is to ensure that the NDAs with all (or at least the key vendors) are up-to-date.

The big question is how this Chief Vendor Data Manager can be sure that the vendor is in compliance with NDA. This can be a big challenge as there is no Thermometer to gauge this and the assessment is based on trust and monitoring.

I add another challenge to this non-disclosure – the most (and easily) we think is about data (leakage or theft), but there is a lot of non-data information that the vendors have access to while they are providing services to you. The bigger or more critical a vendor is the more they have access to your information (data and non-data) and the bigger is the risk! While NDAs are common and standard for all vendors! NDAs do mention the non-data information e.g. proprietary processes, intellectual property, trade secrets, and other forms of confidential information beyond just data, but these mostly get transferred to systems (data). The portion that remains in the human brain is a big risk.

There are multiple defense mechanisms with respect to NDAs with vendors:

1. Initial (signing the NDA itself) - this is the first wall and is non-negotiable.

2. Preventive - training & awareness (at both sides), audits, reviews etc will fall in this.

3. Detective – the most difficult one where the intention is to catch a possible breach or a breach that has taken place. I will write a little more about this.

4. Corrective - legal course, penalties, etc. will fall in this category.

NDA compliance can be ensured through the following:

Physical Audits: All securities start with Physical Security. Conduct physical audits or inspections of the vendor's facilities or operations to detect any unauthorized access or handling of confidential information. Look for any signs of tampering or misuse.

Access Controls: Check that the vendors have implemented access controls and security measures for all assets. This can include surveillance cameras, secure storage, restricted access areas, role based access to information/ data, least privilege access, maker-checker, and other information/ cybersecurity related good practices.

Visitor Logs: Check that the vendors maintain visitor logs for vendor sites. Analyze these logs to identify any unapproved access to confidential information by external parties.

Document Tracking: Check that the vendors use tracking mechanisms like barcodes or RFID tags on physical documents and assets covered by the NDA. Regularly audit the location and use of these assets.

Recruitment, onboarding of employees: Check that the vendors have good recruitment (including BGC – background check) and onboarding processes for their employees.

Intellectual Property Audits: Check that the vendors have intellectual property management processes. Periodically assess these processes and inventory to verify that your confidential information is appropriately safeguarded.

Interviews and Questioning: Check that the vendors have an efficient exit process. As part of exit interviews or vendor assessments, ask specific questions related to confidential information covered by the NDA. Employees leaving the vendor may provide insights into potential breaches.

Whistle Blowing: Check that the vendors’ employees can use your while blower arrangements to provide certain intelligence.

Behavioral Indicators: Monitor vendor employees' behavior and any changes that might suggest potential breaches of confidential information, such as unusual interest or attempts to access proprietary processes.

Supplier Audits: All the above could be covered through or under these audits.

Most of the above measures are Detective in nature. Adapt these measures to the specific type of confidential information covered by your NDA agreements and work closely with legal counsel to ensure compliance with the terms of your NDAs and applicable laws (as these are detective in nature).

The vendor may have to tweak its exit process to let the clients be in the interview or have access to that information. Also, to remind leaving employees of the continued applicability of the NDA (this is rarely done in any organization currently).

You may have to tweak your whistle blower process to allow vendors’ employees to use it.

Conclusion:

In conclusion, effective Vendor and Third-Party Risk Management is an indispensable component of a Resilient Organization. The paper underscores the vast and intricate landscape of vendor relationships, emphasizing that managing vendor data is an increasingly complex task, encompassing both data and non-data confidential information. It introduces the pivotal role of a Chief Vendor Data Manager and outlines a comprehensive job description to address this mammoth responsibility.

NDAs, which play a critical role in safeguarding confidential information, are a cornerstone of vendor management. However, ensuring NDA compliance goes beyond mere paperwork; it necessitates a multifaceted approach that encompasses preventive, detective, and corrective measures. The detective category, as discussed, presents an array of strategies to identify potential breaches or risks, not only pertaining to data but also to the non-data elements that often reside in the minds of vendor employees.

By combining these measures, organizations can enhance their resilience and foster robust partnerships with vendors. The synergy of trust, monitoring, and the strategic insights provided by a dedicated Chief Vendor Data Manager forms a powerful defense against the ever-evolving challenges of third-party risk. In an era where vendor relationships are pivotal to business success, these efforts are paramount to secure, protect, and thrive in an environment of growing complexities and dependencies.