We now live in an outsourced world. The capability (and scalability) that businesses gain by outsourcing business functions and IT infrastructure continues to increase each day. That is why vendor management has become a very important practice among CIOs and risk management teams. But just because you outsource the function does not mean you can outsource the risk. The risk is still on you and your board of directors! Here are three ways to manage your vendors:
1. Risk Assess and Prioritize Your Vendors
Each business has its own risk appetite and its own view of what it is and is not willing to outsource. Begin by recording all your vendors on a spreadsheet and prioritizing them based on their criticality to the organization. Ask yourself, "If that vendor closed its doors tomorrow, how hard would it be to still support our customers today?" This will help you prioritize which vendors you need to know the most about and make sure those vendors can support you for years to come. Here are some other ways to prioritize the risk of your vendors:
- Annual monetary spend
- Access to customer information
- Number of employees impacted
- Age of technologies used
- Uptime percentage
There are many more ways to assess risk, but ultimately it's about taking the first step to identify the criticality of each vendor.
2. Tiered Vendor Documentation Collection
Most organizations use a three- or five-level tiered scale to establish the protocols for vendor management. Once the tiers are defined, create a document collection request list for each tier (the lists waterfall down from one tier to the next), from tier one vendors, which require the most documentation (your outsourced MSP, for example), down to tier five, which requires the fewest documents (the janitorial staff, for example). But just because you hired someone to come through the office twice a month to clean up doesn't mean that individual isn't a high-risk vendor. Why? Depending on what that individual has access to in the office and what they do with the trash at the end of the night, they may still be considered a high-risk vendor because confidential files are being thrown into the dumpster.
3. Automate and Update
Setting up systems to automate vendor management works much like monthly accounting. You can use project management tools like SharePoint or Basecamp, or, if your vendor list is small enough, Google Calendar will work for your needs. You will want to set up a few reminders:
- Contract expiration dates
- Annual vendor check-in (including document request lists)
- Reporting findings to management (quarterly)
We like to batch vendor reviews when possible and report our updates to the management teams at least quarterly. While some have monthly reminders and others only do it annually, the main thing is to have a plan and follow it! Pro tip: if your vendor directory or files also give you a way to track issues you've run into with your vendors during normal operations, showing those issues to the vendor at renewal time may lend itself to a better deal next time. It will at least get you the negotiating high ground. It works!
Vendor management is going to be easier for some than others, but ultimately it's about getting started by building a prioritized list based on risk. Then, you'll have control and awareness over your ever-increasing outsourced vendor environment.