Vendors supply goods and services to an organization, whether as suppliers or as
sellers. Smartsheet defines a vendor as:
a. A seller in the supply chain of a specific piece of equipment that a
company needs. For example, an aircraft manufacturer might employ a company
that makes ball bearings as a vendor.
b. An individual who sells his or her services to a company (for a one-time
or ongoing need). For example, a copywriter might contract with an advertising
agency to write copy for website pages for a fixed amount of money as a one-time project.
c. Anyone who provides a good or service to an organization. This can be
those who provide office supplies, legal services, employee benefits, consulting,
and any number of other hard or soft goods or services.
Vendor management is the process by which an organization controls vendor selection,
negotiates contracts, manages costs, relationships and assigned work, reduces
vendor-related risk and ensures that the contracted service is actually delivered. A
typical vendor management process looks like:
a. Vendor Selection
b. Contract Negotiation
c. Vendor On-boarding
d. Vendor Performance Monitoring
e. Risk Monitoring and Management
Vendor management matters because it is the mechanism for selecting the right vendor
for a specific organizational need. Organizations use vendor management both to
realize cost savings and to put in place the procedures that mitigate the risks a
vendor introduces.
VENDOR RISK MANAGEMENT
According to Gartner, Vendor Risk Management (VRM) is the process of ensuring that
service providers and IT suppliers do not have a negative impact on business
performance. VRM reduces risk by evaluating vendors before a contract is signed, and
by identifying the risks an organization takes on when it grants a vendor access to
its sensitive data.
Vendor Risk Management improves an organization’s security posture in various ways.
Some of these include:
a. Evaluating a third-party vendor by identifying, and requiring the vendor to
address, any vulnerabilities present in its networks.
b. Measuring and prioritizing risk accurately, so that the vulnerabilities found
during the risk assessment can be ranked. Vulnerabilities should be ranked by the
overall risk they pose to the organization, and that ranking should be kept current
by monitoring security metrics over time.
Vendor off-boarding is the less common, and often neglected, process of closing out a
contract with a third-party vendor. It involves ending all administrative, financial,
network and data access, and recovering any property the vendor holds. Off-boarding
should only be carried out AFTER the vendor has fulfilled all of its required contractual
Vendor off-boarding is just as important as on-boarding vendors. Failing to follow the
proper off-boarding protocol exposes the organization to significant risk, including
compliance breaches, data breaches, loss of property and ongoing disputes. A vendor
off-boarding checklist looks like:
✗ Track equipment returns
✗ Review contract completion and close it out carefully
✗ Disable network and data access
✗ Finalize payment
✗ Update the vendor's profile
✗ Review security policies
Organizations interact with a large number of vendors all the time, yet many of them
have no robust Vendor Risk Management strategy in place. Without one, vendors can
retain access to data, systems or facilities they no longer service, which is a serious
threat to data security.
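The checklist item "Disable network and data access" and the closing paragraph above describe the same failure mode: access that outlives the contract it was granted for. The following script is an added example, not code from the original page, from Smartsheet or from Gartner. It reconciles a vendor register against an inventory of access grants and reports every enabled grant that is not backed by a live contract, honouring the rule stated earlier that off-boarding happens only after contractual obligations are fulfilled. The vendor names, systems, account names and dates are all constructed for illustration.

```python
"""Reconcile a vendor register against an access inventory to flag access
that should have been revoked at off-boarding.

Added example for this page; all vendors, systems, accounts and dates below
are constructed and hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Contract:
    vendor: str
    end_date: Optional[date]   # None means the contract is still running
    obligations_met: bool      # close-out signed off (deliverables, returns)?


@dataclass(frozen=True)
class AccessGrant:
    vendor: str
    system: str                # e.g. "vpn", "sftp", "badge"
    account: str
    enabled: bool


@dataclass(frozen=True)
class Finding:
    vendor: str
    system: str
    account: str
    action: str                # "revoke", "hold" or "review"
    reason: str


def find_stale_access(contracts: List[Contract], grants: List[AccessGrant],
                      today: date) -> List[Finding]:
    """Return one Finding per enabled grant that is not backed by a live contract."""
    register = {c.vendor: c for c in contracts}
    findings: List[Finding] = []
    for g in grants:
        if not g.enabled:
            continue                      # already disabled: nothing to do
        c = register.get(g.vendor)
        if c is None:
            # Orphan account: nobody can say which contract justifies it.
            findings.append(Finding(g.vendor, g.system, g.account, "review",
                                    "no contract on file for this vendor"))
            continue
        if c.end_date is None or c.end_date > today:
            continue                      # contract still active: access is legitimate
        if not c.obligations_met:
            # Term is over but close-out is not signed off. The page says to
            # off-board only after obligations are met, so escalate rather than cut.
            findings.append(Finding(g.vendor, g.system, g.account, "hold",
                                    f"contract ended {c.end_date}, obligations outstanding"))
        else:
            findings.append(Finding(g.vendor, g.system, g.account, "revoke",
                                    f"contract ended {c.end_date}, obligations met"))
    return findings


def revocation_list(findings: List[Finding]) -> Dict[str, List[str]]:
    """Accounts that can be disabled now, grouped by the system that owns them."""
    plan: Dict[str, List[str]] = {}
    for f in findings:
        if f.action == "revoke":
            plan.setdefault(f.system, []).append(f.account)
    return plan


# Constructed sample data (hypothetical vendors and accounts).
TODAY = date(2024, 6, 1)
CONTRACTS = [
    Contract("Acme Bearings", date(2024, 3, 31), True),    # ended, closed out
    Contract("CopyCo", None, False),                        # ongoing engagement
    Contract("Beta Legal", date(2024, 5, 15), False),      # ended, not closed out
]
GRANTS = [
    AccessGrant("Acme Bearings", "vpn", "acme-svc", True),
    AccessGrant("Acme Bearings", "sftp", "acme-upload", True),
    AccessGrant("Acme Bearings", "badge", "B-0412", False),  # already disabled
    AccessGrant("CopyCo", "cms", "copyco-editor", True),
    AccessGrant("Beta Legal", "sharepoint", "betalegal-ro", True),
    AccessGrant("Ghost Consulting", "vpn", "ghost-01", True),  # no contract on file
]

if __name__ == "__main__":
    results = find_stale_access(CONTRACTS, GRANTS, TODAY)
    for f in results:
        print(f"{f.action:6} {f.vendor:18} {f.system:10} {f.account:15} {f.reason}")
    print(revocation_list(results))
```

Run against the sample data this reports the two Acme Bearings accounts as ready to revoke, holds the Beta Legal account because close-out has not been signed off, and flags the Ghost Consulting VPN account for review because no contract explains it; the disabled badge and the active CopyCo account produce no findings. In practice the register would be fed from the contract system and the grants from the identity provider, VPN and badge systems, and the script would run on a schedule so that off-boarding that was missed is caught rather than discovered after an incident.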