A reference guide to the Chief Vendor Officer on existing software tools
Vendor Management's objective is to provide more value to the company through the integration of vendor products.
It proceeds in several phases:
- Discovery. Finding the vendors that meet the company's needs.
- Vendor evaluation and selection. Assessing fit to the need, price, integration with other solutions, level of customer support, compliance, security, etc.
- Implementation. Streamlining vendor on-boarding and tracking vendor performance.
- Vendor culture. Fostering a culture of requesting and using outside solutions.
This process is generally triggered by the leading company department when a need arises. However, the Chief Vendor Officer (CVO) may also propose solutions where relevant. It is a serious advantage for the CVO to have a broad knowledge of the existing domains and of which tools are already present: it accelerates both the Vendor culture and the Discovery phases by providing answers quickly.
This guide details, for vendor-facing departments, which tool families exist around Vendor Management. It does not name specific vendors; online vendor comparison reports allow an in-depth analysis of specific products. Each solution field is listed with a brief description of its relevance to vendor management.
- Risk Assessments. Selecting a vendor requires ensuring that the vendor is compliant and secure. Risk assessments are questionnaires submitted to vendors for this purpose. These platforms are collaborative and should include the many standard questionnaires.
- Third-Party / Vendor Risk Management (TPRM / VRM). IT vendors carry an intrinsic risk that must be managed (think of data breaches, business disruption, privacy compliance). These platforms use the assessments to identify risk areas and to apply measures to mitigate them.
VRM solutions are often found within Governance, Risk management and Compliance (GRC) or Integrated Risk Management (IRM) platforms.
- Vendor News monitoring. This service collects the latest news about vendors on various subjects (financial health, data breaches, lawsuits, changes in legal or executive structure) in order to reassess vendor risk.
- Contract Lifecycle Management (CLM). Access to contract content is critical to tracking the performance a vendor has committed to. The contract clauses provide the elements needed to evaluate vendor value, e.g., at contract renewal. CLM platforms index all contracts and their clauses.
Compliance & Privacy
- Consent and Data Subject Request Management. When submitting a request, the data subject expects to receive all of their personal data, including data held by third-party vendors.
- Website scanning. Website scanning automatically discovers all third-party and fourth-party vendors present on the company's website pages. These tools also look for vulnerabilities and privacy compliance issues (e.g., whether the privacy and cookie policies reference the third-party vendors in use).
- Vendor sanctions. Before receiving any service from a vendor, a company must ensure that no sanctions prevent the collaboration; this check can be automated.
The main security risks are data breaches and the additional attack surface that vendors introduce.
- Vulnerability Management. Adding products and libraries increases the attack surface. These tools scan for known vulnerabilities.
- Cybersecurity Risk Rating. As part of the Digital Risk Protection domain, security risk ratings complement the assessments in evaluating vendor risk. These ratings are not based on customer declarations but on external evaluation.
- Cybersecurity Incident Response Services. Most data breaches come from third-party vendors. Preparing for a possible data breach must include a response plan for the case where its source is a vendor.
Shared Data Management
As data breaches show, data shared with vendors requires special handling. Many data management tools are relevant to the data shared with vendors:
- Data mapping. Required by regulatory compliance (e.g., GDPR), data flows must be mapped and recorded. In the financial sector, data transformations must also be documented in a data lineage document.
This data mapping details which data (e.g., personal data) is shared with vendors. Data catalog and API catalog tools may be useful for this documentation.
- iPaaS (integration Platform as-a-Service). These platforms allow interfacing with many APIs without developing complex software.
- De-identification / pseudonymisation. These solutions preserve the privacy of the data subjects while still allowing the data to be shared (with vendors) for insights.
The IT department plays a large role in vendor on-boarding and performance tracking. It provides much insight into the effective usage of, and the value delivered by, each vendor to the company.
- Software Asset Management. These platforms track, for installed and cloud-based software, the number of paid licenses against effective usage, for potential cost reduction. They also track end-of-support deadlines and patch availability.
- Application Performance Management. These tools measure the effective performance of applications and their user experience.
Some fields involving vendors are not covered here. For example, Procurement systems are a good source of information in the Vendor discovery phase, and Knowledge Management solutions can record processes and how to on-board vendors.
Mapping all the useful tools highlights another dimension of the Vendor economy: the importance of the ecosystem. Solutions that interface with one another enable integrated processes and provide more value to the company.
A complete Vendor Management solution must be both technological and integrative. It provides a single vendor view with all the elements needed to optimize vendor ROI.