The CVO playbook for a successful vendor adventure — Part 1 / 2

“Congratulations! You will be our first CVO! Unclear what it means, but you will guess it out, right? You start on Monday. By the way, ‘V’ for Vendors.”

So, here we are. Monday morning. A bit lost. Where do I start?

We already defended why a new CVO role is critical in our new Vendor economy. Vendors, in particular IT Vendors such as SaaS services, are omnipresent. Their usage steadily increases. They access some of the company’s data. They provide specialized services to manage tasks more efficiently. Their products can be called tools, platforms, or solutions. And companies need to manage them.

Even if the vendor subject is not gathered by a full-time employee but by a committee, they still need to go through the same steps.

Build a Vendor strategy

The first step of a CVO is to build a Vendor strategy. What do we want to achieve, and on what timeline? This vendor strategy provides key metrics and a clear roadmap. The Vendor strategy answers who will own each part of the vendor relationship and what the vendor lifecycle management looks like.

The Vendor strategy will also include all the roadmap elements as detailed here—both the defensive and offensive lines. Given this roadmap, an efficient tool providing all the aspects of Vendor Management with a Single Vendor View is critical.

The CVO will not manage all aspects of the vendor’s relationship. He is a key figure in establishing a vendor-centric culture and processes. As we will see, the CVO must collaborate closely with many other departments, including: Legal, Compliance, Privacy, Security, IT, and Procurement.

The Defensive line— Vendor discovery first

Before being able to manage our vendors, we need to know who they are. Building a vendor catalog requires a vendor discovery, i.e., retrieving all the vendors. Vendor discovery is not easy; the vendors are not all referenced in a single source of truth. Use a system to find all the vendors. Some SaaS companies automate the process as much as possible.

If that is not enough, you should not restrict yourself only to third-party vendors , i.e., the vendors you have signed an agreement with. You should also find out about their vendors, the so-called fourth parties, since they are also a liability.

Where do we get all these vendors from? Different sources must be considered in parallel:

  • The third-party and fourth-party vendors present on your websites can be retrieved automatically. There are excellent tools out there for this.
  • The Legal department has all the signed contracts.
  • The Finance department knows who was paid.
  • The Compliance department may have already set up a Third-Party Risk management program.
  • The IT department may have a list of applications and companies present in the organization (e.g., via an application manager).

Still on the Defensive line: Compliance, Privacy and Security

Once most vendors are found, it is time to set up a process to ensure any new vendor will be registered in your system, preferably automatically.

You must ensure different processes are already in place or fill the gap quickly:

  • Legal: ensure the contract lifecycle management (CLM) is managed well, including contract renewals (already in place in general).
  • Compliance: set up a Vendor Risk management (VRM) program to reduce the vendor’s risk. Decide the vendor criticality criteria (3–5 tiers) and track mainly the critical ones. Choose your vendor risk methodology and evaluate the maturity from time to time (e.g., with the VRMMM model).
  • Privacy: ground-breaking privacy regulations that involve vendors have been  passed recently. They are called “data processors” by EU GDPR or “service providers” by California CCPA. Ensure the presence of contracts with strict clauses about personal data protection and assessment questionnaires to better understand the vendor’s data handling.
  • Security: the CISO must validate the vendor and their practices in depth to avoid data breaches in accordance with the vendor criticality (e.g., with an assessment questionnaire). The CISO may require you to insert some clauses in the contract (like the Dropbox team).

The defensive line should aim to evaluate vendors and give their go/no-go at business speed. It is not always that simple. Automation and clearly defined processes help a lot.

The CVO should focus only on the defensive line, at least during the first year or two. Having a solid infrastructure to handle efficiently the “must-do” regulatory aspects is a must before creating value (part 2).