The CVO playbook for a successful vendor adventure — Part 1 / 2
“Congratulations! You will be our first CVO! Unclear what it means, but you will guess out, right? You start on Monday. By the way, ‘V’ for Vendors.”
So, here we are. Monday morning. A bit lost. Where do I start?
We have already argued why a new CVO role is critical in the new vendor economy. Vendors, in particular IT vendors such as SaaS services, are omnipresent. Their usage steadily increases. They access some of the company's data. They provide specialized services to manage tasks more efficiently. Their products may be called tools, platforms or solutions. And companies need to manage them.
Even if the vendor topic is handled by a committee rather than by a full-time employee, the committee still needs to go through the same steps.
Build a Vendor strategy
The first step of a CVO is to build a vendor strategy. What do we want to achieve, and in which timeline? This vendor strategy provides key metrics and a clear roadmap. It answers who will own each part of the vendor relationship and what vendor lifecycle management looks like.
The vendor strategy also includes all the roadmap elements detailed here – both the defensive and the offensive lines. Given this roadmap, an efficient tool covering all aspects of vendor management with a single vendor view is critical.
The CVO will not manage every part of the vendor relationship. The CVO is the focal point for building a vendor-centric culture and processes. As we will see, the CVO must collaborate closely with many other departments, including Legal, Compliance, Privacy, Security, IT and Procurement.
The Defensive line — Vendor discovery first
Before being able to manage our vendors, we need to know who they are. Building a vendor catalog requires vendor discovery, i.e. retrieving all the vendors. Vendor discovery is not easy: the vendors are not all referenced in a single source of truth. Use a system to find all the vendors. Some SaaS companies automate the process as much as possible.
As if that were not enough, you should not restrict yourself to third-party vendors, i.e. the vendors you have signed an agreement with. You should also find out their vendors, the so-called fourth parties, since they are also a liability.
Where do we get all these vendors from? Different sources must be considered in parallel:
- The third-party and fourth-party vendors present on your websites can be retrieved automatically. There are excellent tools out there for this.
- The Legal department has all the signed contracts.
- The Finance department knows who was paid.
- The Compliance department may have already set a Third-Party Risk management program.
- The IT department may have a list of applications and companies present in the organization (e.g., via an application manager).
Still the Defensive line: Compliance, Privacy and Security
Once most vendors are found, it is time to set up a process to ensure any new vendor will be registered in your system, preferably automatically.
You must ensure different processes are already in place or fill the gap quickly:
- Legal: ensure the contract lifecycle management (CLM) is managed well, including contract renewals (already in place in general).
- Compliance: set up a Vendor Risk Management (VRM) program to reduce vendor risk. Decide the vendor criticality criteria (3–5 tiers) and track mainly the critical ones. Choose your vendor risk methodology and evaluate its maturity from time to time (e.g., with the VRMMM model).
- Privacy: ground-breaking privacy regulations that involve vendors have passed recently. Vendors are called ‘data processors’ by the EU GDPR and ‘service providers’ by the California CCPA. Ensure the presence of contracts with strict clauses about personal data protection, and of assessment questionnaires to better understand the vendor's data handling.
- Security: according to the vendor criticality, the CISO must validate the vendor and its practices in depth (e.g., with an assessment questionnaire) to avoid a data breach. The CISO may require specific clauses to be inserted in the contract (as the Dropbox team does).
The defensive line should aim to evaluate vendors and give their go / no-go at business speed. It is not always simple. Automation and clearly defined processes help a lot.
The CVO should focus only on the defensive line, at least during the first year(s). Having a solid infrastructure to handle the “must-do” regulatory aspects efficiently is a must before creating value (part 2).