A Complete Toolkit for a 360-Degree Vendor Management

Vendor Management

A reference guide for the Chief Vendor Officer on existing software tools

Vendor Management’s objective is to provide more value to the company via the integration of Vendor products.

It happens at different phases:

This process is generally triggered by the leading company department when the need occurs. However, the Chief Vendor Officer (CVO) may want to propose solutions if relevant. It is a serious advantage for the CVO to have broad knowledge of the existing domains and tools. It accelerates both the Vendor culture and the Discovery phases by providing rapid answers.

This guide informs vendor-facing departments about the various tool families available for Vendor Management. It does not include the names of specific vendors. Online vendor comparison reports allow an in-depth analysis of specific products. This guide details the solution fields with a brief description of the vendor relevancy.

Risk Management


Compliance & Privacy


The main security risks are data breaches and the additional attack surface that vendors introduce.

Shared Data Management

As seen with data breaches, data shared with vendors requires special handling. Many data management tools are relevant here:

Information Technology

The IT department plays a large role in vendor on-boarding and performance tracking. They provide information about the effective usage and value provided by the vendor to the company.

Some fields involving vendors are not mentioned. For example, Procurement Systems are a good source of information during the Vendor discovery phase. Or, Knowledge Management solutions can record processes and how to on-board vendors.

The mapping of all the useful tools highlights another dimension in the Vendor economy: the importance of the ecosystem. Solutions interfacing with one another allow integrated processes and provide more value to the company.

The complete Vendor Management solution is required to be technological and integrative. It provides a single vendor view with all the elements to optimize the vendor’s ROI.

17 Disturbing Statistics Justifying the Vendor Management Imperative

Vendor Management Imperative

A bleak picture emerges when looking at the numbers. It is time for a change.

The following 17 statistics show us a bleak picture. The presence of third parties and vendors has increased drastically, and so has the vendor risk. The vendor risk can be privacy non-compliance, performance disruption, or a data breach. These risks can be quantified.

To reduce these risks, vendor management is critical when managing these numerous vendors. Vendors are evaluated, e.g., with risk assessments. This Vendor Management has a measurable cost.

Of course, the following statistics do not reveal the full picture. Besides, proactive decisions can change the course of action.

Vendor Management Importance

Large companies have many third-party vendors, some with direct access to the company’s network.

An average of 89 vendors access a company’s network every week — link

18 percent of respondents indicated their companies work with more than 1,000 third parties, and another 16 percent said they work with more than 10,000 — link

Vendor Risk

However, most companies cannot guarantee good personal data protection.

60 percent of companies admit they lack the resources to monitor the security and privacy practices of vendors with whom they share sensitive or confidential information — link

74 percent of businesses are unaware of all the third parties who handle their data and personally identifiable information (PII) — link

The data breach risk is also very present.

66 percent of security professionals think that it’s possible or definite that they suffered a breach through third-party access — link

And there are certainly other risks too.

87 percent of organizations have experienced a disruptive incident with a third-party vendor within the last three years — link

82 percent were not confident or unsure if they have identified all the third party risks their organization is exposed to — link

Cost Evaluations

Managing the vendors has a real cost, but the cost of not managing them is even higher.

Third-party breaches are more expensive than in-house breaches, costing $13 more per compromised record — link

The average cost of managing 100 third parties is slightly more than $26,000 — link

23 percent of organizations do not evaluate third parties at all — link

The average cost of addressing a Data Subject Access Request (DSAR) is $1,400 per request — link

For example, managing assessments has a high cost due to a lack of automation:

A single FTE (Full-Time Employee) can manage approximately 350 third-party information security risk assessments and decisions annually — link

71 percent of companies are still using a custom questionnaire — link

Prioritized Vendor Management

Given these numbers, it is no surprise that Vendor Management is a priority today.

Ensuring third parties have appropriate security practices to protect sensitive and confidential data was the first governance priority for 2019 — link

40 percent of organizations have a fully mature vendor risk management process in place — link

The Vendor Risk Management Market is expected to exceed US$ 7 billion by 2024, with a CAGR (compound annual growth rate) of 13 percent — link

In our Vendor economy, we don’t always realize the value and the risk that vendors bring to the company. Companies have many vendors, some with privileged access.

Both the vendor value and the risk are real, with a measurable cost. Due to the cost, it is tempting to avoid managing the vendors. However, doing so only increases the risk and the cost, while missing opportunities.

Planning Vendor Management while adopting a vendor culture is the key to benefiting from vendors deeply and responsibly.