A reference guide to the Chief Vendor Officer on existing software tools
Vendor Management’s objective is to provide more value to the company via the integration of Vendor products.
It happens at different phases:
- Discovery. Finding the relevant vendors that respond to the company’s needs.
- Vendor evaluation and selection. Evaluate fit to the need, price, integration with existing solutions, customer support level, compliance, security, etc.
- Implementation. Optimize vendor on-boarding and track vendor performance.
- Vendor culture. Fostering the culture of requesting and using outside solutions.
This process is generally triggered by the requesting department when the need occurs. However, the Chief Vendor Officer (CVO) may also propose solutions where relevant. It is a serious advantage for the CVO to have broad knowledge of the solution domains and of the tools already present in the company: it accelerates both the Vendor culture and the Discovery phases by providing rapid answers.
This guide informs vendor-facing departments about the tool families available for Vendor Management. It does not name specific vendors; online vendor comparison reports allow an in-depth analysis of specific products. Instead, it describes each solution field with a brief note on why it matters for vendor management.
- Risk Assessments. Selecting a Vendor requires ensuring this Vendor is compliant and secure. Risk assessments are questionnaires submitted to Vendors to this end. These platforms are collaborative (the vendor answers, the company reviews) and should ship with the common standard questionnaires (e.g., the Shared Assessments SIG or the Cloud Security Alliance CAIQ) so that vendors are not asked the same questions in a different format by every customer.
- Third-Party / Vendor Risk Management (TPRM / VRM). IT Vendors have an intrinsic risk that must be managed (think about data breaches, business disruption and privacy compliance). These platforms use the assessments to evaluate the risk zones and to apply measures to mitigate them.
The VRM solutions can be often found in Governance, Risk management and Compliance (GRC) or Integrated Risk Management (IRM) platforms.
- Vendor News Monitoring. This service gets the latest news about vendors on various subjects (financial, data breach, lawsuits, changes in legal and executive structure) to reassess vendors’ risks.
- Contract Lifecycle Management (CLM). Access to the contract content is critical to tracking a vendor's performance against what was actually signed. The contract clauses (service levels, security obligations, breach notification deadlines, termination terms) give the elements needed to evaluate the vendor's value, e.g., at the renewal period. The CLM platforms reference all the contracts and their clauses.
Compliance & Privacy
- Consent and Data Subject Request Management. When submitting a request, the data subject expects to receive all of their personal data, including the data held by third-party vendors acting as processors. The company must therefore know which vendors hold which data and be able to relay the request to them.
- Website scanning. Website scanning automatically finds all the third-party vendors present on the company's web pages, and the fourth parties they in turn load (a vendor's own vendors), by observing which scripts, pixels, iframes and stylesheets the browser actually fetches. The same scanners look for vulnerabilities and for privacy compliance gaps (e.g., privacy and cookie policies that do not reference a third party the page loads). The practical check is to compare the scan result against the contract inventory: a third party that appears in one but not the other is either an undocumented integration or a stale contract.
- Vendor sanctions. Before receiving any service from a vendor, a company must ensure there are no sanctions preventing the collaboration, ideally through automatic screening that is repeated as sanctions lists change rather than done once at on-boarding.
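The core of the website-scanning step above, as an added example that is not code from the original guide or from any scanning product: given a page's HTML and its URL, list every external origin the browser would contact to render it. The HTML, the page URL and all domain names are constructed for the example; `registrable_domain` uses a deliberately simplified "last two labels" rule, noted as an assumption in the code.

```python
"""Added example (not from the original guide): the core of a website scan.

Given a page's HTML, list every origin the browser would contact to render
it other than the company's own. Those are the third parties (and, through
what they load in turn, fourth parties) that a contract inventory may not
list. The HTML and domain names below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make the browser fetch, embed or submit to a remote origin.
# Plain <a href> links are deliberately excluded: they load nothing.
_RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "video": "src",
    "audio": "src", "source": "src", "embed": "src", "object": "data",
    "link": "href", "form": "action",
}
# <link> only fetches for these rel values; canonical/alternate do not.
_FETCHING_LINK_RELS = {"stylesheet", "preload", "modulepreload", "prefetch",
                       "icon", "manifest"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs from resource-loading attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr_name = _RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & _FETCHING_LINK_RELS:
                return
        url = attrs.get(attr_name)
        if url:
            self.refs.append((tag, url.strip()))


def registrable_domain(host):
    """Assumption: the last two labels identify the owner (example.com).
    A production scanner would use the Public Suffix List so that
    foo.co.uk is not treated as a sibling of bar.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_origins(html, page_url):
    """Map each external host to the set of tags that load from it."""
    first_party = registrable_domain(urlparse(page_url).hostname)
    collector = _ResourceCollector()
    collector.feed(html)
    found = {}
    for tag, url in collector.refs:
        host = urlparse(url).hostname  # None for relative, data: and mailto: URLs
        if host is None or registrable_domain(host) == first_party:
            continue
        found.setdefault(host, set()).add(tag)
    return found


# Constructed page for a fictional company whose site is example.com.
SAMPLE_PAGE_URL = "https://www.example.com/pricing"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example-cdn.org/css?family=Sans">
<link rel="canonical" href="https://www.example.com/pricing">
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script src="/static/app.js"></script>
<script src="https://static.example.com/lib.js"></script>
</head><body>
<img src="//pixels.tracker-example.com/p.gif" alt="">
<iframe src="https://www.example-chat.io/widget"></iframe>
<form action="https://payments.example-psp.com/checkout"><input name="q"></form>
<a href="https://partner-example.org/">partner</a>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>
"""

if __name__ == "__main__":
    for host, tags in sorted(third_party_origins(SAMPLE_HTML, SAMPLE_PAGE_URL).items()):
        print(f"{host:32} {', '.join(sorted(tags))}")
```

Static parsing like this only sees what is in the served HTML; a tag manager or an analytics script can inject further third parties at run time, which is why commercial scanners drive a real browser and record the network requests instead. The output is a starting inventory to reconcile against the contract list, not the final word.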
The main security risks are data breaches and the additional attack surface each vendor brings.
- Vulnerability Management. Every added product or library increases the attack surface. These tools inventory the company's software and its vendor-supplied components and match them against databases of known vulnerabilities, so that an affected version can be patched or isolated before it is exploited.
- Cybersecurity Risk Rating. As part of the Digital Risk Protection domain, security risk ratings complement the questionnaire assessments. They do not rely on the vendor's own declarations but on outside-in observation of its exposed infrastructure (e.g., unpatched internet-facing services, e-mail security configuration, leaked credentials), which makes them a useful cross-check against what the vendor declared.
- Cybersecurity Incident Response Services. A large share of data breaches originate with third-party vendors. Preparing for a possible breach must therefore include the case where the source is a vendor: who at the vendor is contacted, which contractual notification deadlines apply, and how the access granted to the vendor is revoked.
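How the matching step of a vulnerability-management tool works, as an added example that is not code from the original guide or from any scanner: a pinned dependency inventory is compared against advisories that describe affected version ranges. The lockfile, the package names and the advisory IDs below are all constructed placeholders and describe no real vulnerability; `parse_version` uses a simplified dotted-integer rule, noted as an assumption in the code.

```python
"""Added example (not from the original guide): how a vulnerability scanner
matches an inventory of libraries against known-vulnerability advisories.

The lockfile and advisories below are constructed with placeholder package
names and advisory IDs; they do not describe real vulnerabilities.
"""

# Constructed inventory in pip "name==version" form.
SAMPLE_LOCKFILE = """\
# pinned dependencies of an internal service (constructed)
acme-http==2.4.1
acme-yaml==5.3.1
acme-templating==3.1.2
acme-crypto==41.0.0
"""

# Constructed advisories. Each range is (first affected, first fixed);
# fixed=None means no fixed release exists yet.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "acme-http", "severity": "high",
     "ranges": [("2.0.0", "2.4.2")]},
    {"id": "EXAMPLE-2024-0002", "package": "acme-yaml", "severity": "critical",
     "ranges": [("0.0.0", "5.4.0")]},
    {"id": "EXAMPLE-2024-0003", "package": "acme-templating", "severity": "medium",
     "ranges": [("2.0.0", "3.0.0"), ("3.1.3", "3.1.4")]},
    {"id": "EXAMPLE-2024-0004", "package": "acme-crypto", "severity": "low",
     "ranges": [("41.0.0", None)]},
]


def parse_version(text):
    """Assumption: plain dotted integers. Real ecosystems need their own
    rules (PEP 440, semver pre-release tags). Comparing versions as strings
    is the classic scanner bug: "10.0.0" < "9.0.0" lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_lockfile(text):
    """Return {package_name: pinned_version}, ignoring comments and blanks."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version, ranges):
    """True if version falls in any [introduced, fixed) interval."""
    v = parse_version(version)
    for introduced, fixed in ranges:
        if v >= parse_version(introduced) and (fixed is None or v < parse_version(fixed)):
            return True
    return False


def find_vulnerable(lockfile_text, advisories):
    """Cross the inventory with the advisories; report the nearest fix."""
    pins = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        version = pins.get(adv["package"].lower())
        if version is None or not is_affected(version, adv["ranges"]):
            continue
        candidates = [f for _, f in adv["ranges"]
                      if f is not None and parse_version(f) > parse_version(version)]
        fix = min(candidates, key=parse_version) if candidates else None
        findings.append({"package": adv["package"], "version": version,
                         "advisory": adv["id"], "severity": adv["severity"],
                         "fix": fix})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES):
        print(f"{f['severity']:8} {f['package']}=={f['version']} "
              f"({f['advisory']}) fix: {f['fix'] or 'none yet'}")
```

The "no fixed release yet" case is the one that matters for vendor management: the finding cannot be closed by patching, so the decision becomes a risk-acceptance or mitigation question to raise with the vendor rather than a ticket for the IT department.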
Shared Data Management
As seen with data breaches, the shared data with vendors requires special handling. Many data management tools are relevant here for the data shared with vendors:
- Data mapping. Data flows must be mapped and recorded because regulations require it (e.g., the records of processing activities under the GDPR). In the financial sector, the data transformations must also be documented in a data lineage document. This data mapping details which data (e.g., personal data) is shared with which vendor, which is exactly the information needed when a data subject request or a vendor breach has to be scoped. Data catalogs and API catalogs, for example, may be useful for the documentation.
- iPaaS (Integration Platform as a Service). These platforms allow users to interface with many APIs without developing complex software.
- De-identification/pseudonymisation. These solutions allow users to protect the privacy of the data subject while still sharing the data with vendors for insights: direct identifiers are removed or replaced by tokens, and the information needed to reverse the tokens stays with the company, never with the vendor.
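What that last point looks like in practice, as an added example that is not code from the original guide or from any pseudonymisation product: a customer export is prepared for a vendor by dropping direct identifiers and replacing the e-mail address with a keyed token. The example also shows why a bare hash is not enough: anyone holding a list of candidate addresses can reverse it. The records are constructed; the key handling (a 32-byte secret generated with `secrets`) is an assumption about how the company would store it.

```python
"""Added example (not from the original guide): pseudonymising a customer
export before sharing it with a vendor.

A bare SHA-256 of an identifier is deterministic but reversible by guessing
inputs, so it is not pseudonymisation. An HMAC under a key that the company
keeps and never ships with the export yields tokens the vendor can still
join across records but cannot reverse. Records below are constructed.
"""
import hashlib
import hmac
import secrets


def _normalise(identifier):
    """Case and whitespace must not change the token, or joins break."""
    return identifier.strip().lower().encode("utf-8")


def naive_token(identifier):
    """Unkeyed SHA-256: deterministic, but reversible by dictionary attack."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def keyed_token(identifier, key):
    """HMAC-SHA256 under a company-held secret key."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def dictionary_attack(token, candidates):
    """What a vendor (or whoever obtains the export) can do without the key:
    hash each guess and compare. Succeeds on naive tokens, fails on keyed."""
    for guess in candidates:
        if hmac.compare_digest(naive_token(guess), token):
            return _normalise(guess).decode("utf-8")
    return None


DIRECT_IDENTIFIERS = ("name", "phone")   # dropped from the export outright
PSEUDONYMISED_FIELDS = ("email",)        # replaced by a keyed token


def pseudonymise(records, key):
    """Return the rows a vendor may receive."""
    out = []
    for record in records:
        shared = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        for field in PSEUDONYMISED_FIELDS:
            if field in shared:
                shared[field] = keyed_token(shared[field], key)
        out.append(shared)
    return out


# Constructed customer rows; the same person appears twice with different casing.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice Example",
     "phone": "+1 555 0100", "plan": "pro", "logins_30d": 42},
    {"email": "bob@example.net", "name": "Bob Example",
     "phone": "+1 555 0101", "plan": "free", "logins_30d": 3},
    {"email": "alice@example.com", "name": "Alice Example",
     "phone": "+1 555 0100", "plan": "pro", "logins_30d": 7},
]

if __name__ == "__main__":
    # Assumption: the key lives in the company's secret store and is
    # rotated per vendor or per contract; it is never sent with the export.
    key = secrets.token_bytes(32)
    for row in pseudonymise(SAMPLE_RECORDS, key):
        print(row)
```

Two consequences for the vendor relationship follow from the design. The tokens are still personal data in the GDPR sense (pseudonymised, not anonymised), because the company can reverse them with the key, so the vendor contract still needs the processor clauses. And using a separate key per vendor means that two vendors cannot cross-match the exports they each received, and that rotating a key at contract end severs the vendor's ability to link old data to anything new.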
The IT department plays a large role in vendor on-boarding and performance tracking. They provide information about the effective usage and value provided by the vendor to the company.
- Software Asset Management. These platforms track, for installed and cloud-based software, the number of paid licenses against effective usage, which is the basis for cost reduction at renewal. They also track end-of-support dates and patch availability, the point where a vendor's product stops being maintainable and becomes a security liability.
- Application Performance Management. These tools provide the effective performance of the applications and their user experience.
Some fields involving vendors are not mentioned. For example, Procurement Systems are a good source of information during the Vendor discovery phase. Or, Knowledge Management solutions can record processes and how to on-board vendors.
The mapping of all the useful tools highlights another dimension in the Vendor economy: the importance of the ecosystem. Solutions interfacing with one another allow integrated processes and provide more value to the company.
A complete Vendor Management solution must therefore be both technology-based and integrative. It provides a single view of each vendor with all the elements needed to optimize the vendor's ROI.