Vendor Management: The Complete Guide

The rapid evolution that digital transformation has triggered in the technology space has meant that organizations need to innovate quickly in order to survive. But — since no enterprise is self-sufficient — there is always a need to engage external parties to provide the platforms, services, and resources required to stay ahead.

For instance, the current GenAI hype has businesses scrambling to prove to customers that they are on top of this technological revolution, by interfacing with AI platforms provided by other companies. Be it software, hardware or people, the capabilities provided by vendors offer a formidable competitive advantage in this fast-moving sector.

Managing vendors is an exercise that has significant value to a service provider. Failure to effectively manage one’s suppliers may impact the ability to seamlessly provide quality products and services.

What is vendor management?

The end goal of vendor management is the realization of desired outcomes for both parties, while also satisfying the end customer of the IT services delivered and minimizing any risks.

Vendor management covers the entire lifecycle of any relationship with a vendor:

• Sourcing
• Onboarding and integration
• Review
• Offboarding

In the following sections, we will look at these four key elements that organizations should focus on across this joint journey.

(Related reading: third party risk management.)

Vendor sourcing

One of the critical success factors spelled out in ITIL 4 guidance is ensuring that the vendor sourcing strategy and guidelines effectively support the organization’s strategy.

By approving a supplier policy that aligns to business strategy, the leadership effectively communicates:

• The principles and criteria by which a vendor should be sourced.
• Guidance for categorization, requirements, and relationship management.

Regardless of the procurement approach, the sourcing strategy ensures that vendor requirements are formally outlined, formal approval is required based on business needs and budget, and standardized qualification and evaluation criteria should be deployed to choose the right vendor to provide IT services and components.

The organization should enter into a formal contractual agreement with the selected vendor that spells out the following elements as per ISO 20000 guidance:

• The scope of what is being delivered by the vendor.
• Specifications or a statement of work of what the vendor is providing.
• Service level targets to be met by the vendor.
• Other contractual obligations, such as possible incentive or penalty schemes and reports.
• A clear overview of authorities and responsibilities for both parties.
• Other items as required such as subcontracting, charging, reviews, reporting, and exception conditions.

Adherence to the sourcing strategy and entering into a formal contract provides the best foundation to ensuring that the vendor brought onboard will provide value for money and support the organization to achieve its goals through quality IT services.

Contracting also ensures that both parties are at a win-win situation and can navigate disputes in a structured manner should issues arise in the future.

Once a vendor has been contracted, it is crucial to record their details — including categorization, associated configuration items, contacts, expiry dates, and escalation matrixes — within the vendor management module of your IT service management (ITSM) solution.

This ensures effective tracking of their project or support activities, so as to facilitate contract and performance reviews. Assigning of a contract manager from the technology unit that will work directly with the vendor is also a good practice, as this individual or team can maintain oversight of all critical aspects throughout the vendor journey.

Vendor integration

As technology functions in larger organizations grapple with the challenge of managing multiple vendors, one way of handling them effectively is the use of a specially established integrator to facilitate coordination between the vendors so as to ensure the enterprise gets maximum value from them.

Service integration and management (SIAM) is one such management methodology that helps vendors understand where they fit in the big picture through the concept of a single logical entity held accountable for the end-to-end delivery of services and the business value that the organization receive.

SIAM Ecosystem (Source: SIAM Foundation Body of Knowledge)

The integrator sits between the organization and the vendors, providing operational governance and coordination that directs all the vendors to contribute to the end-to-end service quality. The integrator can be:

• An individual
• An internal function
• Outsourced to a contracted third-party 

The essence of SIAM is to implement a trust-based approach among vendors that values collaborative outcomes over strict contract terms, while saving the organization from the operational headache of managing numerous vendors. SIAM requires the organization to adopt a culture that values collaboration and cooperation and cedes rigid command and control.

The benefits from adopting SIAM include:

• Improved service quality
• Optimized costs and increased value
• Improved governance
• A scalable, flexible supply network

Vendor reviews

The performance of vendors should be monitored and reported on at planned intervals or project milestones, based on the organization’s policies and the criticality of the vendor.

While performance is tied to the service level targets spelled out in the contractual agreement, customer satisfaction and service experience should be the ultimate guide for quantifying whether the supplier is adequately providing value to the organization.

Performance issues should be dealt with by determining the root cause and agreeing corrective actions or appropriate improvements. Where there are serious disputes, these should be formally recorded and managed to closure as per contract terms.

In addition, the enterprise should review the contractual agreements regularly to see if they are still valid in the current service environment. Should there be significant changes to the organization’s context — such as strategic direction or technology evolution — there would be need to trigger updates or terminations to vendor contracts as appropriate. For example, the migration from on-premises to cloud would imply that vendors engaged to support the in-house infrastructure have to be transitioned.

Compliance audits and risk assessments of the supply chain and associated services should also be regularly carried out to inform if they introduce material threats or vulnerabilities that cannot be mitigated and require a review of contractual terms. An organization’s reputation, security posture, or quality of services may be compromised by the actions of a vendor — hence the need to regularly review contracts whenever such instances occur.

(Related reading: GRC governance, risk, compliance.)

Vendor relationships

The type of relationship and level of trust informs the approach for handling a vendor. In a cooperative or partnership type of relationship, organizations need to create and maintain close ties due to the significant level of dependency and criticality that the vendor holds.

To ensure there is seamless provision of services, there has to be effective visibility, coordination, collaboration, and conflict resolution. To develop good vendor relationships, consider the following points from VeriSM guidance:

• Understand the entire supply chain in terms of value and costs.
• Work on and expect honesty in the relationship.
• Communication is critical whenever there is disruption or change.
• Leverage a partnership where both parties work together towards common benefit.

Vendor relationships need to be transparent and personalized if the organization is keen on deriving maximum benefit from this union. Expectations should be managed through clarity, elimination of assumptions, and establishing contingencies through risk mitigation.

Continual improvement initiatives should be jointly championed and supported by both parties throughout the life of the contractual relationship.

Vendor offboarding

Once the vendor contract has come to an end, prematurely or otherwise, proper steps have to be taken to ensure that the separation is done amicably and smoothly to prevent:

• Disruption to IT services
• Compliance issues
• Data loss risks

Offboarding should be informed by the contractual terms and be carried out collaboratively with the vendor and key internal stakeholders including legal, procurement, IT security, and finance. A proper plan and checklist can ensure that all bases are covered, and that the offboarding is managed effectively. Areas to be covered include:

• Handover or transfer to internal teams or third parties
• Stipulated contractual termination notice periods
• System access disabling and return of physical access cards
• Return of intellectual property and physical devices including erasure of data
• Finalizing of pending payments
• Capturing of attestations that vendor offboarding complies with applicable policies and terms

A formal report of the vendor offboarding should be documented and shared with internal stakeholders for approval. It should cover the following items:

• Rationale of the offboarding
• A final risk assessment
• Completion status of the offboarding plan
• A summary of the lifecycle including past performance, disputes, and any other pertinent matters

With a proper vendor management practice in place, your organization will maximize value and trust from these vendors, ultimately delivering more value directly to customers.