Policy, Program and Procedures

Hello everyone,

Does anyone have a perspective, policy or guidelines within your TPRM program in regards to how your defining a vendor owner or stakeholder?

These questions come up in our organization on who should be a vendor owner or business owner for a vendor and we don't really have a particular guideline in place to define that ownership.

For example, do you define a vendor owner as someone who is at least an Assistant Manager or above? An AVP or above? How do you define ownership if multiple departments have a relationship with the same vendor or even the same contract/agreement? 

Any advice or guidance would be greatly appreciated. Thank you!

Hi there,

Let's start with a basic description of a vendor owner.

These individuals own the relationship with the third party/vendor. Accountable for the effective and timely execution of all required TPRM/VRM lifecycle activities, including planning for the relationship, identifying appropriate third-party/vendor exit strategies, identifying the risks inherent to the product/service, ensuring the third party/vendor is responsive to all TPRM/VRM requests, managing the risk and performance of their third-party/vendor relationships, and the management and remediation of any third party/vendor issues.

As every organization is unique, the requirements for a vendor owner will differ. Moreover, your organization has vendors with varying degrees of risk, so the necessary skill sets and experience needed to manage them will also vary. For instance, you can safely assign a less experienced employee to take responsibility for low-risk vendors requiring little to no third-party risk management. However, as the risk of the product or services increases, you will need to assign someone with more experience and a broader skill set to manage those relationships effectively. In the case of a critical vendor relationship, for example, you should appoint someone with deep knowledge and experience with the product or service being offered and a comprehensive understanding of your organization's risk management processes, tools, and expectations. They would also need the ability to make decisions, collaborate with subject matter experts, and have a fair amount of influence, authority, and visibility in the organization so they can address any issues or concerns promptly and effectively.

In most organizations, there may not always be enough alignment between the required skill set and specific organizational titles, such as AVP or manager, to use that as criteria for determining who should manage a vendor or own a particular relationship. The size of the organization, alignment of the internal department, promotion cycles, and restrictions might mean that an AVP in one department isn't always the same as another from a skills and experience level. Instead, I would focus on defining the skills and experience necessary to manage vendor types by risk level and criticality.

Suppose your organization deals with vendors offering multiple products or services and having various relationships with different teams. In that case, it is recommended to appoint an "Enterprise Vendor Owner" who can manage the vendor relationship holistically instead of managing multiple separate engagements. However, the enterprise vendor owner should not manage all the individual engagements by themselves. Instead, they should collaborate with respective vendor owners who deal with the same vendor. This approach can provide a consolidated view of the relationship, including risks, performance, and overall value to the organization. It also ensures that the vendor is held accountable for the same service and performance level for all products and services offered. Although the enterprise vendor owner is viewed as the ultimate manager of the vendor relationship, they rely on the outputs of individual vendor owners who use the vendor.

Those are my thoughts on these matters, but I would love to hear the perspectives of other members, too.

My simple approach: The vendor owner is the individual in the organization with the authority to fire (replace) the vendor.