One of the questions I hear a lot from companies looking to formalize a vendor management function is “Where should it live?” The simple answer is... it depends.
The vendor (or third-party) management function is still a relatively new concept to many organizations. However, as companies have begun formalizing this function within a Vendor Management Office (VMO), we are finding that no two VMOs are alike.
Some VMOs are staffed with just a few people, while others have an entire team performing critical roles covering all areas of the vendor management lifecycle. Some companies have their VMO perform all functions in house, while others co-source certain functions like due diligence and contract audits.
However, regardless of the size or scope of your VMO, its ultimate success may depend on where it lives within your organization. So, if you’ve decided to take a serious approach to vendor management, and you are trying to determine the best home for your VMO, there are three key questions to consider:
1. What was the primary driver for the creation of your VMO?
The primary driver for the creation of the VMO has a strong correlation with the area of the business the VMO ultimately resides in. In many cases, organizations will make the decision to create a VMO out of necessity in response to some outside factor. Some examples are:
Changes in regulations relating to third-party management (VMO may end up under Compliance)
Some type of major data/cybersecurity event such as a system breach (VMO may end up under IT)
Reaction to a failure or poor performance with a critical vendor (VMO may end up under Operations)
2. What does your organization consider to be its greatest third-party risk factor?
The areas of the business that are exposed to the highest level of third-party risk are also good to consider when determining VMO placement. Even if your vendor management program is enterprise-wide rather than department-specific, your VMO may end up being placed in an area of the business that has the highest concentration of third-party risk. Here are two examples:
If an organization in a highly regulated industry considers compliance risk to be its greatest third-party risk factor, the VMO might end up finding a home within the organization’s Risk or Compliance department.
If an organization relies heavily on third parties for management/storage of its confidential and sensitive data (or uses a lot of vendors who otherwise have access to its nonpublic data), it may consider information security risk to be its greatest third-party risk factor. In this scenario the VMO may end up residing under the Information Technology department.
3. Who is your Executive Sponsor for the VMO?
The answers to questions #1 and #2 above will help to determine who the executive sponsor within your organization should be. Once an Executive Sponsor is assigned, your VMO’s home within your organization should be clear.
It is important to remember that a successful enterprise-wide VMO interacts with all areas of the business. So even if your VMO reports up to a Chief Information Officer, that does not mean that the VMO’s scope should be limited to IT vendors. The VMO should assess and manage all third-party relationships consistently.
Having an Executive Sponsor is key to the success of a VMO: internally, the sponsor has the authority to drive participation among internal stakeholders, and externally, the sponsorship shows your third parties that you take vendor management seriously.
There isn’t a “right” or “wrong” answer when it comes time to decide where your VMO will live. Every organization is different when it comes to the placement of VMOs. When you are determining where your VMO should live, be sure to consider the three key topics covered in this article and you will already be on your way to a successful vendor management program.