Breathing New Life into Traditional Vendor Management

Vendor risk management is part of effective governance.

SIG University Certified Third Party Risk Management Professional (C3PRMP) Program graduate David England has noticed a decline in vendor management teams. He shares his thoughts on how the adoption of third-party risk management strategies by vendor management teams can help position them as a key asset and reverse their decline.

In the C3PRMP program, students focus on best and emerging practices to identify, assess, manage and control third-party risk throughout the lifecycle of relationships, and learn how to align risk fundamentals and frameworks with risk culture to develop the essential tools and controls for effective governance.


There is a growing awareness within the mainstream business community of the importance associated with effective third-party risk management – a capability that has been nicely incubating and maturing within heavily regulated industries, such as banking and financial services, for eons. This increased exposure and attention could be just what is needed to revitalize the flagging vendor management movement.

Many F500 organizations have well-established vendor management capabilities that emerged several decades ago with the onset of strategic process outsourcing and continue today as an effective operational strategy. Many organizations I have consulted with over the past 15 years benefit from these capabilities, which have helped them achieve the value intended from these important vendor relationships. These key capabilities include:

  • Contract Deliverable and Obligation Management – The ability to establish alignment between both parties regarding commitments, reaching agreement on the evidence required to ensure compliance, and working together to manage compliance both on a periodic (i.e., monthly, quarterly, annual) and ad-hoc (i.e., major incident) basis. The ability to hold all stakeholders accountable for their commitments is essential in the development of the trust that makes for successful, long-term relationships.
  • Service Level Monitoring and Verification – The ability to ensure service commitments are met is fundamental to service level agreement-based relationships. Ensuring that the agreed methodologies are being applied appropriately and calculated correctly is important and often more difficult than organizations anticipate – for example, ensuring that exceptions are properly documented, approved and reflected within the calculations. Organizations that don’t perform this well are often victims of the “watermelon effect,” in which performance reports show “green,” but the service customers feel “red” with respect to supplier performance.
  • Financial Monitoring and Verification – Ensuring that the company is paying the appropriate and agreed-to amount for services rendered. With the complex and dynamic pricing schedules that are commonly associated with these services, this requires the ability to verify the accuracy of invoices and supporting data, and to ensure that service credits are being properly applied, to prevent what can amount to significant monetary leakage if overlooked.
  • Change Management – Ensuring that the agreement remains aligned to the needs of the business and ensuring new service requests are effectively screened to confirm that requested services are not already covered within the agreement scope – another common source of value leakage.
  • Relationship Management – The ability to effectively close issues and actions that address non-conformances or anticipated innovation and service improvement objectives is important to unlocking the full potential value of strategic outsourcing relationships.

Despite possessing these valuable capabilities, a disturbing trend has emerged in the vendor management community – many F500 organizations don’t appreciate or understand their vendor management groups and are openly questioning the value of these organizations. Over the past few years, there have been more cases in which organizations have dismantled or downsized their vendor management teams, only to realize the value they delivered once they were gone.

The emergence of third-party risk management into mainstream business could be just what vendor management groups need to reassert themselves and position themselves as a critical business capability that supports effective third-party risk management for their organizations.

High-performing vendor management teams that have matured their capabilities possess many of the essential skills required to effectively deliver third-party risk management support for the organization.

However, many of these teams will need to expand their capabilities to address the following areas:

  • Third-Party Segmentation – A robust third-party risk management capability requires the ability to manage a broad portfolio of third-party relationships and ensure that an appropriate level of governance is being applied – also referred to as “risk-adjusted” risk management. Teams will need to develop the ability to segment their suppliers based on the risk profile associated with each relationship.
  • Third-Party Risk Monitoring and Assessments – Administering the process to verify that information previously provided by third-party organizations about their control environment is unchanged; determining if there are new or emerging threats in the landscape; and determining whether the controls you required have changed and, if so, testing them as well. This is a new effort in which teams can apply the disciplined focus that has been a beneficial part of their vendor management program.
  • Remediation – Applying closed-loop contract issue and action item management to remediate third-party control deficiencies is usually no more than an extension of capabilities that teams have used to address contractual compliance matters.
  • Relationship Management – The practices used to deal with issues and actions that resolve non-conformances or address innovation and service improvement objectives can be applied to closing third-party risk management issues and actions.

Growing awareness of the importance of third-party risk management could just be what many high-performing vendor management groups need to demonstrate value and to be recognized as a key asset for their organization’s success.


The Certified Third Party Risk Management Professional Program is a video-based program designed for the time-constrained professional.

David England, Director, Governance Services at ISG

David England, Director, Governance Services with ISG, is a seasoned executive with deep expertise in global sourcing management, strategic relations management and third-party risk management.

David is among ISG's most accomplished experts in vendor governance for global sourcing relationships and has extensive outsourcing expertise spanning all aspects of information technology. David has been responsible for developing, implementing and delivering vendor governance solutions as well as providing outsourcing advisory and third-party risk management consulting. David’s clients benefit from his long-term experience in sourcing advisory, transition and transformation services, in which David has delivered advice on strategy and delivery to senior executives and has been responsible for the execution of services for more than 25 years. Prior to Alsbridge, David was a Managing Consultant with A.T. Kearney and worked in the Asia Pacific region for 11 years. Prior to A.T. Kearney, David held Account Management positions at EDS and supported multiple accounts at General Motors and Delphi.