
Vendor Management: Whose Job Is It?

January 21, 2008

The issues of compliance and regulation are of growing significance worldwide. Yet it is evident that there is a continuing mismatch between contract terms and supplier capabilities. In today’s environment, can we rely on the old approach of simply ignoring or paying lip service to performance standards that go beyond product and service quality and tackle wider aspects of company performance or ethics?

In recent years, we have witnessed a steady expansion of the terms that buyers seek to impose – expanding from areas like Most Favoured Customer and levels of insurance to embrace political, social or ethical values. But for both sides, there has typically been little monitoring. However, now we see sophisticated software tools that will enable more rigorous oversight. Will this simply generate increased conflict in negotiation, or will some suppliers see an opportunity to create competitive advantage? And are these incremental commitments something for which buyers are prepared to pay, or simply ‘a price of entry’? 

What new terms or contracting practices might this trend generate? This article offers a few ideas. Let’s start with an example of the problem that was sent by one of our members in New Zealand (just demonstrating the universal nature of the issues now facing us as a community):

“My company provides consultancy and software services to businesses, giving visibility and best practice processes to their vendor governance. At the moment we are focusing on IT and FMCG companies and we are seeing an upward trend towards compliance requirements being imposed by their customers although virtually zero awareness from stakeholders within these businesses of those compliance requirements. An excellent example is with one company in the FMCG sector where we reviewed their top 21 suppliers which accounted for more than 80% of their spend, 11 of these suppliers required Food Safety Authority compliance or the equivalent and we were staggered to discover 9 suppliers did not comply. Had they been audited, the site would have been closed down and operations terminated immediately until compliance was achieved. 

We have also noted that awareness amongst executives, management and stakeholders is low, to the extent that someone else is expected to have completed appropriate due diligence associated with each external supplier engagement, which includes SLA/KPI and contract negotiation prior to execution. However, in its simplest form, we are finding the business representatives are committing the organisation to almost anything so long as it meets the buyer’s immediate criteria of what is it, how much does it cost and when can I have it. Ultimately this occurs through a lack of visibility and governance responsibility and awareness training.

We are introducing to these companies stakeholder awareness and supplier surveys that consider various elements of supplier excellence, such as performance, communication, responsiveness, flexibility, ROI, technology or service capability and competence.

Significantly, we are also seeing in some businesses that whilst the executive and finance areas generally support greater visibility and management of their suppliers, some procurement teams and/or long serving individuals (especially where they have operated in silos) are approaching such change as a threat to their controls or perceived power over suppliers and have been very resistant.” 

I replied to this note with the following observations and suggestions: 

“Your findings certainly mirror the lip-service that is frequently paid to compliance obligations. Obviously the rigor with which review is occurring depends significantly on the jurisdiction and the extent of corporate governance oversight. The other – and increasing – driver is summed up by ‘reputation risk’ – and this is probably more powerful right now in most jurisdictions than any government oversight. As highly publicized cases like Mattel, BP or some of the financial services exposures demonstrate, the speed and extent to which governance failures become evident has been transformed by today’s networked economy. Global information flows mean instant awareness and a growing inability to blame others.

Certainly, such exposure can have a range of negative impacts, both long and short term, such as loss of stock price, loss of customers and potential for litigation or fines. However, as you indicate, management in many companies appears to prefer to turn a blind eye and hope for the best, rather than spend the time and money to develop effective oversight. IACCM recently ran an Ask The Expert call on this subject. While the focus was information security, the conversation applied to pretty much any aspect of compliance – and the case studies confirmed the reluctance of senior management to develop a policy that goes far beyond “Let’s hope for the best”.

So what can be done? 

Clearly the work of consultants and software providers can be fundamental in spreading awareness and perhaps having management consider the risks they face by failing to monitor their obligations. As a customer, if I feel it is worth requiring a commitment, it would certainly seem smart to then monitor compliance.

Another approach to this might be to cite significant consequences for non-compliance – and to include as a requirement that the supplier self-certifies on a periodic basis (failure to self-certify being a cause for the specified consequences to come into effect). The advantage of this approach is that it places responsibility and cost at the door of the organization making the commitment.

Otherwise, I am seeing early development of software tools to support compliance monitoring. Aravo is a leading example and IACCM featured their CEO on an interview just before Christmas. Others – for example, from the Legal compliance area – are also developing applications and I have encountered several more (including in Australia and New Zealand).

I think the key to improvement is the need to offer realistic and actionable solutions to management, so they can make a balanced decision on the relative costs of effective versus ineffective oversight. The two methods I mention could bring us to this point, where either suppliers or their customers could estimate the cost of implementing a program versus the risk of not having one. But cost avoidance is never an easy sale and I suspect that we will need more exposés – and perhaps more regulatory involvement – before the majority of companies take action.

In Summary: Think The Opposite?

Technology is a key element in any solution, but it must be an integrated application. There are just so many partial solutions out there and either they represent an integration and maintenance nightmare, or they require groups like Procurement to flop between multiple systems both for data entry and extraction.

It seems to me that much of the responsibility for compliance needs to be pushed back onto the supplier and we need to think more creatively about their overall certification of performance and the consequences if a) they cannot certify or b) they are found to falsely certify.

At present, many ‘commitments’ are just empty promises because everyone knows they won’t be monitored and if they are, then either a) fault can be disputed or b) there are no tangible consequences (‘sorry, won’t do it again’).

It seems to me that a requirement for periodic certification compliance with tangible consequences for failures might attract the interest of management at suppliers and change their attitudes. And if those consequences were even more severe if they were found to be untrue, or if they failed to submit the certification, they might actually start to monitor and ‘systems assure’ their performance. The point here is that it might shift the responsibility for checking performance back to the person who made the promise, rather than as it is today – on the recipient of the promise.

Liquidated Damages are a good example. Our research suggests pervasive use, but that collection occurs in a minority of cases. There are many reasons for this – but key is the fact that it is up to the customer to monitor, call out failures and battle for collection. But maybe the onus should be the other way round, with rights of audit on a selective basis and consequences then doubled or trebled for either failure to provide accurate information or for dishonest reporting – in other words, let’s reward honesty and punish dishonesty and evasion.

  1. Great Tim, I am glad you have raised this important topic. As mentioned to you earlier, we as a contract management software provider saw, after 18 years in the business, an increasing need for linking better vendor management information to contract management practices. Our customer base started to demand this kind of insight. This resulted in us, together with our biggest customer Total E&P, developing a solution integrated both with our contract management solution (Contiki ECM) and their Supplier Relations Management solution SAP. It resulted in the solution Contiki SPM (Supplier Performance Management). What have we learnt from this? We have together found some clear benefits by keeping a closer look at the global vendors:

    Benefits By Measuring Vendor/Supplier Performance:

    Take advantage of the Vendor information shared with the other departments, other affiliates, other operators, etc… → increase operation efficiency.

    Vendor list to investigate (new Vendors, local Vendors, emerging Vendors,…) → ethical aspects: sound and fair competition.

    Optimization of the Vendor panel to increase competition between the Vendors → money saving.

    Availability of the bidder list with Vendors already prequalified according to standards → time saving.

    Tom-I Aas, CEO CMA Contiki

  2. Great Article! We engage on a daily basis with many relationship managers and compliance officers from F1000 clients in highly regulated industries. I would agree that the reputational and financial risk of not monitoring vendor compliance with company controls and contract terms poses a growing threat especially as more and more sensitive data is being shared with third parties. It appears that regulators are starting to “wake up” since several federal and state laws such as the Gramm-Leach-Bliley Act mandate that corporate control activities extend to third party relationships. However, there are significant costs to performing the required assessments for both the vendor and client.

    Fortunately, we are seeing companies starting to incorporate vendor compliance into their normal business processes. Programs such as BITS FISAP (Financial Institution Shared Assessments Program) are helping to create industry standard self-assessment and audit procedures which will decrease the cost of effectively monitoring compliance. Additionally, we are seeing companies using software to effectively and efficiently compile all certification results tied back to contract/SLA terms and automatically generate scores and action items which pinpoint potential problems.

    Thanks for the information … spot on!
