Creating a Vendor Management Policy

Creating a vendor management policy is an essential part of an effective IT risk management plan. A vendor management policy is also a requirement under several regulatory compliance models that apply to colleges and universities as well as to corporations.

It began to occur to me in recent weeks, while writing about the new service provider audit program SSAE 16 and in my last post on help desk outsourcing companies, that there may be a large number of institutions operating without any formal IT controls in place to manage IT vendor related risks. If that is the case, it would be very problematic for institutions that depend on vendors for mission critical functions or high risk operations. And for me it would be particularly troubling, given how often I recommend vendor management programs in other posts.

Vendor Management Policy Sample

So I decided to pull together a vendor management policy sample and make it available here. The Vendor Management Program sample is free to subscribers via a secure link that will be emailed to you for immediate download.


The Vendor Management Program sample is modeled after the comprehensive vendor management policies used in regulated industries such as banking, healthcare, and higher education.

The sample includes:

  • Standard policy framework
  • Roles and responsibilities
  • Vendor criticality classification (rating model)
  • Vendor risk management approach
  • Vendor selection criteria
  • Contract recommendations
  • Ongoing vendor monitoring

The Vendor Management Program is intentionally very detailed and includes several vendor management policy templates and samples, so you can quickly set up a vendor management program of your own with confidence that it should satisfy your compliance objectives.

The Vendor Management Program is an MS Word document, so you can easily make changes as you adjust the template to fit your policy model and specific needs.

This approach was chosen in order to support the diverse compliance landscape found in higher education, which includes several consumer protection and healthcare regulations, and to be useful to the corporate CIO readers of this blog.

Implementing Vendor Management

Depending on whether your institution already has policies or procedures covering procurement, purchasing, enterprise governance and compliance, and on how thorough they are, simply delete the unnecessary sections or simplify the language to fit your organization's policy framework. You may also want to discuss with your CFO the option of broadening the program to all vendors, not just IT vendors. That is advisable: it changes only a few elements, and the basic model still works.

I realize this can seem overwhelming at first because there is a lot to take in, especially if you don't have anything in place today. So consider starting by reading through the sample a few times and noting the policy areas that sound useful to you right off the bat. Then have a discussion with your CFO and compliance officer to develop a shared strategy. That strategy may be to get something simple started, based on your immediate concerns or on the vendors most critical to your operations, and then build upon it once you gain some comfort with the program.

Start by taking an inventory of all IT vendors and assigning a criticality rating to each of them. If you don't already have BIA/BCP data, work with your peers to gather an initial recovery time objective (RTO) for each vendor and use it to validate the classification: a vendor with a short RTO cannot sensibly carry a low criticality rating. Next, focus on the most critical vendors or those representing the greatest risk to the institution. This gives you immediate benefits while allowing you to solidify your vendor management program before applying it to all vendors.

If your institution has additional compliance exposures or special circumstances, be sure to incorporate those into your vendor management program. The areas where that is most likely are vendors handling payment processing or other forms of financial transactions, and functions that confer 'covered entity' or 'business associate' status under HIPAA and HITECH.
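The two steps above (rate every vendor, then validate the rating against its RTO and against payment or HIPAA exposure before prioritizing) can be carried out as a small script over the inventory. The example below is added here to illustrate that; it is not the rating model from the Vendor Management Program sample. The tier thresholds, the rule that regulatory exposure sets a floor on the tier, and the vendor inventory itself are all assumptions constructed for the example.

```python
"""Vendor criticality rating and review prioritization.

Constructed example: the tier model, the RTO thresholds, the compliance
floor rules and the sample inventory are assumptions, not the rating model
from the Vendor Management Program sample.
"""
from dataclasses import dataclass, field

# Assumed four-tier model; 1 is the most critical tier.
TIERS = {1: "Critical", 2: "High", 3: "Moderate", 4: "Low"}


@dataclass
class Vendor:
    name: str
    service: str
    declared_tier: int                 # tier the service owner assigned
    rto_hours: float                   # recovery time objective from BIA/BCP or peers
    data_classes: set = field(default_factory=set)         # e.g. {"PII", "PHI", "PCI"}
    regulated_functions: set = field(default_factory=set)  # e.g. {"payment_processing"}


def tier_from_rto(rto_hours):
    """Map an RTO to the tier it implies (assumed thresholds)."""
    if rto_hours <= 4:
        return 1
    if rto_hours <= 24:
        return 2
    if rto_hours <= 72:
        return 3
    return 4


def compliance_floor(vendor):
    """Most lenient tier allowed given regulatory exposure (assumed rules).

    Payment processing / cardholder data and HIPAA business associate
    functions are forced into the top tier; any other PII caps at tier 2.
    """
    floor = 4
    if "PHI" in vendor.data_classes or "business_associate" in vendor.regulated_functions:
        floor = min(floor, 1)
    if "PCI" in vendor.data_classes or "payment_processing" in vendor.regulated_functions:
        floor = min(floor, 1)
    if "PII" in vendor.data_classes:
        floor = min(floor, 2)
    return floor


def rate(vendor):
    """Return (effective_tier, findings).

    The effective tier is the most critical of: the declared tier, the tier
    the RTO implies, and the compliance floor. A finding is recorded whenever
    the declared tier is less critical than the other two require, since that
    is a classification the owner should revisit.
    """
    findings = []
    implied = tier_from_rto(vendor.rto_hours)
    floor = compliance_floor(vendor)
    effective = min(vendor.declared_tier, implied, floor)
    if vendor.declared_tier > implied:
        findings.append(
            f"declared tier {vendor.declared_tier} but RTO {vendor.rto_hours}h implies tier {implied}")
    if vendor.declared_tier > floor:
        findings.append(
            f"declared tier {vendor.declared_tier} but compliance exposure requires tier <= {floor}")
    return effective, findings


def prioritize(vendors):
    """Order the inventory for review: most critical tier first, then shortest RTO."""
    rated = [(v, *rate(v)) for v in vendors]
    rated.sort(key=lambda r: (r[1], r[0].rto_hours, r[0].name))
    return rated


def sample_inventory():
    """Constructed sample inventory (fictional vendors)."""
    return [
        Vendor("HostedSIS", "student information system", 2, 4, {"PII"}),
        Vendor("PayGate", "tuition payment processing", 3, 48, {"PCI"}, {"payment_processing"}),
        Vendor("HelpDeskCo", "outsourced help desk", 2, 24, {"PII"}),
        Vendor("CampusSignage", "digital signage", 4, 168),
        Vendor("HealthPortal", "student health records", 1, 8, {"PHI"}, {"business_associate"}),
    ]


if __name__ == "__main__":
    for vendor, tier, findings in prioritize(sample_inventory()):
        print(f"{vendor.name:<14} {TIERS[tier]:<9} RTO {vendor.rto_hours:>5}h  {'; '.join(findings)}")
```

Running it lists the vendors in review order and flags the two misclassifications in the sample: the hosted SIS owner declared tier 2 although a 4-hour RTO implies tier 1, and the payment gateway was declared tier 3 although cardholder data puts it in tier 1 regardless of its RTO. The findings, not the computed tier, are the useful output: the script should prompt a conversation with the service owner rather than silently overwrite their rating.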

I will certainly be referring back to vendor management policies and vendor management programs in the future as I revisit cloud computing service providers and IT outsourcing vendors and ways to improve their performance and reduce risk. Meanwhile, don't hesitate to drop me a note if something isn't clear or if I have missed something.

This entry was posted in IT Outsourcing, IT Performance Management, IT Risk Management.

12 Responses to Creating a Vendor Management Policy

  1. I like the program and hate not being able to adequately read the phony word to download it.
    I guess difficulty in reading drawings was the test to secure the Management Program!!!
    Jean Paul Cajolais, PhD, Emeritus, Columbia U., Ambassador USA, Canada, "higher Education"

  2. Mary says:

    I was able to download this very easily by clicking on the ‘view on slide share’ link and selecting download now.

  3. Pingback: Will ABC News Made In America Examine College IT Purchasing

  4. AeJ says:

    hi there,

    How can I download the program?


  5. AeJ says:

    Hi Mary,

    I am trying to download the program, but I do not see any 'view on slide share' link. Please help...
    Could you mail me the program?


  6. The Higher Ed CIO says:

    You can download it from, but I will send it to you via email directly.

  7. Pingback: Help Desk Outsourcing

  8. Pingback: Questions on the Sale of BlackBoard

  9. Pingback: Social Influence: Measuring and Monitoring Social Influence

  10. Pingback: Facebook Privacy Policy: Will Changes End Facebook for Colleges

  11. minette says:

    I am struggling to download the Vendor Management Policy. Please can you send it to me by e-mail directly. I think it's nice that you're helping us. Thanks.

  12. The Higher Ed CIO says:

    Just sent you the file and hope it meets your needs.
