A vendor is a general term used to describe any supplier of goods or services. A vendor sells products or services to another company or individual. A manufacturer that turns raw materials into a finished good is a vendor to retailers or wholesalers. Some vendors, like food trucks, sell directly to customers.
Then there is the IT vendor, with whom we should be familiar. To expand the definition further, we distinguish between Vendors and Partners.
A Partner is a firm that has critical expertise and resources. They are aligned, integrated, and committed to their client’s success.
A Vendor is a firm that agrees to provide expertise and resources around a set of agreed upon services. In exchange, there is an agreed upon financial transaction.
Without being too pedantic about the semantics of "vendor", and of "IT vendor" in particular, for the purposes of this article suppliers and providers of any IT goods and services, including IT Security/Cybersecurity consultants, will be generically termed IT Vendors.
Vendor Definition in The IT Industry
In the IT-related business world, there are the Vendor (the sellers) and the End Users (the clients, the customers, the buyers).
Do note that there is a slight difference between a User and an End User.
If you are provided with the necessary devices, such as a smartphone, laptop or earphones, to do your job, then in that situation you are an end user.
Simply put, the main difference between these terms is that a customer purchases and consumes a particular product as a user, while an end user only uses it.
In short, a User owns and uses whilst an End User uses only.
What do you know about your vendor?
I won't be far off the mark in saying that not many organisations really know their vendors. There are many cases of vendor relationships that have gone wrong, and many reasons why organisations should know who they are conducting business with.
Cases have shown that working with the wrong vendors can put an organisation's reputation and financial stability at risk. To minimise such risks, organisations should know who they are dealing with. One way a company can do this is by conducting due diligence or screening of its vendors. Unfortunately, this is not carried out or adhered to by many organisations. Cost and time are the most common reasons; in other instances, the smooth talking of the vendor's sales representative has already secured the trust of the organisation's person(s)-in-charge.
To ensure the integrity of a vendor, the due diligence or checks carried out should cover at least the following areas:
- IT (software, systems and platforms are current and up-to-date)
- Compliance and Privacy (adherence to PDPR and GDPR with respect to the vendor's data privacy, and what anti-bribery measures are in place)
- Insurance (adequate insurance to cover liabilities, breaches and other risks)
- Legal (types of legal standards)
- Employees (how is candidate screening conducted, and what screening standards are adopted and practised?)
- Last but not least, Quality (how is quality managed?)
Third-Party Vendor Risk
Third-Party Risk, i.e. managing vendor risk, is critical for organisations to have in place, because the focus on vendor relationships, and on the risks and responsibilities associated with them, is evolving at a fast rate.
Vendor Management reached new heights of importance when regulations were formulated in recent years and compliance became the new motivator to control these relationships.
With the increased practice of sharing private and sensitive data with vendors, risk is now the main motivator and concern, as organisations have begun to view the risks presented by their vendors holistically. To evaluate such risks correctly, a risk assessment must be performed on every vendor: the knowledge that vendors fall victim to data breaches is a great concern to organisations dealing with many vendors and suppliers.
Data breaches have certainly drawn more and more attention towards vendor management over the past few years, and for good reason. Regulators have been attempting to ensure organisations have the tools (such as SOC for Cybersecurity) to deal with this, as well as the means to proactively mitigate vendor risks. However, this is only one of many areas in which vendors present risk to an organisation.
Some of the others are listed below:
- Cybersecurity risk: with cyber threats growing in speed and sophistication, it is more important than ever that the vendor's cybersecurity posture is monitored.
- Compliance risk: risk arising from violations of laws, rules or regulations, or from intentional or inadvertent non-compliance with internal policies or procedures or with company business standards. This type of risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies or ethical standards.
- Reputational risk: risk arising from negative public opinion or perception, for example third-party relationships that result in dissatisfied customers, interactions inconsistent with policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, or violations of laws and regulations.
- Financial risk: risk arising when vendors are unable to meet the fiscal performance requirements set by the organisation (the customer/client). For vendors, there are two forms of financial risk: excessive costs and loss of revenue.
- Operational risk: risk occurring when vendor processes shut down, i.e. the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
- Performance risk: risk arising from problems with service or product delivery, i.e. the vendor fails to achieve the service level committed to in the SLA (service-level agreement), the agreement between a service provider and a client covering the aspects of the service: quality, availability and responsibilities.
- Strategic risk: risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner consistent with stated strategic goals. In other words, risk arises when vendors make business decisions that are not aligned with the client organisation's strategic objectives.
In conclusion, Vendor Management is an important process that empowers an organisation to take appropriate measures for controlling cost, reducing potential risks related to vendors, ensuring excellent service delivery and deriving value from vendors in the long run.
Remember these quotes about Vendors:
- 19 May 2022
- By:Bernadetta Septarini
- Category: ArmourShero