
Vendor Management Governance Playbook

Establish right-sized governance proportionate to vendor risk and strategic importance. This playbook defines ownership models, review cadences, and escalation procedures aligned with third-party risk management best practices.

Vendor Management v1.0 | Pro Tier | 30 min read

Governance Structure

Vendor management requires cross-functional governance involving procurement, risk, finance, and business stakeholders. Over-governance creates procurement bottlenecks that drive shadow IT. Under-governance exposes the organization to financial, operational, security, and compliance risks.

Vendor Management Governance Committee

Role | Responsibility | Meeting Attendance
Chief Procurement Officer (Chair) | Strategic sourcing direction, policy decisions | All meetings
TPRM Manager | Risk assessment oversight, risk acceptance decisions | All meetings
Contract Manager | Contract lifecycle governance, terms standardization | All meetings
Finance Representative | Budget oversight, spend analytics | All meetings
Security Representative | Vendor security assessments | Monthly

Data Ownership Matrix

Clear data ownership ensures accountability for data quality, completeness, and currency across all object types.

Vendor Object Type

Aspect | Owner
Data Steward | Vendor Manager
Update Authority | Vendor Managers, Procurement Analysts
Validation Owner | TPRM Team
Archive Authority | Vendor Management Lead

Contract Object Type

Aspect | Owner
Data Steward | Contract Manager
Update Authority | Contract Administrators
Validation Owner | Contract Owner (per contract)
Archive Authority | Contract Manager

Governance Note: All contracts greater than $25,000 annual value must be registered. Contract records are retained for 7 years after expiration.

Risk Approval Matrix

Vendor risk governance requires clear thresholds determining who can approve vendor engagement at different risk levels.

Risk Level | Approval Authority | Additional Requirements
Critical | Governance Committee + Executive Sponsor | Business case, documented risk acceptance, quarterly reviews
High | TPRM Manager + Business Unit VP | Documented risk acceptance, semi-annual reviews
Medium | TPRM Analyst + Business Owner | Standard mitigation tracking, annual reviews
Low/Minimal | Vendor Manager | Standard vendor management

Review Cadences

Daily Operations

  • Review of contracts expiring within 120 days
  • Triage of critical vendor issues
  • Review of SLA breach alerts

Weekly Reviews

  • Monday: Vendor Operations Meeting
  • Tuesday: New vendor onboarding pipeline
  • Wednesday: Contract renewal decisions
  • Thursday: Issue resolution progress
  • Friday: SLA performance summary

Monthly Reviews

Activity | Owner | Week
Vendor Governance Committee | CPO (chair) | Week 1
Risk assessment completeness | TPRM Manager | Week 2
Spend variance analysis | Finance | Week 2
SLA performance report | Vendor Manager | Week 3
Contract portfolio status | Contract Manager | Week 4

Quarterly Reviews

  • Vendor Portfolio Review by Governance Committee
  • Critical vendor business reviews (QBRs)
  • Risk assessment refresh for Critical vendors
  • Performance reviews for Critical/High vendors
  • Consolidation opportunity identification

Escalation Procedures

Issue Escalation Levels

Level | Authority | Response Time
L1 | Vendor Manager | Within SLA
L2 | Vendor Management Lead | 4 hours (Critical), 1 day (High)
L3 | TPRM Manager / Contract Manager | 1 day
L4 | CPO / Governance Committee | 2 days

Contract Renewal Escalation

Days to Notice Deadline | Escalation Action
90 days | Notify Contract Owner and Business Owner
60 days | Escalate to Vendor Management Lead
45 days | Escalate to CPO
30 days | Emergency Governance Committee review

Data Quality Rules

Quality Targets

Object Type | Quality Target | Measurement
Vendor | 95% pass all rules | Monthly data quality scan
Contract | 98% pass all rules | Weekly renewal review
Risk Assessment | 100% approved before vendor activation | Onboarding checklist
Spend | 95% categorized within 5 days | Monthly reconciliation