Vendor governance is the process that enables your organisation to get more value from your vendors through trackable artefacts that align to policy and procedure.
Effective vendor governance requires formal structure aligned to a set standard. This standard must be monitored for quality and control compliance, which is difficult and time-consuming.
The governance structures are typically aligned to legislation as well as internal standards. Organisations must have a provable process that details the required artefacts to ensure they meet requirements such as privacy standards (for example, the GDPR), industry standards (for example, PCI DSS) and international legislation (for example, the Foreign Corrupt Practices Act, FCPA).
Ensuring all vendors comply with your governance requirements is challenging. The sheer volume of assessments, reporting and tracking makes this task nearly impossible over the lifetime of the vendor relationship – and yet monitoring is crucial, because your organisation could be held accountable should any legislation be breached.
However, should you have proof that you are not responsible for any breaches and did everything in your power to enforce compliance, your risk of liability is reduced (for example, under the process defined in Article 28(3) of the GDPR).
The problem is that organisations lack the skills and resources to implement, monitor and improve vendor governance.