Purpose:

Manage IT-related services provided by all types of suppliers to meet enterprise requirements, including the selection of suppliers, management of relationships, management of contracts, and reviewing and monitoring of supplier performance for effectiveness and compliance.

Objective:

Minimize the risk associated with non-performing suppliers and ensure competitive pricing.

Inputs:

  • High-level acquisition/development plan
  • Approved acquisition plans
  • Results of third-party risk assessments
  • Risk analysis and risk profile reports for stakeholders

Outputs:

  • Supplier significance and evaluation criteria
  • Supplier catalog
  • Potential revisions to supplier contracts
  • Supplier requests for information (RFIs) and requests for proposals (RFPs)
  • RFI and RFP evaluations
  • Decision results of supplier evaluations
  • Supplier roles and responsibilities
  • Communication and review process
  • Results and suggested improvements
  • Identified supplier delivery risk
  • Identified contract requirements to minimize risk
  • Supplier compliance monitoring criteria
  • Supplier compliance monitoring review results

Controls:

  • Supplier contracts

Task Instructions:

Identify and Evaluate Supplier Relationships and Contracts

    1. Establish and maintain criteria relating to the type, significance, and criticality of suppliers and supplier contracts, enabling a focus on preferred and important suppliers.
    2. Establish and maintain supplier and contract evaluation criteria to enable the overall review and comparison of supplier performance in a consistent way.
    3. Identify, record, and categorize existing suppliers and contracts according to defined criteria to maintain a detailed register of preferred suppliers that need to be managed carefully.
    4. Periodically evaluate and compare the performance of existing and alternative suppliers to identify opportunities or a compelling need to reconsider current supplier contracts.

Select Suppliers

    1. Review all RFIs and RFPs to ensure that they:
      • Clearly define requirements
      • Include a procedure to clarify requirements
      • Allow vendors sufficient time to prepare their proposals
      • Clearly define award criteria and the decision process
    2. Evaluate RFIs and RFPs in accordance with the approved evaluation process/criteria, and maintain documentary evidence of the evaluations. Verify the references of candidate vendors.
    3. Select the supplier that best fits the RFP. Document and communicate the decision and sign the contract.
    4. In the specific case of software acquisition, include and enforce the rights and obligations of all parties in the contractual terms. These rights and obligations may include ownership and licensing of intellectual property, maintenance, warranties, arbitration procedures, upgrade terms, and fit for purpose, including security, escrow, and access rights.
    5. In the specific case of acquisition of development resources, include and enforce the rights and obligations of all parties in the contractual terms. These rights and obligations may include ownership and licensing of intellectual property; fit for purpose, including development methodologies; testing; quality management processes, including required performance criteria; performance reviews; the basis for payment; warranties; arbitration procedures; human resource management; and compliance with the enterprise’s policies.
    6. Obtain legal advice on resource development acquisition agreements regarding ownership and licensing of intellectual property.
    7. In the specific case of acquisition of infrastructure, facilities, and related services, include and enforce the rights and obligations of all parties in the contractual terms. These rights and obligations may include service levels, maintenance procedures, access controls, security, performance review, the basis for payment, and arbitration procedures.

Manage Supplier Relationships and Contracts

    1. Assign relationship owners for all suppliers and make them accountable for the quality of service(s) provided.
    2. Specify a formal communication and review process, including supplier interactions and schedules.
    3. Agree on, manage, maintain, and renew formal contracts with the supplier. Ensure that contracts conform to enterprise standards and legal and regulatory requirements.
    4. Within contracts with key service suppliers, include provisions for the review of supplier site and internal practices and controls by management or independent third parties.
    5. Evaluate the effectiveness of the relationship and identify necessary improvements.
    6. Define, communicate, and agree on ways to implement required improvements to the relationship.
    7. Use established procedures to deal with contract disputes, first using, wherever possible, effective relationships and communications to overcome service problems.
    8. Define and formalize roles and responsibilities for each service supplier. Where several suppliers combine to provide a service, consider allocating a lead contractor role to one of the suppliers to take responsibility for an overall contract.

Manage Supplier Risk

    1. Identify, monitor, and, where appropriate, manage risk relating to the supplier’s ability to deliver service efficiently, effectively, securely, reliably, and continually.
    2. When defining the contract, provide for potential service risk by clearly defining service requirements, including software escrow agreements, alternative suppliers, or standby agreements to mitigate possible supplier failure; security and protection of intellectual property (IP); and any legal or regulatory requirements.

Monitor Supplier Performance and Compliance

    1. Define and document criteria to monitor supplier performance aligned with service level agreements and ensure that the supplier regularly and transparently reports on agreed-on criteria.
    2. Monitor and review service delivery to ensure that the supplier is providing an acceptable quality of service, meeting requirements, and adhering to contract conditions.
    3. Review supplier performance and value for money to ensure that they are reliable and competitive, compared with alternative suppliers and market conditions.
    4. Request independent reviews of supplier internal practices and controls, if necessary.
    5. Record and assess review results periodically and discuss them with the supplier to identify needs and opportunities for improvement.
    6. Monitor and evaluate externally available information about the supplier.