Creating a procedures document isn’t really the kind of task that’s performed in one sitting. The time, energy and resources required to complete it strongly depends on the size and complexity of what you’re trying to document. But, regardless of the size of your organization, the method for capturing your daily tasks in written form follows the same approach.
So, where to begin with your vendor management procedures?
Like any writing assignment, it’s good to start with your outline, right? Luckily, (or should I say, hopefully), you already have a policy in place to provide you the perfect outline to start with. I would argue to say that the most well-written and organized procedures are those which align in structure with their associated policies.
While the policy can serve as your frame, you may not want to put all the procedures for one policy into a single document. For example, your third-party risk management policy may include guidance on performing risk assessments, conducting due diligence, contract management, vendor remediation and escalations, reporting, etc. Each one of these topics may have one or more associated procedures, and that’s okay. The important thing is to have an appropriate reference to the applicable policy guidelines for each of your procedures, however you choose to organize them.
Understandably, not all sections of your policy require procedures, like “scope and accountability” for example. In fact, the particular areas that require procedures are really contingent upon the needs of your team and organization.
Some processes that I find really benefit from well written procedures include:
- Onboarding a new vendor
- Creating a vendor record in your system or database
- Kicking off a periodic vendor assessment
- Creating an executive report
It’s also important to consider the tasks that seem to have the most mistakes, require the most attention to detail, produce important control objectives/deliverables or tasks that other areas might assist with performing.
4 Vendor Management Policy and Procedure Best Practices
Here’s a few other tips to help with the creation and alignment of your procedures and policies:
1. Add a narrative.
I’ve found that the most valuable procedures paint a coherent story of the process. Remember, procedures act as guidance for someone who needs instructions on how to conduct the work. All of my procedures begin as a flow chart or checklist. When necessary, they can be expounded upon with a “how-to” narrative.
Pro-tip: If you’re documenting a process that you’re not intimately familiar with, be sure to sit with someone who performs the task and interview them. Have them train you on what to do as if you’re a new hire, or performing the task for the first time, and take good notes. Then, build upon those notes to develop the procedures.
It’s important to note, there are different styles for procedures you can chose from. Depending on what works best for the task, team, department, management, regulators, industry, etc., you may decide to explain how things are done in paragraph format or a detailed list of instructions. Screenshots associated with the procedures are also a great add-in. Some procedures are labeled section-by-section in congruence with the policy document, or to match the different steps of a flow chart.
2. Check your work.
The best way to validate that you have a good procedures document is to have someone who is unfamiliar to the process use the procedures to try and perform the task. This is a great way to get some outside perspective and see if they work as desired. With any document, especially policies, programs and procedures, it’s important to have another set of eyes check your work before submitting for approval.
3. Verify control objectives.
Once you start to have your key processes written out in procedure documents, it’s a good idea to re-check your policies and make sure the controls and requirements are clearly addressed in the procedures. For example, if your policy states that a report on vendor metrics is provided to the risk committee on a monthly basis, be sure your procedures state how that is accomplished. If the policy states that all high-risk remediation items will be reported to the committee as well, be sure the procedures for creating that report include the like.
Pro-tip: Policies tell you what has to be done, and procedures explain how to do it, so the best governing documents clearly state how they relate to each other.
4. Assure procedures are properly maintained.
Unlike policies, changes to procedures should not require senior-level approval every time. Ideally, your procedures should be a living, breathing aid that is updated any time a change is made to the way things are done. It is, however, important to keep version control, and assure the procedures are at least reviewed on an annual basis to assure they’re still relevant and continue to align with the associated policy.
With these tips in mind, you should be well on your way to creating procedures which seamlessly align with your comprehensive policy.