What are Vendor Performance Reviews?

Published August 13, 2020 • 3 min read

Vendor performance reviews help you periodically assess the quality of vendor and supplier performance throughout your organization’s supply chain, ensuring that you’re getting the most “bang” for your buck, that poor performance is caught and avoided, and that your enterprise avoids exposure to third-party risks.

Essential to good vendor management, vendor performance reviews enable you to track and assess the products and services your third parties supply and to engage in proactive performance management in all your supplier relationships for continuous improvement and ongoing customer satisfaction.

Why conduct vendor performance reviews?

For many entities, organizational performance management is intricately linked with supplier performance management. Without third-party suppliers providing essential parts or services, some enterprises wouldn’t be able to function. Entity-supplier relationships are symbiotic, and when the vendor doesn’t meet expectations, the contracting organization may suffer, too.

Vendor performance reviews can help your organization to:

  • Track and monitor suppliers’ compliance with contracts;
  • Know when the vendor is falling short of expectations, and in what areas;
  • Work with the vendor to improve performance issues;
  • Compare and contrast vendors’ performance;
  • Proactively resolve issues to avoid harm to your own productivity or services;
  • Ensure that your entity is making the best use of vendors’ services.

Start with the basics

Vendor performance reviews start by measuring whether your entity’s third-party vendors or third-party suppliers are meeting the goals established by key performance indicators (KPIs) and service level agreements (SLAs) in your contract with your vendors or suppliers.

So at the very beginning of each vendor relationship, it’s important to have KPIs and SLAs mutually agreed upon as benchmarks against which to measure vendor performance.

What kinds of professional characteristics are an important part of your vendor relationships? Do you need quick responses to your requests? Must your vendors be compliant with certain regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or with industry standards such as System and Organization Controls for Service Organizations 2 (SOC 2) or the International Organization for Standardization (ISO) 9001 (quality management) or 27001 (information security management)?

Your criteria may differ depending on a variety of factors, including:

  • Company size
  • Amount and sensitivity of your information handled
  • Type of business
  • Compliance requirements—yours and theirs
  • Complaint history
  • Financial stability.

If you’re dealing with multiple vendors, you may want to classify and rank them according to their criticality for your business and the sensitivity of the information they handle for you. Then you can devise supplier performance criteria for each classification rather than creating a separate review for each individual vendor.

Decide when to review, and how often

The time to initiate reviews of a third-party vendor’s performance is about 90 days after contracting with them. Then, at about six months before the contract renewal date, conduct another review.

This timetable varies, however, depending on the vendor’s level of criticality and the sensitivity of the information they are handling, as demonstrated by the following best practices: 

  • High-risk vendors whose performance could affect your customers: quarterly reviews
  • Medium-risk (back-office) vendors posing only an indirect risk to your customers: reviews every six months
  • Low-risk vendors, including information technology (IT), human resources (HR), and vendors posing no risk or threat to your customers: annual reviews

A good vendor management solution can help you classify your vendors and alert you when it’s time for review.

Adopt or design a review method

A number of good vendor review templates are available for you to use when writing your vendor questionnaire and creating your scoring system, important first steps in the supplier evaluation process.

Vendor risk management software can also be helpful when designing your supplier performance review, and may even conduct your reviews, collect and collate answers, and present vendor performance in user-friendly dashboards so you can see where the gaps are in your vendor risk management program and how to fill them.

As your team writes, conducts, and assesses vendor performance reviews, the process may also prompt it to discuss and refine its use of the vendor, including:

  • What the company purchases from the vendor, and why
  • What the company will need in the longer-term, and whether the vendor can meet those needs
  • Who the vendor’s competitors are, and whether to switch.
