Vendor Management

Introduction

For security, compliance, and ethical reasons, Catalyst is dedicated to maintaining firm control of its vendor relationships.

Scope

This policy will govern goods or services provided to Catalyst by a vendor, and the relationship that Catalyst maintains with those vendors.

Roles

Business Owners of vendors are responsible for maintaining Catalyst's relationship with the vendor and the controls for the risk that relationship poses to Catalyst. Business Owners must recognize when the nature of a vendor relationship changes and submit "new risks" accordingly.

Policy

  • All vendors will have an assigned Business Owner who is responsible for ensuring proper controls, supply chain consideration, and oversight are in place for the vendor.
  • Catalyst will maintain a vendor database according to the following criteria: access, service type, importance, and risk score.
  • Vendors categorized as "Critical" should have a designated backup vendor.
  • All vendors not categorized as "Supplier-Only" must have a Non-Disclosure Agreement with Catalyst.
  • If a vendor intends to subcontract any portion of the services that Catalyst uses, it must be a qualified and accepted risk.

New Vendors

  • All new vendors of Catalyst will undergo a "New Risk" evaluation as defined by the Risk Management Policy.
  • The Security and Compliance Committee (SCC) must qualify new vendors unless they are medium- or low-importance supply-only vendors. The SCC reserves the right to require a Business Operations and Strategy committee vote on any new vendor.

Existing Vendors

  • High-risk vendors should be re-evaluated annually and/or if the conditions of their business change.
  • If the risk score changes from the previous assessment, a vendor should be re-submitted for qualification and approval as defined by the Risk Management policy.

Compliance

Violations of the policy will be met with corrective action with the possibility of disciplinary action up to, and including, termination of access to Catalyst facilities and systems, or other actions as defined in the contract with the Vendor.

Department Directors are responsible for the regular oversight of their department's vendor engagement.

Exceptions

There are no exceptions to this policy.

Colophon

Owner: Security and Compliance Committee

$Date: 2018-07-18 08:27:51 -0600 (Wed, 18 Jul 2018) $

$Revision: 468889 $
