Vendor management
Vendor management
The auditors want your third-party risk posture by Friday. Procurement wants to know which contracts auto-renew this quarter. The CFO wants vendor spend by cost centre. Today, answering any one of those takes a day of spreadsheet archaeology. This schema answers all three from a single query.
Vendor Management (v2.0) extends Core Schema with the full vendor governance lifecycle: governance profiles, contacts, contracts, products and services, risk assessments, performance reviews, SLA monitoring, spend tracking, and issue management. The vendor record itself lives in Core Schema; this schema wraps the discipline around it.
What you get
| Object Type | Purpose | Key Attributes |
|---|---|---|
| Vendor Profile | Governance profile extending a Core vendor record | Name, Vendor, Strategic Importance, Data Access Required, System Access Required, Status |
| Contact | Key contacts at vendor organisations | Full Name, Vendor, Role, Email, Status |
| Contract | Vendor contracts and agreements | Contract Name, Vendor, Contract Type, Total Value, Start Date, End Date, Owner, Status |
| Product/Service | Products and services provided by vendors | Name, Vendor, Type, Category, Annual Cost, Business Owner, Status |
| Risk Assessment | Vendor risk evaluations | Assessment Name, Vendor, Assessment Date, Overall Risk Level, Assessor, Status |
| Risk Factor | Specific risk items identified in assessments | Risk Name, Assessment, Category, Risk Score, Mitigation Owner, Status |
| Performance Review | Periodic vendor performance evaluations | Review Name, Vendor, Review Period, Overall Score, Reviewer, Status |
| SLA | Service level agreements with vendors | SLA Name, Contract, Metric, Target, Measurement Period, Status |
| SLA Performance | Tracking of SLA compliance over time | Period Name, SLA, Period, Actual, Target Met |
| Spend | Vendor spending records | Description, Vendor, Period, Amount, Category, Cost Center, Status |
| Issue | Vendor-related issues and incidents | Issue Title, Vendor, Issue Type, Priority, Reported By, Status |
11 object types · 10 reference types · extends Core Schema
Pro tip: Deploy Core Schema first. Every type in this schema links to Core objects: vendors, people, and cost centres all live there. Without Core in place, the required references have nowhere to point.
The Vendor Profile pattern
In v2.0 the vendor master record moved to Core Schema. There is no local Vendor type any more; instead, the schema ships a Vendor Profile type that extends a Core Vendor record through a required Vendor reference (reference type Profile Of).
The split works like this:
-
Core Vendor holds identity and commercial basics: Name, Type, Website, Relationship Owner, Account Manager details, support channels, Account Number, Payment Terms, Status, Risk Level, and Last Review Date. Any schema in your workspace can reference it.
-
Vendor Profile holds the governance layer: Strategic Importance, Industry, Engagement Description, Estimated Annual Spend, Data Access Required, and System Access Required. Create one profile per vendor you actively govern.
All seven vendor-facing types (Contact, Contract, Product/Service, Risk Assessment, Performance Review, Spend, Issue) reference the Core Vendor directly, not the profile. That means a vendor referenced by your Standard CMDB servers and your Software Asset Management licences is the same object your risk assessments point at.
People and funding references also resolve to Core: contract owners, business owners, assessors, reviewers, mitigation owners, and issue reporters are all Core Person objects, and spend records link to Core Cost Center objects.
If you used Vendor Management v1.x: the local Vendor type's Vendor Name attribute is simply Name on the Core Vendor. Two enum sets narrowed in the move: vendor Type no longer offers Staffing or Other, and vendor Status no longer offers Blocked (Active, Inactive, and Under Review remain).
When to use this schema
Deploy Vendor Management if your organisation:
-
Works with five or more external vendors and needs structured tracking of contracts, performance, and risk
-
Runs periodic vendor reviews or due diligence processes and needs a data trail
-
Has compliance or audit requirements around third-party risk (SOC 2, ISO 27001)
-
Manages contracts with overlapping renewal dates and wants proactive expiry management
-
Needs to report on vendor spend by category or cost centre
Core Schema is a prerequisite, not an option: this schema extends it and its required references resolve to Core objects. If your vendor relationships are primarily software licences, Software Asset Management may be a better fit; it shares the same Core Vendor records.
Schema at a glance
Vendor (CORE) ◀──(Profile Of)── Vendor Profile
Vendor (CORE) ◀──(Provided By)── Contact
Vendor (CORE) ◀──(Governed By)── Contract
Vendor (CORE) ◀──(Provided By)── Product/Service
Vendor (CORE) ◀──(Assessed For)── Risk Assessment
Vendor (CORE) ◀──(Assessed For)── Performance Review
Vendor (CORE) ◀──(Related To)── Spend
Vendor (CORE) ◀──(Related To)── Issue
Contract ◀──(Governed By)── SLA
SLA ◀──(Related To)── SLA Performance
Risk Assessment ◀──(Related To)── Risk Factor
Person (CORE) ◀──(Owned By)── Contract, Product/Service, Risk Factor
Person (CORE) ◀──(Assessed By)── Risk Assessment
Person (CORE) ◀──(Reviewed By)── Performance Review
Person (CORE) ◀──(Reported By)── Issue
Cost Center (CORE) ◀──(Funded By)── Spend
Eleven object types, structured around the Core Vendor as the central record. From a single vendor you can see the governance profile, contracts, contacts, risk status, performance history, spend, and open issues, alongside everything else in your workspace that references the same vendor.
Documentation
Quick Start Guide Deployment guide covering the Vendor Profile pattern, contract setup, risk assessment configuration, and performance review workflows.
Governance Playbook (part of LaunchPad IP) Vendor review cadence, contract renewal management, risk reassessment practices, and performance benchmarking.
Forms Specification (part of LaunchPad IP) Form layouts for all eleven vendor management object types.