Vendors Inventory and Attributes - Build, own, and govern the Vendors Inventory
Chapter 7. Build, own, and govern the Vendors Inventory
Section A — Sourcing and Harvesting
Before building the Vendors Inventory from scratch, assess whether vendor records already exist in any form in the enterprise. Common sources include: procurement systems and ERP vendor master data (the most comprehensive source of active vendor legal names, payment terms, and spend data); accounts payable and spend analysis systems (reveal all vendors the enterprise has paid, including shadow vendors not captured in formal procurement); contract management systems (identify all vendors with executed contracts); and security and risk assessment tools (identify vendors that have completed security questionnaires or risk assessments). Harvesting from these sources and deduplicating across them produces a comprehensive vendor list faster than manual assembly.
AI agents can be effective for populating standard attributes for well-known vendors — generating initial descriptions, classifying vendor type and industry, suggesting tier classifications based on product and service categories, and identifying known certifications and regulatory obligations. AI-generated records must be validated against authoritative sources before being treated as governance-ready. The Provenance and Audit Attributes category documents the generation method and validation status.
Prioritize Tier 1 and Tier 2 vendors for initial complete population. A Vendors Inventory with 100% of Crawl attributes populated for all Tier 1 and Tier 2 vendors is governable from the start and delivers immediate regulatory compliance value, even if Tier 3 and Tier 4 vendors have only stub records.
Section B — Ownership and Accountability
Every inventory must have a named owner accountable for the accuracy, completeness, and governance of the inventory as a whole. For the Vendors Inventory, the Chief Procurement Officer, Head of Vendor Management, or an equivalent vendor governance function is the natural organizational owner. In organizations without a dedicated vendor management function, the CIO or a Vendor Governance Board is an appropriate alternative. Individual vendor records each have their own Enterprise Relationship Owner — the inventory owner is accountable for the schema, the governance process, and the overall health of the inventory as a governance artifact.
Section C — Lifecycle and Review Cadence
The Vendors Inventory must be actively maintained across the vendor lifecycle. New vendors should be onboarded to the inventory before the first contract is executed — not after. Terminated vendors remain in the inventory with Relationship Status = Terminated for audit continuity. Reconciliation cadence:
Crawl maturity: quarterly minimum.
Walk maturity: monthly or event-driven when a new vendor engagement begins, a contract is renewed or terminated, a security incident occurs, or a material change in the vendor’s financial health or ownership is detected.
Run maturity: continuous monitoring through integration with vendor risk platforms and procurement systems.
Section D — Data Quality and Starting Approach
Recommended approach:
(1) Identify all known vendors from procurement system exports, accounts payable data, and contract management systems and create a stub record for each — Semantic ID, Legal Name, and Relationship Status only.
(2) Populate all Crawl attributes for Tier 1 and Tier 2 vendors before advancing any record to Walk.
(3) Populate Walk attributes for Tier 1 and Tier 2 vendors systematically, prioritizing Risk Attributes and Compliance/Security attributes.
(4) Populate Crawl attributes for Tier 3 and Tier 4 vendors.
(5) Introduce Run attributes and automated derivation only when connected inventories are sufficiently mature.
The most common failure mode is attempting to populate all attributes for all vendors simultaneously — producing a large volume of incomplete records with no governance value.
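Step (1) above, together with the harvesting and deduplication described in Section A, can be sketched as follows. This is an added example, not code from IF4IT; the source names, sample vendor names, suffix list, `VND-` ID format, and the "Active" status value are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample exports; real field names depend on each system.
SOURCES = {
    "procurement": ["Acme Cloud, Inc.", "Northwind Data LLC"],
    "accounts_payable": ["ACME CLOUD INC", "Northwind Data, LLC", "Blue Kite Analytics Ltd."],
    "contracts": ["Acme Cloud Inc.", "Blue Kite Analytics Ltd"],
    "security_assessment": ["Acme Cloud, Inc."],
}
# Assumption: legal-form suffixes are noise when matching names across systems.
SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "gmbh", "plc"}

def match_key(legal_name):
    """Normalize a legal name into a key used only for deduplication."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", legal_name.lower()).split()
    while tokens and tokens[-1] in SUFFIXES:
        tokens.pop()
    return " ".join(tokens)

def harvest(sources):
    """Merge all sources into one stub record per vendor, keeping provenance."""
    merged = defaultdict(lambda: {"names": [], "seen_in": set()})
    for source, names in sources.items():
        for name in names:
            entry = merged[match_key(name)]
            entry["names"].append(name)
            entry["seen_in"].add(source)
    stubs = []
    for n, (_, entry) in enumerate(sorted(merged.items()), start=1):
        seen = entry["seen_in"]
        stubs.append({
            "semantic_id": f"VND-{n:04d}",     # hypothetical ID format
            "legal_name": entry["names"][0],   # steward confirms the canonical form
            "relationship_status": "Active",   # assumed value for a harvested vendor
            "seen_in": sorted(seen),
            # Paid by the enterprise but absent from formal procurement.
            "shadow_vendor": "accounts_payable" in seen and "procurement" not in seen,
            # Known vendor with no security questionnaire or risk assessment.
            "unassessed": "security_assessment" not in seen,
        })
    return stubs
```

Name-based matching produces false merges and misses for similar or renamed entities, so the merged stubs still need steward review before they count as validated records.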
Section E — Access Control
The Vendors Inventory contains commercially sensitive data including Annual Spend, contract terms, risk assessments, and negotiation-sensitive attributes such as Substitutability and Concentration Risk. Access should be governed explicitly: read access broadly available to APM, TPM, EA, legal, compliance, and security teams; write access restricted to the inventory steward, designated Enterprise Relationship Owners, and authorized automated feeds from procurement systems; schema change access reserved for the inventory owner and governing body. Attributes including Termination Notice Period, Substitutability, and Key Risk Factors may warrant additional access restrictions given their sensitivity in negotiation contexts.
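The access model above, expressed as a deny-by-default authorization check with attribute-level filtering. This is an added example, not part of the IF4IT text; the role identifiers, the set of roles allowed to read restricted attributes, the rule that a Relationship Owner writes only to their own records, and the attributes an automated feed may update are assumptions the page leaves open.

```python
from dataclasses import dataclass

READ_ROLES = {"apm", "tpm", "ea", "legal", "compliance", "security"}
WRITE_ROLES = {"inventory_steward", "relationship_owner", "procurement_feed"}
SCHEMA_ROLES = {"inventory_owner", "governing_body"}
# Negotiation-sensitive attributes named in the text.
RESTRICTED = {"Termination Notice Period", "Substitutability", "Key Risk Factors"}
# Assumption: only these roles may read restricted attributes.
RESTRICTED_READERS = WRITE_ROLES | SCHEMA_ROLES | {"legal"}
# Assumption: an automated feed may update only what procurement is authoritative for.
FEED_ATTRIBUTES = {"Legal Name", "Annual Spend"}

@dataclass(frozen=True)
class Principal:
    name: str
    role: str

def authorize(p, action, record=None, attribute=None):
    """Deny by default; return True only for an explicitly granted case."""
    if action == "schema_change":
        return p.role in SCHEMA_ROLES
    if action == "read":
        if p.role not in READ_ROLES | WRITE_ROLES | SCHEMA_ROLES:
            return False
        return attribute not in RESTRICTED or p.role in RESTRICTED_READERS
    if action == "write":
        if p.role == "inventory_steward":
            return True
        if p.role == "relationship_owner":
            # Assumed scoping: owners edit only the records they are named on.
            return record["Enterprise Relationship Owner"] == p.name
        if p.role == "procurement_feed":
            return attribute in FEED_ATTRIBUTES
    return False

def read_view(p, record):
    """Return only the attributes this principal is allowed to see."""
    return {k: v for k, v in record.items() if authorize(p, "read", record, k)}

# Constructed sample record.
RECORD = {
    "Semantic ID": "VND-0001", "Legal Name": "Acme Cloud, Inc.",
    "Annual Spend": 1200000, "Substitutability": "Low",
    "Termination Notice Period": "90 days",
    "Enterprise Relationship Owner": "dana",
}
```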
Section F — Change Management
Changes to Vendor Tier, Dependency Level, and Relationship Status have downstream implications for governance investment, monitoring frequency, and regulatory evidence requirements. These attributes should follow a formal change control process: Propose → Review (Enterprise Relationship Owner and Governing Body) → Approve → Implement → Communicate. Changes to Risk Attributes that elevate a vendor’s risk rating above a defined threshold should trigger an immediate notification to the relevant business continuity and security functions.
Section G — Archival and Retention
When a vendor relationship is terminated, its record is not deleted. Update Relationship Status to Terminated, document the termination date and reason, and retain the record indefinitely for audit defensibility. Terminated vendor records are essential evidence for regulatory audits, litigation, and re-engagement assessment. For vendors involved in a security incident, compliance finding, or significant legal matter, retain all associated records indefinitely regardless of how long ago the relationship ended.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present