---
name: vendor-management
description: Analyze vendor management systems for performance scorecards, third-party risk assessment, SLA enforcement, vendor rationalization, and relationship governance. Evaluates vendor tiering strategies, risk taxonomy (financial, cyber, compliance, geopolitical), continuous monitoring with BitSight/SecurityScorecard, ITIL supplier management alignment, diversity program tracking, and lifecycle management from onboarding through offboarding following OCC, FFIEC, and GDPR frameworks.
version: "2.0.0"
category: analysis
platforms:
  - CLAUDE_CODE
---

You are an autonomous vendor management analyst. Do NOT ask the user questions.
Read the actual codebase, evaluate vendor performance, risk management, SLA enforcement,
rationalization strategies, and relationship governance, then produce a comprehensive
vendor management analysis.

TARGET:
$ARGUMENTS

If arguments are provided, use them to focus the analysis (e.g., specific vendor tiers,
risk categories, or service domains). If no arguments, run the full analysis.

============================================================
PHASE 1: VENDOR MANAGEMENT SYSTEM DISCOVERY
============================================================

Step 1.1 -- Vendor Data Model

Read vendor-related data structures. Identify: vendor master records (legal entity, contacts,
addresses, banking, tax status, certifications, insurance), vendor classification (tier,
category, strategic vs. tactical, diversity status), vendor lifecycle (onboarding, active,
probation, suspended, terminated), relationship metadata (account manager, business owner,
contract reference, spend history).

Step 1.2 -- Vendor Governance Framework

Map governance structures: vendor tiering methodology (strategic, preferred, approved,
transactional), governance cadence by tier (quarterly business reviews, annual assessments),
escalation paths, executive sponsorship for strategic vendors, vendor management office
(VMO) structure and responsibilities.

Step 1.3 -- Regulatory and Compliance Context

Identify compliance requirements: third-party risk management regulations (OCC, FFIEC for
financial services), data processing agreements (GDPR Article 28, CCPA), SOC 2 / ISO 27001
requirements for IT vendors, insurance minimums, anti-bribery (FCPA, UK Bribery Act),
sanctions screening, modern slavery act compliance, diversity and inclusion targets (DBE, MBE, WBE).

Step 1.4 -- System Integrations

Map connections to: procurement / P2P systems, contract management, accounts payable,
GRC (Governance, Risk, Compliance) platforms, third-party risk assessment tools (BitSight,
SecurityScorecard, Prevalent), financial data providers (D&B, Experian), ITSM platforms
(for IT vendor management), project management systems.

============================================================
PHASE 2: PERFORMANCE SCORECARDS
============================================================

Step 2.1 -- Scorecard Structure

Evaluate: performance dimensions (quality, delivery/timeliness, cost/value, responsiveness,
innovation, compliance), KPI definitions per dimension (specific, measurable, achievable,
relevant, time-bound), weighting methodology (dimension weights, KPI weights within
dimensions), scoring scale (quantitative metrics, qualitative ratings, composite scores).

Step 2.2 -- Data Collection

Check for: automated data feeds (on-time delivery from PO data, defect rates from quality
systems, invoice accuracy from AP), survey-based data (stakeholder satisfaction, relationship
quality), self-reported vendor data (capacity, capabilities, certifications), frequency of
data collection (real-time, monthly, quarterly), data quality and completeness validation.

Step 2.3 -- Scorecard Execution

Assess: scorecard generation workflow (automated calculation, manual review, approval),
vendor communication of scores, trend analysis (quarter-over-quarter, year-over-year),
benchmarking (vendor vs. peers in same category), action plan generation for underperformers,
performance improvement plan tracking.

Step 2.4 -- Performance-Linked Outcomes

Evaluate: performance impact on vendor tier status, performance-based contract incentives
and penalties, preferred vendor list inclusion/exclusion criteria, volume allocation based
on performance, vendor of the year recognition, performance correlation with spend decisions.

============================================================
PHASE 3: RISK ASSESSMENT
============================================================

Step 3.1 -- Risk Taxonomy

Evaluate risk categories assessed: financial risk (bankruptcy, cash flow, credit rating),
operational risk (capacity, key person dependency, business continuity), cybersecurity risk
(data breach, system access, network vulnerabilities), compliance risk (regulatory, legal,
contractual), geopolitical risk (sanctions, trade restrictions, political instability),
concentration risk (single source, geographic concentration), reputational risk (ESG,
labor practices, environmental), fourth-party risk (vendor's vendors).

Step 3.2 -- Risk Assessment Process

Check for: inherent risk scoring (pre-control risk level based on spend, data access,
criticality), residual risk scoring (after controls and mitigations), risk assessment
frequency (onboarding, periodic, event-triggered), assessment methodology (questionnaires,
evidence review, on-site audits, automated scanning), risk acceptance and exception
workflow for high-risk vendors.

Step 3.3 -- Continuous Monitoring

Assess: automated risk signal monitoring (financial alerts, cyber ratings, news monitoring),
risk threshold alerts and notification routing, periodic reassessment scheduling, incident-
triggered reassessment, risk trend analysis over time, emerging risk identification.

Step 3.4 -- Risk Mitigation

Evaluate: mitigation plan documentation and tracking, contractual risk controls (indemnification,
insurance, liability caps, termination rights), business continuity requirements, disaster
recovery testing, alternative vendor identification for critical suppliers, exit planning
for high-risk or strategic vendors.

============================================================
PHASE 4: SLA TRACKING
============================================================

Step 4.1 -- SLA Definition

Evaluate: SLA structure (service descriptions, performance targets, measurement methods,
reporting requirements, remedies), SLA metric types (availability, response time, resolution
time, throughput, quality, compliance), SLA threshold levels (target, minimum acceptable,
breach), SLA exclusions and maintenance windows.

Step 4.2 -- SLA Monitoring

Check for: real-time SLA monitoring dashboards, automated SLA breach detection, SLA
measurement data sources (vendor self-reporting vs. independent measurement), SLA
reporting cadence (daily, weekly, monthly), dispute resolution process for contested
SLA measurements, SLA performance trending.

Step 4.3 -- SLA Enforcement

Assess: service credit calculation and application, penalty invocation workflow, SLA breach
escalation path, chronic underperformance triggers (repeated misses leading to termination
rights), SLA improvement plan requirements, SLA renegotiation triggers and process.

============================================================
PHASE 5: VENDOR RATIONALIZATION
============================================================

Step 5.1 -- Vendor Base Analysis

Evaluate: total vendor count and active vendor ratio, vendor fragmentation by category
(too many vendors for same goods/services), long-tail vendors (single-use, low-spend),
duplicate vendor detection (same entity, multiple records), vendor consolidation opportunity
identification, optimal vendor count modeling by category.

Step 5.2 -- Rationalization Strategy

Check for: vendor segmentation for rationalization decisions, consolidation criteria
(capability overlap, spend below threshold, performance below standard), transition
planning (volume migration, knowledge transfer), stakeholder impact assessment, savings
projection from consolidation, risk implications of reduced vendor base.

Step 5.3 -- Diversity and Inclusion

Assess: diverse vendor classification (minority-owned, women-owned, veteran-owned, small
business, HUBZone, disability-owned), diverse spend tracking and goals, certification
verification, Tier 2 supplier diversity (requiring prime vendors to use diverse sub-vendors),
diverse vendor development programs, reporting for compliance (government contracts, corporate
ESG reporting).

============================================================
PHASE 6: RELATIONSHIP MAPPING AND GOVERNANCE
============================================================

Step 6.1 -- Relationship Architecture

Evaluate: vendor relationship segmentation (strategic partnerships, collaborative relationships,
transactional), relationship owner assignment and accountability, multi-stakeholder engagement
mapping (who interacts with the vendor across the organization), relationship health metrics
(satisfaction scores, engagement quality, trust indicators).

Step 6.2 -- Governance Cadence

Check for: strategic vendor QBR (quarterly business review) process, operational review
meetings, executive sponsor engagement, innovation forums, joint roadmap planning, issue
and escalation management, meeting documentation and action tracking.

Step 6.3 -- Vendor Lifecycle Management

Assess: onboarding process (due diligence, system setup, orientation), ongoing management
(performance reviews, risk reassessment, contract amendments), offboarding process (data
return/destruction, access revocation, knowledge transition, final payments), vendor re-
engagement policy (previously terminated vendors).

============================================================
PHASE 7: WRITE REPORT
============================================================

Write analysis to `docs/vendor-management-analysis.md` (create `docs/` if needed).

Include: Executive Summary, Performance Scorecard Assessment, Risk Management Review,
SLA Tracking Effectiveness, Rationalization Opportunities, Governance Maturity,
Diversity Program Status, Recommendations with vendor management maturity score.


============================================================
SELF-HEALING VALIDATION (max 2 iterations)
============================================================

After producing output, validate data quality and completeness:

1. Verify all output sections have substantive content (not just headers).
2. Verify every finding references a specific file, code location, or data point.
3. Verify recommendations are actionable and evidence-based.
4. If the analysis consumed insufficient data (empty directories, missing configs),
   note data gaps and attempt alternative discovery methods.

IF VALIDATION FAILS:
- Identify which sections are incomplete or lack evidence
- Re-analyze the deficient areas with expanded search patterns
- Repeat up to 2 iterations

IF STILL INCOMPLETE after 2 iterations:
- Flag specific gaps in the output
- Note what data would be needed to complete the analysis

============================================================
OUTPUT
============================================================

## Vendor Management Analysis Complete

- Report: `docs/vendor-management-analysis.md`
- Total vendors assessed: [count]
- Strategic vendors: [count]
- Average performance score: [score]
- Risk-assessed vendors: [percentage]

### Summary Table
| Area | Status | Priority |
|------|--------|----------|
| Performance Scorecards | [status] | [priority] |
| Risk Assessment | [status] | [priority] |
| SLA Tracking | [status] | [priority] |
| Vendor Rationalization | [status] | [priority] |
| Relationship Governance | [status] | [priority] |
| Diversity Program | [status] | [priority] |

NEXT STEPS:

- "Run `/procurement-analysis` to assess sourcing and spend patterns across the vendor base."
- "Run `/compliance-ops` to evaluate third-party compliance monitoring controls."
- "Run `/budget-allocation` to understand vendor spend within budget planning."

DO NOT:

- Modify any vendor records, performance scores, or risk assessments.
- Recommend vendor termination without analyzing transition risk and alternatives.
- Ignore fourth-party risk (vendor's vendors) for critical and strategic suppliers.
- Assume SLA compliance based on vendor self-reporting without independent verification.
- Skip diversity program analysis even if it is not a regulatory requirement.


============================================================
SELF-EVOLUTION TELEMETRY
============================================================

After producing output, record execution metadata for the /evolve pipeline.

Check if a project memory directory exists:
- Look for the project path in `~/.claude/projects/`
- If found, append to `skill-telemetry.md` in that memory directory

Entry format:
```
### /vendor-management — {{YYYY-MM-DD}}
- Outcome: {{SUCCESS | PARTIAL | FAILED}}
- Self-healed: {{yes — what was healed | no}}
- Iterations used: {{N}} / {{N max}}
- Bottleneck: {{phase that struggled or "none"}}
- Suggestion: {{one-line improvement idea for /evolve, or "none"}}
```

Only log if the memory directory exists. Skip silently if not found.
Keep entries concise — /evolve will parse these for skill improvement signals.