Vendor Management

Vendor Management Guide

New: NAPSA now has a dedicated Vendor Portal at https://napsa.ontech.co.zm/vendor/login where vendors can self-register, manage their profiles, and complete risk assessments.
Overview

The Vendor Management module is part of Third-Party Risk Management within the ERM system. It helps you manage vendor relationships, track performance, conduct risk assessments, and ensure compliance with procurement and risk management policies.

The system includes both a Back Office Management System (this page) for NAPSA staff and a Vendor Portal for vendor self-service.

Key Features
  • Vendor Portal: Self-service portal for vendor registration, profile management, and assessments
  • Vendor Registration: Capture comprehensive vendor information including contact details, registration numbers, and banking information
  • Approval Workflow: Review and approve vendor registrations and profile updates
  • Contract Management: Track all vendor contracts with values, dates, deliverables, and SLA terms
  • Risk Assessment Wizard: Conduct formal due diligence assessments across 6 risk dimensions
  • Performance Evaluations: Regular vendor performance scoring and rating
  • Document Management: Store and track vendor documents with expiry monitoring
  • ERM Integration: Link vendors to risks, incidents, and controls in the risk register
Vendor Portal Features

The Vendor Portal allows vendors to interact with NAPSA's vendor management system directly:

Vendor Capabilities:
  • Self-registration and profile creation
  • Update company, contact, and banking info
  • Complete risk assessment questionnaires
  • Upload certificates and documents
  • Receive notifications and messages
Important: All vendor profile updates require NAPSA approval before taking effect. This ensures data integrity and proper vendor vetting.
1. Managing Vendor Registrations from Portal

When vendors register through the Vendor Portal, they appear in this system with a status of Pending Approval.

Reviewing New Registrations:
  1. Check the Dashboard tab for vendors with "Pending Approval" status
  2. Click the icon to review vendor details
  3. Verify all required information:
    • Company registration number and tax ID (TPIN)
    • Contact person details and email address
    • Banking information for payments
    • Uploaded certificates and documents
  4. Conduct initial risk assessment if needed
  5. Click to edit vendor details
  6. Change status to Active to approve the vendor
  7. Or change to Inactive to reject
Tip: Currently, there is 1 pending vendor registration (Cybersecurity Solutions Zambia - VEN-2025-00014) awaiting approval since July 5, 2025.
2. Adding a Vendor Manually (Back Office)

NAPSA staff can also add vendors directly through the back office:

  1. Click the "Add Vendor" button in the top right
  2. Fill in vendor information across the tabs:
    • Basic Information: Name, category, risk level, description
    • Contact Details: Contact person, email, phone, address
    • Financial Information: Tax ID, payment terms, bank details
    • Compliance: Certifications, insurance, compliance status
  3. Click "Save Vendor" to create the vendor record
  4. Set initial status (usually Active for pre-approved vendors)
3. Approving Vendor Profile Updates

When vendors update their profiles through the portal, changes require approval:

  1. Vendor submits profile update through their portal
  2. Update appears in the Vendor Profile Updates system
  3. Review the proposed changes carefully
  4. Verify supporting documents if changes include:
    • Banking details (requires bank confirmation letter)
    • Company registration changes (requires updated certificate)
    • Tax ID updates (requires updated TPIN certificate)
  5. Approve or reject the update with comments
  6. System notifies vendor of approval/rejection
4. Viewing Vendor Details

Click the icon on any vendor to view comprehensive details across 6 tabs:

  • Overview: Basic vendor information and current status
  • Contracts: All contracts with the vendor including values and dates
  • Risk Assessments: Formal due diligence assessments and risk scores (includes portal submissions)
  • Evaluations: Performance evaluation history and ratings
  • Documents: Uploaded documents, certifications, and contracts (from back office or portal)
  • Linked Risks: Relationships between vendor and enterprise risks
Note: Vendor portal submissions (assessments, documents) appear automatically in the vendor details view for your review.
5. Managing Vendor Questionnaires & Assessments

Vendors can complete risk assessment questionnaires through their portal. As a back office user, you can:

  1. Create questionnaire templates for vendors to complete
  2. Assign specific questionnaires to vendors
  3. Review completed questionnaire responses
  4. Score and grade vendor responses
  5. Generate risk levels based on responses
Reviewing Vendor Questionnaire Responses:
  1. Navigate to the vendor's Risk Assessments tab
  2. View all completed questionnaires
  3. Click to review individual responses
  4. Score responses according to questionnaire template
  5. System calculates overall risk score automatically
  6. Update vendor risk level if needed
6. Managing Vendor Contracts
  1. Open vendor details and navigate to the Contracts tab
  2. Click "Add Contract" to create a new contract
  3. Enter contract details:
    • Contract title and type (Service, Goods, Consulting, Construction)
    • Contract value and currency
    • Start and end dates
    • Payment terms
    • Optional: Link to a risk in the risk register
  4. Click "Save Contract" to add to vendor record
7. Conducting Risk Assessments (Back Office)

NAPSA staff can perform formal vendor due diligence using the Risk Assessment Wizard:

  1. Open vendor details and navigate to the Risk Assessments tab
  2. Click "New Assessment" to launch the wizard
  3. Rate the vendor across 6 risk dimensions (scale 1-5):
    • Financial Risk: Vendor's financial stability
    • Operational Risk: Ability to deliver services
    • Compliance Risk: Regulatory and legal compliance
    • Reputational Risk: Impact on organization's reputation
    • Cybersecurity Risk: Data security and IT controls
    • Data Privacy Risk: Data protection capabilities
  4. Document key risks identified and recommended mitigation actions
  5. Click "Save Assessment"; the overall risk score and level are calculated automatically

Note: The system automatically calculates the overall risk score and classifies it as Low/Medium/High/Critical. This is separate from vendor portal questionnaires.

8. Evaluating Vendor Performance
  1. Click the icon on any vendor, or use the Evaluations tab
  2. Click "New Evaluation" to create a performance review
  3. Score the vendor across 4 dimensions (scale 1-10):
    • Quality Score: Quality of products/services delivered
    • Delivery Score: Timeliness and reliability
    • Cost Effectiveness: Value for money
    • Communication: Responsiveness and communication quality
  4. Add overall comments and recommendations
  5. Click "Submit Evaluation"; the overall score is calculated and the vendor record is updated
9. Linking Vendors to Risks

Create relationships between vendors and enterprise risks from your Risk Register:

  1. Open vendor details and navigate to the Linked Risks tab
  2. Click "Link to Risk" button to open the linkage modal
  3. Select Risk from Dropdown: Choose a risk from your Risk Register
    • Dropdown automatically loads all risks from the system
    • Shows risk ID, name, and risk level (e.g., "RISK-2025-0003 - Market Volatility Risk (Critical)")
    • Search by typing to filter risks
  4. Review Risk Details: When you select a risk, a details card appears showing:
    • Risk ID and Category
    • Risk Owner and Status
    • Current Risk Level
    • Department and Description
  5. Select Relationship Type: Choose how the vendor relates to the risk:
    • 🔴 Vendor Causes This Risk: Vendor actions may create the risk
    • 🟢 Vendor Mitigates This Risk: Vendor helps reduce the risk
    • 🔵 Vendor Monitors This Risk: Vendor is responsible for monitoring
    • 🟠 Vendor Affected By This Risk: Vendor is impacted by the risk
  6. Set Impact Level: Choose Low, Medium, High, or Critical based on vendor's impact
  7. Add Description: Explain the nature of the vendor-risk relationship
  8. Click "Link Risk" to create the relationship
  9. The linkage appears immediately in the Linked Risks tab showing:
    • Risk ID (clickable link to risk details)
    • Relationship type
    • Impact level (color-coded badge)
    • Description
    • Delete button to remove the linkage
Benefits: Risk linkages help you understand vendor dependencies, identify concentration risks, and track which vendors contribute to or mitigate specific enterprise risks.
Tip: You can link the same vendor to multiple risks. For example, an IT vendor might both "cause" cybersecurity risks and "mitigate" them through security controls.
10. Monitoring Vendor Portal Activity

Track vendor engagement and portal usage:

  • Total Vendors: 15 registered vendors
  • Active Vendors: 14 approved and active
  • Pending Approval: 1 vendor awaiting review
  • Recent Activity: Check vendor portal activity logs
Latest Registrations:
  • VEN-2025-00015: HR Consulting Partners (July 25, 2025) - Active
  • VEN-2025-00014: Cybersecurity Solutions Zambia (July 5, 2025) - Pending Approval
Action Needed: Review and approve/reject the pending vendor registration (VEN-2025-00014).
Vendor Statuses
  • Pending Approval - Newly added vendors awaiting review
  • Active - Approved vendors in good standing
  • Suspended - Vendors temporarily suspended due to issues
  • Inactive - Vendors no longer in use
Risk Levels
  • Low - Minimal impact if vendor fails
  • Medium - Moderate impact, standard controls needed
  • High - Significant impact, enhanced due diligence required
  • Critical - Mission-critical vendor, extensive oversight needed
ERM Integration

The Vendor Management module integrates with the following ERM components:

  • Risk Register: Link vendors to risks via the Linked Risks tab
  • Contracts: Associate contracts with specific risks for tracking
  • Risk Assessments: Generate risks in the register from vendor assessments
  • Incidents: Track vendor involvement in incidents
  • Controls: Link vendor contracts to risk mitigation controls
Troubleshooting Common Issues
Issue: "No Vendors Found" in Dashboard
  • Cause: You may not be logged in or your session expired
  • Solution: Log in at /auth/login and return to the vendors page
Issue: Risk Dropdown Shows "Error: Unable to load risks"
  • Cause: Not authenticated or Risk Register is empty
  • Solution: Ensure you're logged in and have risks in your Risk Register
Issue: "Failed to create risk linkage"
  • Cause: Required fields missing or network error
  • Solution: Ensure you've selected a risk, relationship type, and impact level. Check the browser console (F12) for detailed error messages
Issue: Linked Risks tab shows "No Risk Linkages"
  • Expected: This is normal if you haven't created any linkages yet
  • Note: Risk linkages are stored temporarily during your session. For persistent storage, backend integration is required
Issue: Vendor Details Tabs Show Empty States
  • Evaluations, Contracts, Documents tabs showing "No X found": This is expected until you add data
  • Not an error: Gray informational text is correct behavior for empty tabs
Browser Cache Issues: If you see outdated data or errors, hard reload your browser with Ctrl + Shift + R (Windows) or Cmd + Shift + R (Mac).
Best Practices
  • Conduct thorough risk assessments before approving new vendors
  • Perform regular performance evaluations (quarterly for high-risk, annually for low-risk)
  • Monitor contract expiry dates and renewal requirements
  • Keep vendor documents current and verify certifications
  • Link high-risk vendors to corresponding risks in the risk register
  • Review and update vendor risk levels based on assessment results
  • Document all vendor interactions, issues, and resolutions
  • Maintain up-to-date contact information for all active vendors
  • Important: Create risk linkages to understand vendor dependencies and concentration risks
  • Tip: Use the dropdown search in the "Link to Risk" modal to quickly find risks by typing