DraftInternalISO 9001ISO 27001ISO 14001

SW-IMS-POL-003

Supplier Management Policy

Version

1.0

Owner

CEO

Effective Date

TBD

Review Date

TBD

Supplier Management Policy

1. Purpose

This policy establishes Swedwise AB's approach to selecting, managing, and monitoring suppliers and service providers. It ensures that suppliers meet our requirements for quality, security, environmental responsibility, and business continuity, supporting our commitment to delivering excellent customer service and maintaining our management system standards.

2. Scope

This policy applies to:

All suppliers providing goods or services to Swedwise
External service providers and subcontractors
Technology and cloud service providers
Software vendors and licensing partners
Professional service providers (legal, accounting, consulting)
Facilities and office service providers

Supplier Categories

Category	Description	Examples
Strategic	Critical to business operations; difficult to replace; high risk/value	Data center (Entiros), software partners (OpenText, Salesforce), Microsoft 365/Azure
Important	Significant impact on operations; moderate risk/value	Support tools, recruitment agencies, key subcontractors
Standard	Regular suppliers; lower risk/value; alternatives available	Office supplies, travel services, equipment vendors

This policy applies most rigorously to Strategic and Important suppliers, with proportionate requirements for Standard suppliers.

3. Supplier Management Objectives

Swedwise commits to:

Quality Assurance: Ensure suppliers meet our quality standards and customer requirements
Security & Compliance: Verify suppliers handle information securely and meet legal obligations
Environmental Responsibility: Prioritize suppliers with sound environmental practices
Business Continuity: Ensure supplier reliability and resilience for critical services
Fair Relationships: Build mutually beneficial, ethical supplier relationships
Risk Management: Identify and manage supplier-related risks
Value Optimization: Achieve appropriate balance of quality, service, and cost

4. Policy Statements

4.1 Supplier Selection

Suppliers are selected based on:

Mandatory Requirements

Legal Compliance: Valid business registration, appropriate licenses, compliance with applicable laws
Financial Stability: Demonstrated financial viability (for strategic suppliers)
Capability: Demonstrated ability to meet technical and service requirements
References: Satisfactory references or track record (for significant engagements)

Evaluation Criteria

Quality: Ability to meet quality requirements, certifications (e.g., ISO 9001)
Security: Information security practices, certifications (e.g., ISO 27001), data handling
Environmental: Environmental policies and practices, certifications (e.g., ISO 14001)
Pricing: Competitive pricing and total cost of ownership
Service: Support availability, responsiveness, SLA commitments
Innovation: Ability to support our evolving needs, technology roadmap
Location: Preference for Nordic/Swedish suppliers where appropriate for cultural/legal alignment

Selection Process

Requirements Definition: Clear specification of needs
Supplier Identification: Research and shortlist potential suppliers
Evaluation: Assess against criteria (RFQ, demonstrations, assessments)
Due Diligence: Verify credentials, references, compliance (especially for strategic suppliers)
Selection Decision: Documented rationale for supplier choice
Approval: Management approval for strategic suppliers and significant contracts

4.2 Contractual Requirements

Supplier contracts and agreements include:

Standard Terms

Scope of Work: Clear description of goods/services to be provided
Pricing and Payment: Rates, payment terms, invoicing procedures
Service Levels: Performance standards, availability requirements, response times (for service providers)
Term and Termination: Contract duration, renewal terms, termination conditions
Liability: Limitations of liability, indemnification, insurance requirements

Management System Requirements

Quality: Commitment to meet specified quality standards
Information Security: Confidentiality, data protection, security controls (see 4.3)
Environmental: Compliance with environmental laws, alignment with our environmental policy
Subcontracting: Restrictions on subcontracting without approval
Right to Audit: Swedwise right to audit compliance (for strategic suppliers)

Legal and Compliance

Data Protection: GDPR compliance, data processing agreements where applicable
Intellectual Property: IP ownership, licensing rights
Compliance with Laws: Adherence to applicable regulations
Code of Conduct: Alignment with ethical business practices

Contracts are reviewed by [TBD - legal counsel] for strategic suppliers and significant commitments.

4.3 Information Security Requirements for Suppliers

Suppliers with access to Swedwise information or systems must:

Access and Handling

Sign confidentiality/non-disclosure agreements before receiving confidential information
Handle information according to Swedwise classification requirements
Implement appropriate technical and organizational security measures
Restrict access to authorized personnel only (need-to-know principle)

Security Controls (Risk-Based)

For suppliers with significant access to Swedwise information or systems:

Access Control: Strong authentication, prompt access revocation when no longer needed
Encryption: Data encrypted in transit and at rest where appropriate
Backup and Recovery: Reliable backup arrangements for critical data/services
Incident Management: Defined process for security incident notification and response
Vulnerability Management: Regular patching and security updates
Business Continuity: Continuity arrangements for critical services

Compliance and Assurance

Maintain relevant security certifications (ISO 27001, SOC 2, etc.) where applicable
Provide evidence of compliance upon request or through periodic assessments
Allow security audits for strategic suppliers
Notify Swedwise promptly of security incidents affecting our data or services

Data processing agreements are established for suppliers processing personal data on behalf of Swedwise (GDPR Article 28).

4.4 Environmental Requirements for Suppliers

Swedwise encourages environmental responsibility in our supply chain:

Minimum Expectations

Compliance with applicable environmental laws and regulations
Appropriate handling and disposal of waste (e.g., e-waste for IT equipment)
Consideration of environmental impact in their operations

Preferred Suppliers

ISO 14001 certification or equivalent environmental management practices
Documented environmental policy and objectives
Sustainable product options (energy-efficient equipment, recycled materials, etc.)
Local suppliers to reduce transportation impacts (where other factors are equal)

Environmental considerations are included in supplier evaluations and discussed during supplier reviews.

4.5 Supplier Performance Monitoring

Supplier performance is monitored based on category and risk:

Strategic Suppliers

Formal Reviews: At least annually, or quarterly for critical services
Performance Metrics: Defined KPIs aligned with contract (e.g., uptime, response times, quality)
Continuous Monitoring: Ongoing tracking of incidents, service quality, relationship health
Structured Meetings: Regular business reviews with supplier management

Important Suppliers

Periodic Review: At least annually
Issue Tracking: Log and track issues, resolution effectiveness
Feedback Collection: Input from internal users of supplier services

Standard Suppliers

As-Needed Review: Triggered by issues or contract renewal
Basic Tracking: Major issues or complaints logged

Review Content

Performance against SLAs and contract commitments
Quality of deliverables and services
Security incidents or concerns
Business continuity capability
Environmental performance (for applicable suppliers)
Responsiveness and communication
Innovation and improvement initiatives
Relationship satisfaction
Pricing competitiveness

4.6 Issue Management and Improvement

Supplier issues are managed through:

Issue Identification: Problems logged by staff or identified in monitoring
Communication: Issue raised with supplier formally
Root Cause Analysis: Understanding cause for significant or recurring issues
Corrective Action: Supplier implements corrections
Verification: Swedwise verifies effectiveness of corrections
Escalation: Persistent issues escalated per contract escalation procedures

Serious issues may trigger:

Increased monitoring or audit
Remediation plans with milestones
Contract review or renegotiation
Alternative supplier evaluation
Contract termination (as last resort)

4.7 Supplier Risk Management

Supplier risks are assessed considering:

Risk Factors

Dependency: Extent of business reliance on supplier
Criticality: Impact if supplier fails or underperforms
Data Access: Type and sensitivity of information supplier accesses
Financial Stability: Supplier's financial health and continuity risk
Geographic Risk: Locations, political/natural disaster exposure
Compliance Risk: Potential for non-compliance affecting Swedwise
Reputational Risk: Supplier actions reflecting on Swedwise reputation

Risk Treatment

Higher-risk suppliers receive more rigorous selection, contracting, and monitoring
Contingency plans for critical suppliers (alternative suppliers, workarounds)
Regular reassessment of supplier risk profile
Risk factors considered in contract renewal decisions

4.8 Key Supplier Relationships

Strategic suppliers critical to Swedwise operations:

Entiros AB (Data Center Services)

Service: Infrastructure hosting for Swedwise Communications SaaS platform
Criticality: Critical - SaaS platform depends on their data center
Requirements: High availability SLA, security certification, business continuity capability
Management: Quarterly business reviews, continuous uptime monitoring, documented escalation procedures

OpenText

Service: Software licensing (Exstream/Communications, other OpenText products)
Criticality: Critical - core technology for Swedwise offerings
Requirements: Current licensing, support agreements, technical escalation path
Management: Regular license reviews, partner relationship management, support case tracking

Salesforce

Service: Software licensing and partnership
Criticality: Important - key offering for customers
Requirements: Current partner status, licensing compliance, support access
Management: Partner program participation, regular strategic reviews

Microsoft

Service: Microsoft 365, Azure cloud services, licensing
Criticality: Critical - core infrastructure and productivity tools
Requirements: Appropriate licensing, support agreements, security configuration
Management: Azure service health monitoring, subscription management, regular reviews

[TBD - Other Key Suppliers]

To be documented as relationships established (e.g., support ticketing, accounting, recruitment).

4.9 Supplier Offboarding

When ending supplier relationships:

Transition Planning: Ensure continuity (alternative supplier, transition period)
Data Handling: Return or secure destruction of Swedwise data
Access Revocation: Promptly remove access to systems and information
Knowledge Transfer: Document lessons learned, handover to new supplier
Contract Closure: Final invoices, close-out formalities
Records Retention: Maintain contract and performance records per retention schedule

5. Roles and Responsibilities

Chief Executive Officer (CEO)

Responsibilities:

Overall accountability for supplier management
Approve strategic supplier relationships and major contracts
Review supplier performance and risks in management reviews
Make decisions on supplier issues requiring executive action

Management Team

Responsibilities:

Approve supplier selections within their areas of authority
Monitor supplier performance for their functional areas
Participate in strategic supplier reviews
Escalate supplier issues requiring management attention
Allocate budget for supplier expenses

Procurement/Finance [TBD - role may not exist formally]

Assigned to: [TBD - who handles procurement/contracts]

Responsibilities:

Coordinate supplier selection processes
Negotiate contracts and pricing
Maintain supplier contract repository
Track contract renewals and expirations
Coordinate supplier performance reviews for strategic suppliers
Maintain supplier register and documentation

Information Security Officer (CISO)

Responsibilities:

Assess information security risks for suppliers with data access
Define security requirements for supplier contracts
Review and approve security aspects of strategic supplier relationships
Monitor supplier security incidents and compliance
Conduct or coordinate supplier security audits

Environmental Lead

Responsibilities:

Define environmental criteria for supplier evaluation
Assess environmental aspects of supplier relationships
Promote environmental responsibility in supply chain
Monitor environmental performance of key suppliers

Department Heads / Service Owners

Responsibilities:

Define requirements for suppliers supporting their areas
Participate in supplier selection for their needs
Monitor day-to-day supplier performance
Provide feedback for supplier reviews
Log and communicate supplier issues
Manage supplier relationships for their areas

All Staff

Responsibilities:

Follow procedures when engaging suppliers
Report supplier performance issues or concerns
Handle supplier information appropriately
Cooperate with supplier audits and reviews

6. Supplier Register

A supplier register is maintained including:

Supplier name and contact information
Supplier category (Strategic, Important, Standard)
Services/goods provided
Contract reference and key terms
Contract start date, expiration date, renewal terms
Key contacts at supplier
Swedwise owner/manager of relationship
Performance review schedule
Security assessment status
Certifications (ISO, etc.)
Last review date and outcome
Risk assessment summary
Notes and issues

The register is maintained by [TBD - Procurement/Finance/Admin] and reviewed at least annually.

7. Integration with Management System

Supplier management is integrated into the IMS:

Quality (ISO 9001): Suppliers evaluated for impact on product/service quality, included in process approach
Security (ISO 27001): Supplier security requirements aligned with ISMS, supplier access controls, third-party risk management
Environment (ISO 14001): Supplier environmental performance considered in life cycle perspective
Unified Audits: Supplier management reviewed in integrated internal audits
Management Review: Supplier performance and risks reviewed in management reviews

8. Exceptions

Exceptions to supplier management requirements may be granted when:

Emergency or urgent need requires expedited supplier engagement
Requirements are impractical for specific situation (e.g., standard supplier with minimal risk)
Compensating controls address risk concerns

Exceptions require:

Documented business justification
Risk assessment and acceptance
Approval by [TBD - CEO for strategic suppliers, Department Head for others]
Time limit and review date
Documented in supplier records

9. Review and Update

This policy is:

Reviewed at least annually by [TBD - CEO/Management Team]
Updated when significant changes occur in:
- Business operations or supplier dependencies
- Supplier-related risks or incidents
- Legal or contractual requirements
- Management system standards
Approved by CEO
Communicated to relevant staff following updates

Policies:

SW-IMS-POL-001: Integrated Management System Policy
SW-ISMS-POL-001: Information Security Policy
SW-EMS-POL-001: Environmental Policy
SW-IMS-POL-005: Business Continuity Policy

Procedures:

[TBD - SW-IMS-PRO-004: Supplier Selection and Evaluation Procedure]
[TBD - SW-IMS-PRO-005: Supplier Performance Review Procedure]
[TBD - SW-IMS-PRO-006: Contract Management Procedure]
[TBD - SW-ISMS-PRO-006: Third-Party Security Assessment Procedure]

Guidelines:

[TBD - SW-IMS-GUI-001: Supplier Selection Criteria and Scoring]
[TBD - SW-ISMS-GUI-004: Security Requirements for Suppliers]

Supporting Documents:

[TBD - Supplier Register]
[TBD - Standard Contract Templates]
[TBD - Non-Disclosure Agreement Template]
[TBD - Data Processing Agreement Template]
[TBD - Supplier Evaluation Form]
[TBD - Supplier Performance Review Template]

11. Document Control

Version	Date	Author	Changes	Approved By
1.0	[TBD]	[TBD]	Initial policy creation	[TBD - CEO name]

Next Review Date: [TBD - typically 12 months from effective date]

Document Classification: Internal

Document Owner: CEO

This policy is approved by Swedwise AB management and is effective from the date specified above. All staff involved in supplier selection and management are required to read, understand, and comply with this policy.

Swedwise AB | Make Time For The Good