Building a Proactive Vendor Risk Management Program
May 14, 2013
Over the past decade, all organizations have become increasingly reliant on 3rd parties to support growth and a wide variety of business functions that were previously handled internally. While this has led to cost savings and has enabled companies to focus on what they do best, it has also introduced new levels of risk that are often not realized until it is too late.
Vendor delay or inability to deliver the goods or services for which they were contracted can be disruptive and costly. Vendor quality issues can cause compliance problems, liability issues, and reputational damage. These are just a few of the risks, which vary widely by industry. While there has been a significant increase in discussion around Vendor Risk Management in recent years, many companies still operate within a reactive mode.
For most organizations, managing vendor risk is limited to vendor onboarding and depends on time-consuming, manual processes that are often inconsistent. As a result, vendor managers must handle issues after damage may have already occurred, picking up the pieces too late.
Overcoming Barriers to Adoption
Why aren’t more organizations enhancing their Vendor Risk Management programs? Our discussions with procurement professionals across different industries reveal the following barriers:
- There’s a lack of understanding of the business value of managing vendor risk
- Costs, resource requirements, and ROI are not well understood
- Misperceptions regarding supporting technology requirements
- Preoccupation with more conventional cost-reduction procurement activities
The good news is that Vendor Risk Management has evolved significantly in recent years. It is no longer merely a tactical set of procedures for onboarding vendors. It has grown into a mature discipline with embedded business processes and technologies for tracking, monitoring, and managing risk throughout the vendor relationship.
Insights on Strategies for Success
We are currently involved in the implementation of a comprehensive Vendor Risk Management program for a leading financial services institution. The following insights from this engagement may prove helpful if your organization is thinking about improving its Vendor Risk Management program.
Build your business case in broad terms: Vendor risk isn’t just a procurement problem. It’s a business resilience issue with significant enterprise-wide implications. Fundamentally, Vendor Risk Management addresses your company’s ability to respond to unanticipated changes, problems, or disruptions within its supply chain. Your business case for Vendor Risk Management should explore how these factors can negatively impact your company’s revenues, compliance, customer satisfaction, business continuity, and reputation. It should candidly assess the viability of current strategies, processes and technologies to proactively reduce or mitigate the business impact of these risks.
Gain buy-in from senior leadership: Vendor Risk Management impacts all facets of business operations. Getting the participation you need to build an effective enterprise-wide program will require active C-suite sponsorship and support.
Engage stakeholders early and often: Identify the stakeholders with the greatest external dependencies and engage them early on in the planning process. Once these stakeholders understand how vendor risk relates to their business mission, they will become important champions in the change management process.
Resist the temptation to over-customize: It’s easy to over-engineer Vendor Risk Management technology requirements, given the complex nature of vendor relationships and processes. But you may already have essential components of the “future state” infrastructure in place. This was what we discovered for our client in the financial services industry. By tweaking several components of the currently underutilized procurement infrastructure, we were able to cut 6 months from the design phase and reduce TCO by an estimated 30 percent over three years.
Vendor Risk Management will become increasingly crucial as companies become more closely integrated with–and dependent on–vendors through cyber ecosystems. Building a proactive strategy today can and will have significant benefits in the future. Not just in terms of risk avoidance but in helping vendor managers develop better, more informed relationships with vendors.
Manager, Procurement Optimization
The Shelby Group