February 4, 2014
If Vendor Risk Management isn’t on your ‘hot list’ of action items today, several factors may ensure it will be in the near future:
• Increased reliance on outsourced services
• Reverberating impacts of global climate events
• Cybersecurity threats that can emanate from any node within your supplier ecosystem
• More rigorous compliance requirements and greater regulatory scrutiny
These factors are all converging to make Vendor Risk Management a major concern in 2014 and beyond. Along with this concern comes increased program visibility and the need for greater collaboration with other C-suite stakeholders. Chief Risk Officers, Chief Security Officers and Chief Compliance Officers (or their functional equivalents) all have a share in the effectiveness and success of Vendor Risk Management.
If you are concerned about whether your Vendor Risk Management program is ready for the spotlight, the following 6 questions will help you conduct a quick assessment of program capabilities and readiness:
1. How will you evaluate vendors and measure the value of your Vendor Risk Management program? If you can’t identify, define, and prioritize the risks vendors pose to your organization today, your program needs to align its management of strategic, financial, and operational risks with your organization’s enterprise governance and risk management initiatives in order to be effective.
2. How will you ensure your organization and vendors comply with implemented processes? Vendor Risk Management is an ongoing process, not a one-time event. Compliance with processes will provide a closed-loop circuit, which will drive long-term value and successful partnerships.
3. Do you have the resources needed for overseeing vendor risk? Procurement organizations are often stretched to manage multiple vendors on a day-to-day basis. Making sure you have adequate resources from Procurement and supporting departments will enable your organization to proactively identify, assess, mitigate, and monitor vendor risks in a consistent and sustainable manner.
4. What is your cadence for reviewing vendor risk? Assessing vendor risk is a continuous practice. Vendor Risk Management, without actions, improvements, follow-ups, and repeatable processes within a defined cadence, is futile. An organization needs to go beyond a one-time assessment of risk for the sake of defining a vendor’s risk profile. Repeating the assessment of vendor risk provides ongoing visibility into the overall danger to the organization. This allows your vendors to understand the criticality of their role in continuing to deliver value.
5. Do you have a proactive issue identification and resolution plan? If a vendor risk profile changes through continuous risk assessment, Vendor Risk Managers can proactively identify potential damage to the organization and mitigate it effectively through resolution or performance improvement plans. Similar to managing an underperforming employee, Vendor Risk Managers can use a performance improvement plan to help the vendor course-correct and enhance its total performance.
6. How will you communicate program results? Proving the value and worth of a Vendor Risk Management Program to the enterprise is key to success, just like any recently implemented program. Measuring and continuously communicating results to senior leadership provides a view into how Vendor Risk Management can create both top and bottom line value.
Ultimately, an organization should partner with their vendors to commit to developing and recognizing those who play a significant role in increasing total value and promoting the enterprise in a positive manner. A comprehensive Vendor Risk Management Program will provide the structure required to deliver sustainable, consistent, and efficient support to the organization’s enterprise risk initiatives. This will further translate into an optimal future of long-term strategic supplier performance and relationship management.
Manager, Procurement Optimization
The Shelby Group