Companies don’t have as many walls as they used to. In an effort to reduce costs, improve efficiency and flexibility, and leverage new technologies and expertise, most large companies today have engaged hundreds or even thousands of third-party vendors to provide products and services. From handling IT, payroll, and accounting to manufacturing, marketing, and selling a company’s products, third-party vendors are now woven deep into the fabric of companies’ most vital functions.
While all organizations monitor vendor performance against the terms of their contracts and service level agreements (SLAs), many fail to put adequate resources into assessing and managing the risks associated with those vendors. This can leave the organization open to service or supply-chain interruptions if a vendor fails, experiences a technical or process breakdown, or is impacted by a crisis event — like, for instance, last October’s Hurricane Sandy. The list of risks goes on an on, from data breaches to regulatory noncompliance to risks associated with security, stability, and operational or cultural practices in the vendor’s country of origin. Vendor risk is receiving ever-greater scrutiny from boards, regulators, auditors, and other stakeholders, and managing these risks effectively is a must, both to satisfy those stakeholders and as a matter of simple good sense: When you’re up a ladder, you want to know the person holding the bottom has a steady grip.
Effective vendor risk management takes a holistic, strategy-driven view across the universe of an organization’s vendor relationships. It sets up a structure to promote consistency, accountability, and effective controls over all stages of the vendor lifecycle, from the risk-assessment stage, to vendor selection and due-diligence, to contracting, to ongoing relationship management. The range of risks across this universe is potentially huge, as is the sheer number of vendors with which a large company might have relationships. Getting a consistent vendor risk management structure in place and then taking the reins might seem like a Herculean task. But it doesn’t have to be.
Start with the numbers. A global firm might have as many as 100,000 vendor relationships, but when you start examining the individual strategic value of those vendors, the core numbers drop precipitously. Office supply vendors? Not critical. Janitorial services? Not critical. Coffee and vending machine suppliers? Not critical, except maybe late at night. Once you strip away vendors whose products and services have negligible impact on the company’s strategic direction and operations, you’re left with a small number that are truly important, and maybe only half of those provide absolutely critical functions in which your organization cannot afford interruption: IT, legal, health and benefits, payroll, outsourced production of products or elements required in your production cycles, etc. These are the vendors on which you need visibility. What are they doing? How are they doing it? What are the risks to which they’re susceptible? Are they stable and secure? If they fail, what’s your plan for replacing them?
Now, how do you parse your list of vendors, separating the wheat from the chaff, documenting the differences, and moving toward effectively managing risks around your critical vendors? As in much else today, a big part of the answer lies within your ERP platform, which can become the source for data on your procurement, your supply chain, and your critical joint business relationships. Being able to pull and analyze that information within your ERP system can give you the first cut of data you’ll need to begin ranking your vendors by their importance to your organization. From there, you can begin leveraging a governance, risk, and compliance (GRC) tool to focus your resources toward comprehensively monitoring your most critical vendor relationships.
Conducting a spend analysis is a good first step. Such an effort will provide visibility into where the company’s vendor dollars are going, what services or products it’s getting for its money, where its vendors are located, whether a particular service or product is solely or primarily sourced from a single vendor, and so on. Such information, gathered and stored in a database, provides companies with a flexible tool with which to analyze vendor risk.
Initiating a spend analysis program involves first extracting spend data from your ERP system and any other relevant locations within the organization (procurement applications, expense reports, manual spreadsheets, etc.), aggregate this data into a single database, then clean and normalize the data to remove errors, standardize vendor names and abbreviations, and map services and products to a widely accepted set of classification codes (such as the United Nations Standard Products and Services Code, or UNSPSC). Analyzing this information will allow you to create a list of important vendors, from which point you can assign resources to make a deeper assessment and determine those that are absolutely critical to the organization.
Rankings of vendor criticality determine the frequency and scope of the due diligence each vendor relationship requires. Core vendors might be assessed annually, providing information on their financials, credit rating, insurance, performance metrics, and controls, and completing a due diligence survey/self-assessment that addresses questions of information and software security, physical security, data access, etc. Adding this information to your database provides the raw material from which to generate risk insight and rankings. Examining vendors by industry classification or product, for instance, can show which vendors might be susceptible to certain industry-specific risks (talent shortages, commodity supply issues, etc.). Examining by geographies may show a concentration of critical vendors in a region prone to political instability or natural disaster. Examining by security protocols may point up vendors with inadequate data privacy controls, or where the security of physical assets is soft.
In addition to vendor surveys, information might also come from internal performance data, public external sources, and elsewhere, so doing the legwork to assemble, clean, normalize, and populate this data will be no simple task, even after you’ve pared your focus down to your critical vendors. But technology can help, providing tools to manage and automate your vendor GRC processes and your ongoing vendor relationships.
The use of automated vendor analysis is growing. Using tools that automatically extract data from source systems helps you classify and enrich data in your database and makes it easy to leverage dashboards to analyze spend data, contract compliance, performance against pre-determined service or delivery metrics, and compliance with standards related to labor practices, environmental impacts, supplier management, and so on.. Complete vendor risk management software solutions are available that can help companies:
- Assess and analyze vendor risks, define controls, track key risk indicators, and get visibility into risks via scorecards and dashboard reports.
- Create and manage comprehensive vendor profiles, execute vendor surveys/self-assessments (and track responses), manage vendor policies, and manage information on vendor cost, innovation, quality, customer complaints, loss incidents, etc.
- Measure vendor performance against the company’s business goals and rate them for comparative analysis vis-à-vis competing vendors.
- Achieve automation of various processes, including generating e-mails to vendors asking them to fill out surveys, etc.
- Achieve early detection and proactive management of developments such as missed SLAs, unfulfilled contractual commitments, deteriorating vendor financial condition, market events that might affect the vendor, and vendor practices (e.g., use of child labor) that could open up your organization to reputational risk by association.
Collating the vendor information stored in company ERP/procurement systems and using vendor risk management software to mine and enrich that data allows companies to more easily narrow their risk management focus to critical vendors, monitor the overall health and performance of those vendors, and make sure everything is proceeding according to plan, contract, and SLAs — or not. The goal is securing an early and more complete understanding of your company’s vendor relationships, which may help to reduce unanticipated costs related to regulatory fees, reputational damages, and unintended natural events.
- Assisting our clients to optimize their risk and internal control activities, including SOX readiness/optimization activities, through assessing the effectiveness of internal controls, ensuring alignment with the organizations business objectives and risks and using control activities to drive process improvement and enhanced business value
- Custom developing and deploying solutions for clients to facilitate various processes not captured in the core ERP environments.
- Ensuring IT is aligned to organizational strategy, responsive to a changing business climate, with clearly defined policies and procedures that take into account legal and regulatory compliance requirements
- Enhancing the process of developing robust controls around pre- and post-implementation system reviews through a clearly defined project management methodology that emphasizes the importance of benefits management
- Performing third-party and other opinion-level services in response to service organization requests from customers for information about internal controls or requests for access to audit (generally in accordance with contractual agreements)
- Assisting ERP clients to optimize and sustain a real-time controls environment at an enterprise level. We evaluate the effectiveness of current controls and develop a plan to rationalize financial and operationally significant controls. We subsequently design and implement a full range of simplified, standardized controls within core business applications that enables the company to document, monitor and continuously assess the effectiveness of those controls in a real-time environment