
4 Steps to Integrating ERM into Vendor Management

No one, especially in these days and times, should discount the importance of vendors to their organization. Even if it were possible to handle everything internally, attempting to do so would spread any company’s people way too thin.

Regardless of the industry, geographic location, or sector, vendors represent an external dependency that consists of both upstream “suppliers” and downstream “distributors.” Disruption to any link in this supply chain can lead to a wide array of financial, reputational, or strategic consequences beyond any products or services themselves.

(See here and here for examples on what these consequences can look like.)

Therefore, vendors, or rather the risks around them, require diligent effort to prevent any disruptions. A previous article, Using an ERM Assessment Process to Understand Vendor Risks, explored one point along this life cycle, specifically risk assessment.

This article takes the topic of vendor risks a step further by providing a process for overlaying a holistic ERM process throughout the entire vendor management life cycle, similar to how ERM can integrate into strategic planning, project management, operations, and other areas.

It’s not that companies have been doing zero due diligence around vendor contracts, at least I hope not. But as internationally-acclaimed GRC pundit Michael Rasmussen states:

“Performing periodic due diligence or relying on superficial assessments is no longer sufficient. Modern risk management requires a deeper, more holistic understanding of the risks involved and a proactive, integrated approach to managing them. This involves leveraging technology, data analytics, and cross-departmental collaboration [emphasis added] to comprehensively view the risk landscape and respond effectively.”

I highlight “cross-departmental collaboration” because, like ERM in general, holistic vendor risk management really boils down to eliminating silos between business units, the benefits of which should become abundantly clear as we move along.

The 4 steps below represent a general, top-to-bottom process for breaking down silos and ensuring peak efficiency and effectiveness of managing vendors.

Step #1 – Vendor Management Policy

Any formal policy document must spell out, at a high level, the company’s stance on how relationships with vendors will be managed and how much risk the company is willing to take. Keep in mind that the process itself, which will require much trial and error before it functions smoothly, should be kept out of the policy.

It’s important to point out that this integration or focus isn’t just about risks in the typical (negative) context of the word, but opportunities in the form of streamlined operations, improved financial performance, reputational benefits, and more.

A silo-based approach to the important practice called vendor risk management leads to the company having multiple vendors for the same type of service or product, some of which can be totally redundant. For example, one company used four different project management software tools! All because the different business functions didn’t collaborate on sourcing a tool that could work for all of them, resulting in paying more money than necessary and the company managing projects differently by department.

Ouch – to both the wallet and operational effectiveness!

Taking a few minutes to go to the Vendor Management department or the functional area responsible for managing contracts to explain what you’re looking for and ask if there is a contract already in place can create economies of scale that give your company a competitive edge.

Consider this – instead of opening up a new relationship with a new vendor, why not leverage existing contracts? Even if there is an incremental increase in cost, it will pale in comparison to having to go through the entire vetting process outlined below.

The reason for pointing this out is the last thing anyone wants is to have a list of 500 vendors to manage.

Now there are instances where a niche vendor will be needed, so this article isn’t intended to convince you to set aside a specific need that a tool or vendor is not equipped to provide effectively.

Before jumping into evaluating actual vendors, some groundwork has to be laid in the form of…

Step #2 – Understanding the company’s biggest risk(s) and establishing thresholds and action plans

No company has one big risk. To understand the “biggest risks” for the purposes of managing vendors, you need to look at the highest priority strategic or business objective(s) and the risk(s) connected to them.

From here, the tool of risk appetite and tolerance should be applied to see which risks are within acceptable limits and which are not. You can likely surmise that the risk connected to your most important strategic objective AND that is outside acceptable limits (see graphic) is your company’s biggest risk for the purpose of vendor management.

chart of risks on priority list

From here, you have to know how much risk your company is willing to take, which ideally means using performance metrics linked to the designated objective to know at what point you should be concerned, and when you need to take action.

Let’s use an example to walk through this part:

A manufacturer is using Days of Inventory as a key metric, which is currently running around 35 days. Executives want to keep this at 30 days (Target). If this number were to drop to 28 (Threshold), management will need to investigate why and develop, but not yet execute, a business plan; management wants the action plan executed when the metric drops to 25 days of inventory (Trigger).

Even if you don’t have concrete business metrics to use, a general statement setting some loose boundaries (I like to call it drawing lines in the sand, with the lines being as narrow or broad as management is comfortable) gives you some guardrails to work within.

Step #3 – Prescreening potential vendors

Once you’ve identified your company’s top risks and established boundaries around what is acceptable and what isn’t, you’re ready to go vendor shopping.

Similar to scenario planning and “good” general decision-making processes, there is a generic list of questions you can ask about the vendor, with the first ones being:

  • What are we trying to do as a company that we need a vendor for?
  • What exactly is the vendor going to do?
  • Do we already have a relationship with a firm that can meet this need?

These answers, coupled with information about the vendor(s) themselves, can then be compared against the risk tolerance identified in step #2. This information can then be taken to help answer:

  • Will using this vendor help mitigate a risk the organization already has? Or will the vendor actually make it worse?

It’s possible during this evaluation that you determine that your thresholds will need to change if you go with a particular firm. Taking our example from step #2, you may really like the vendor, but their longer delivery times may necessitate moving the inventory targets to prevent disruption. If it’s determined that a vendor falls outside of where you’re comfortable, are you still willing to move forward with them? What will have to change within your company if you move forward with this vendor?

The final set of questions before moving forward with a vendor can include:

  • How dependent will we be on this vendor?
  • What will happen if they go down or are otherwise unable to provide services? Does that pose a risk to the organization?
  • Can we continue daily operations if we don’t have what the vendor is providing?
  • What business continuity plans does the vendor have?

Of course, these are just general questions. You will likely need, and are strongly encouraged to add, other questions specific to your company.

It’s tempting to think once you’ve reached this point and you’ve hired the vendor that you’re all done, but that just isn’t the case.

Step #4 – Relationship management and recurring check-in

Now that a vendor has been onboarded, you have a relationship with a company to manage – congratulations! You will now need to keep asking the vendor questions, with many of them remaining the same as in step #3 above. Remember that just as the environment both inside and outside your company changes, the same happens with other companies, including your vendors.

You will also need to monitor the risks the vendor poses to the company and continually ask whether those risks are acceptable.

Exactly how you manage the relationship will depend on company policy (i.e., approach to relationship management) and the type of product or service being provided by the vendor.

For suppliers of raw materials for manufacturing, you don’t want a single source. There needs to be some redundancy and duplication, whether that’s a 60/40 or 30/30/40 split or something else.

You can have one major supplier and a couple of minor ones.

Taking this approach keeps the minor suppliers warm – they are used to working with your company, but in the event something happens to the major vendor, they should be able to scale quickly. (In fact, it wouldn’t be a bad thing to occasionally test their scalability.)

Software vendors are a little different, since having redundant systems can be incredibly expensive and time-consuming to maintain. The time it would take to switch over to another software product is simply impractical.

Monitoring a software vendor, especially for critical software, will require a higher level of scrutiny of their ability to fail over and recover successfully, and of their overall service-level support. How quickly will you be able to get back up and running should the software go down?

While ERM should support the development of the formal policy around vendor management, the ultimate goal over the long-term is to have each business unit asking these questions and coordinating their activities with other areas of the company, or as Hans Læssøe alludes to in his book Prepare to Dare – Using Risk Management to Make Manoeuvrability Your Strategic Advantage in a Volatile World:

“The advanced level of risk management essentially changes management of risks from being a governed and required effort to be a cultural element which is ‘just being done.’”

The one catalyst that makes all of this possible is tone at the top.

As is the case with ERM, business continuity, and other efforts, without executives setting the tone and expectation, business functions will continue to operate in their silos.

The benefits of overlaying or integrating ERM with vendor management are clear, according to Michael Rasmussen. He explains that doing so “…helps protect the organization from reputational harm, legal scrutiny, but also helps ensure the third-parties are a good fit for the organization.”

The alternative means leaving your company vulnerable to risks like reputation hits and constant administrative headaches that cause you to always put out fires instead of working confidently toward achieving strategic goals.

Does your company handle vendors one-by-one by the business? Or does your company have a robust process that ties disparate silos together?

I can’t overstate the complexity and importance of managing vendors at the enterprise level, which is why collaboration is so important. If you have any insights that you are able to share to help fellow risk professionals, please don’t hesitate to leave a comment below or join the conversation on LinkedIn.

And of course, if you’re reeling from a bad experience from a vendor and would like some help in setting up a formal process and policy for your company, take a moment to reach out to say hello and begin the journey to better vendor management today!


Meet Carol Williams, SDS Founder & Lead Strategist
