Companies don’t have as many walls as they used to. In an effort to reduce costs, improve efficiency and flexibility, and leverage new technologies and expertise, most large companies today have engaged hundreds or even thousands of third-party vendors to provide products and services. From handling IT, payroll, and accounting to manufacturing, marketing, and selling a company’s products, third-party vendors are now woven deep into the fabric of companies’ most vital functions.
While all organizations monitor vendor performance against the terms of their contracts and service level agreements (SLAs), many fail to put adequate resources into assessing and managing the risks associated with those vendors. This can leave the organization open to service or supply-chain interruptions if a vendor fails, experiences a technical or process breakdown, or is impacted by a crisis event — like, for instance, last October’s Hurricane Sandy. The list of risks goes on and on, from data breaches to regulatory noncompliance to risks associated with security, stability, and operational or cultural practices in the vendor’s country of origin. Vendor risk is receiving ever-greater scrutiny from boards, regulators, auditors, and other stakeholders, and managing these risks effectively is a must, both to satisfy those stakeholders and as a matter of simple good sense: When you’re up a ladder, you want to know the person holding the bottom has a steady grip.
Effective vendor risk management takes a holistic, strategy-driven view across the universe of an organization’s vendor relationships. It sets up a structure to promote consistency, accountability, and effective controls over all stages of the vendor lifecycle, from the risk-assessment stage, to vendor selection and due-diligence, to contracting, to ongoing relationship management. The range of risks across this universe is potentially huge, as is the sheer number of vendors with which a large company might have relationships. Getting a consistent vendor risk management structure in place and then taking the reins might seem like a Herculean task. But it doesn’t have to be.
Start with the numbers. A global firm might have as many as 100,000 vendor relationships, but when you start examining the individual strategic value of those vendors, the core numbers drop precipitously. Office supply vendors? Not critical. Janitorial services? Not critical. Coffee and vending machine suppliers? Not critical, except maybe late at night. Once you strip away vendors whose products and services have negligible impact on the company’s strategic direction and operations, you’re left with a small number that are truly important, and maybe only half of those provide absolutely critical functions in which your organization cannot afford interruption: IT, legal, health and benefits, payroll, outsourced production of products or elements required in your production cycles, etc. These are the vendors on which you need visibility. What are they doing? How are they doing it? What are the risks to which they’re susceptible? Are they stable and secure? If they fail, what’s your plan for replacing them?
Now, how do you parse your list of vendors, separating the wheat from the chaff, documenting the differences, and moving toward effectively managing risks around your critical vendors? As in much else today, a big part of the answer lies within your ERP platform, which can become the source for data on your procurement, your supply chain, and your critical joint business relationships. Being able to pull and analyze that information within your ERP system can give you the first cut of data you’ll need to begin ranking your vendors by their importance to your organization. From there, you can begin leveraging a governance, risk, and compliance (GRC) tool to focus your resources toward comprehensively monitoring your most critical vendor relationships.
Conducting a spend analysis is a good first step. Such an effort will provide visibility into where the company’s vendor dollars are going, what services or products it’s getting for its money, where its vendors are located, whether a particular service or product is solely or primarily sourced from a single vendor, and so on. Such information, gathered and stored in a database, provides companies with a flexible tool with which to analyze vendor risk.
Initiating a spend analysis program involves first extracting spend data from your ERP system and any other relevant locations within the organization (procurement applications, expense reports, manual spreadsheets, etc.), aggregating this data into a single database, then cleaning and normalizing the data to remove errors, standardize vendor names and abbreviations, and map services and products to a widely accepted set of classification codes (such as the United Nations Standard Products and Services Code, or UNSPSC). Analyzing this information will allow you to create a list of important vendors, from which point you can assign resources to make a deeper assessment and determine those that are absolutely critical to the organization.
Rankings of vendor criticality determine the frequency and scope of the due diligence each vendor relationship requires. Core vendors might be assessed annually, providing information on their financials, credit rating, insurance, performance metrics, and controls, and completing a due diligence survey/self-assessment that addresses questions of information and software security, physical security, data access, etc. Adding this information to your database provides the raw material from which to generate risk insight and rankings. Examining vendors by industry classification or product, for instance, can show which vendors might be susceptible to certain industry-specific risks (talent shortages, commodity supply issues, etc.). Examining by geographies may show a concentration of critical vendors in a region prone to political instability or natural disaster. Examining by security protocols may point up vendors with inadequate data privacy controls, or where the security of physical assets is soft.
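The spend-analysis steps described above (extract, aggregate, normalize vendor names, map to a classification code, then rank by criticality and look for sole-sourcing and geographic concentration) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the author or from any vendor risk management product. The vendor names, amounts, countries and category labels are constructed; the category labels stand in for the UNSPSC codes a real pipeline would map to, and the set of "critical" categories and the 50% concentration threshold are assumptions an organization would set for itself.

```python
"""Spend-analysis helper: normalize vendor names, aggregate spend across source
systems, and flag sole-sourced critical categories and geographic concentration.
Added example; every record below is constructed, not real data."""
import re
from collections import defaultdict

# Constructed sample export (hypothetical), as it might arrive from an ERP plus a
# procurement system: the same vendor spelled three different ways.  "category"
# stands in for the classification code (e.g. UNSPSC) each line is mapped to.
SPEND_RECORDS = [
    {"vendor": "Acme Payroll Services, Inc.", "category": "payroll",         "amount": 250000.0, "country": "US"},
    {"vendor": "ACME PAYROLL SERVICES INC",   "category": "payroll",         "amount": 180000.0, "country": "US"},
    {"vendor": "Acme Payroll Svcs",           "category": "payroll",         "amount":  70000.0, "country": "US"},
    {"vendor": "Globex Cloud Hosting LLC",    "category": "cloud-hosting",   "amount": 400000.0, "country": "SG"},
    {"vendor": "Initech Data Centers Ltd.",   "category": "cloud-hosting",   "amount": 120000.0, "country": "SG"},
    {"vendor": "Office Depot Co",             "category": "office-supplies", "amount":  15000.0, "country": "US"},
    {"vendor": "Sunrise Janitorial",          "category": "janitorial",      "amount":  30000.0, "country": "US"},
]

# Categories the organization has judged critical (an assumption for this example).
CRITICAL_CATEGORIES = {"payroll", "cloud-hosting"}

# Trailing legal-form tokens to strip, and abbreviations to expand, when normalizing names.
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "co", "corp", "corporation", "company", "limited", "plc", "gmbh"}
ABBREVIATIONS = {"svcs": "services", "svc": "services", "intl": "international", "mfg": "manufacturing"}


def normalize_vendor_name(name):
    """Lower-case, drop punctuation, expand abbreviations, strip legal suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    tokens = [ABBREVIATIONS.get(t, t) for t in tokens]
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def aggregate_spend(records):
    """Collapse records onto the normalized vendor name, keeping the raw aliases seen."""
    totals = defaultdict(lambda: {"amount": 0.0, "categories": set(), "countries": set(), "raw_names": set()})
    for r in records:
        v = totals[normalize_vendor_name(r["vendor"])]
        v["amount"] += r["amount"]
        v["categories"].add(r["category"])
        v["countries"].add(r["country"])
        v["raw_names"].add(r["vendor"])
    return dict(totals)


def rank_vendors(records):
    """Critical-category vendors first, then by descending total spend."""
    ranked = []
    for name, v in aggregate_spend(records).items():
        tier = "critical" if v["categories"] & CRITICAL_CATEGORIES else "non-critical"
        ranked.append({"vendor": name, "spend": v["amount"], "tier": tier, "aliases": sorted(v["raw_names"])})
    return sorted(ranked, key=lambda x: (x["tier"] != "critical", -x["spend"]))


def sole_sourced_critical(records):
    """Critical categories supplied by exactly one (normalized) vendor: no fallback if it fails."""
    by_cat = defaultdict(set)
    for r in records:
        by_cat[r["category"]].add(normalize_vendor_name(r["vendor"]))
    return sorted(c for c, vendors in by_cat.items() if c in CRITICAL_CATEGORIES and len(vendors) == 1)


def country_concentration(records, threshold=0.5):
    """Countries carrying at least `threshold` of critical-category spend."""
    by_country = defaultdict(float)
    for r in records:
        if r["category"] in CRITICAL_CATEGORIES:
            by_country[r["country"]] += r["amount"]
    total = sum(by_country.values())
    if total == 0:
        return []
    return sorted(c for c, amt in by_country.items() if amt / total >= threshold)


if __name__ == "__main__":
    for row in rank_vendors(SPEND_RECORDS):
        print(f"{row['tier']:<12} {row['spend']:>10,.0f}  {row['vendor']}  (aliases: {row['aliases']})")
    print("sole-sourced critical categories:", sole_sourced_critical(SPEND_RECORDS))
    print("countries holding >=50% of critical spend:", country_concentration(SPEND_RECORDS))
```

On the constructed data the three Acme spellings collapse into one vendor carrying the whole payroll category, which is therefore flagged as sole-sourced, and Singapore is flagged because both hosting vendors sit there and together they hold just over half of critical spend. Name normalization is the step that matters most: without it, the single-vendor dependency is hidden behind three separate ERP records.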
In addition to vendor surveys, information might also come from internal performance data, public external sources, and elsewhere, so doing the legwork to assemble, clean, normalize, and populate this data will be no simple task, even after you’ve pared your focus down to your critical vendors. But technology can help, providing tools to manage and automate your vendor GRC processes and your ongoing vendor relationships.
The use of automated vendor analysis is growing. Using tools that automatically extract data from source systems helps you classify and enrich data in your database and makes it easy to leverage dashboards to analyze spend data, contract compliance, performance against pre-determined service or delivery metrics, and compliance with standards related to labor practices, environmental impacts, supplier management, and so on. Complete vendor risk management software solutions are available that can help companies:
Collating the vendor information stored in company ERP/procurement systems and using vendor risk management software to mine and enrich that data allows companies to more easily narrow their risk management focus to critical vendors, monitor the overall health and performance of those vendors, and make sure everything is proceeding according to plan, contract, and SLAs — or not. The goal is securing an early and more complete understanding of your company’s vendor relationships, which may help to reduce unanticipated costs related to regulatory fees, reputational damages, and unintended natural events.
Joe DeVita is a partner with PricewaterhouseCoopers, based in the New York Metro area, and leads the governance, risk and compliance (GRC) technology practice for PwC. Joe works with clients to improve and optimize controls around the financial reporting processes, including business process and IT management controls and IT Security and governance reviews. He also assists clients with application selection, implementation, and optimization of Oracle applications including Oracle E-Business Suite and Oracle GRC Suite.
Joe has more than 21 years of IT development, implementation and project management experience and has worked with many of the firm’s key clients, including JP Morgan Chase, BP Amoco, IBM, NIKE and Toyota Motors, working with many key issues surrounding risk management and IT controls, including:
Joe is a Certified Public Accountant (CPA), and a Certified Information Technology Professional (CITP). He also holds a Bachelor of Science degree in Business Administration from American University in Washington, D.C.