Written by vendor management professionals
The expansion of digital business, growth of cloud services and increasing regulatory scrutiny of third-party vendor relationships are just a few factors placing a heightened focus on vendor risk management. But not every vendor relationship is created equal. A true, risk-based approach requires organizations to first segment their vendors based on pre-determined criteria, and then establish an appropriate level of ongoing diligence and oversight activities based on the assigned level of risk. And while the specific activities may vary across organizations, there are three types of risk you want to be sure to address.
Operational risk is the risk that your organization will experience a major hiccup (or shutdown) of some segment of your business if a vendor’s processes, people or systems fail. Operational risk goes hand in hand with your reliance on a vendor, and is typically higher with vendors that provide services such as outsourcing, IT systems and data.
There are two good ways to mitigate operational risk: perform periodic due diligence reviews (on-site, desk-based or both), and create a contingency plan for the event that a risky vendor fails. These two mitigation activities reinforce each other, especially for mission-critical vendors: the review tells you how likely a failure is, and the contingency plan determines how much it will hurt.
Financial risk is the risk that your organization is negatively impacted financially due to a vendor relationship. This can come in two forms: excessive costs and lost revenue.
The risk of excessive costs tends to get the most focus. Most organizations have become adept at managing competitive solicitations and negotiating good pricing. But negotiating a good price has little to do with managing costs, which comes from enforcing contract compliance, effectively managing the procure-to-pay cycle and performing periodic cost and contractual audits. It is the work done after the vendor contract is negotiated that mitigates the risk of excessive costs.
The other financial risk relates to the reliance on vendors who support your own revenue-producing activities. Examples include fundraising companies, outsourced service providers and fulfillment centers, to name a few. It may also include vendors whose technologies you use to process financial transactions. Problems with these vendors may delay access to revenue or, in the worst cases, result in lost revenue for your organization. It’s important to identify and segment these types of vendors to design the most appropriate diligence and oversight activities, and to also integrate with your operational risk planning as it relates to contingencies.
Regulatory compliance risk is the risk that a third-party vendor will violate a law or regulation that your organization (or an outside agency) requires it to follow as a condition of doing business with you. This is becoming an increasingly hot topic in many industries. Nonprofit organizations like health plans, healthcare systems and credit unions, along with those that receive Federal grants, are heavily regulated by Federal agencies, and in many cases certain regulations pass through to third-party vendors.
If you're in this boat, you'll want to ensure your risk management activities enable you to evaluate how well your vendors are complying with the applicable laws and regulations. This might include regularly determining whether vendors are aware of both new and existing regulations, and whether they have policies and procedures in place to implement them. Data privacy is of particular interest to regulators, making it important to ensure compliance with the laws, regulations and best practices put forward by the relevant regulatory bodies.
There’s no shortage of risks when it comes to your vendors, but remember: risk varies from vendor to vendor. The key is to carefully assess risk so you can properly segment, and efficiently manage, your most important and riskiest vendors.
Tom is Founder & CEO of Vendor Centric, a consulting firm that helps organizations adopt a risk-based approach to vendor management. Connect with Tom on LinkedIn or drop him a note at firstname.lastname@example.org.