Wednesday, June 03, 2015

Supplier Risk Management - The Good, the Bad, and the Ugly by guest bloggers Dan Kinsella & Ajay Bolina

As clients continue to evolve their vendor relationships from broad-based sole sourcing into integrated service portfolios, and as vendors continue to evolve their service solutions into more technology-dependent offerings (e.g., Cloud, Digital), we expect the level of complexity and the risk profile of these interdependent relationships to increase. In the early stages of outsourcing it was quite common for an organization to govern and manage a single vendor for each of its functional sourcing needs, with a limited Vendor Management Organization (VMO). While this may have been convenient at the time, clients today are looking for more focused and specialized vendors who are able to integrate effectively into the Global Business Services portfolio.

During the 90’s into the 00’s it was much more common for clients to have a sole-source provider who provided all IT services, another who provided Finance and Accounting, and, depending on the level of maturity, a whole host of other providers delivering services for functions like Procurement, Facilities Management, Printing, Asset Management, Human Resources, etc.

Today, however, focus is shifting from delivering single-function services to delivering a range of services from a targeted mix of internal and external suppliers, while also asking some suppliers to work more collaboratively with each other on joint solutions. This increases complexity in the ecosystem, which includes Business Units, control functions such as information security and business continuity, tax, legal, sourcing, external vendors, captive delivery centers (near shore, onshore, global), and centers of excellence.

Increased complexity requires deeper and more sophisticated risk management policies and procedures, especially as regulators continue to issue more stringent guidance and apply greater scrutiny to Supplier Risk Management (SRM). To date, clients have not been able to respond with effective and efficient SRM programs.
 
Key questions a VMO should be able to answer regarding the SRM program include:
  • Do you know who all your critical suppliers are?
  • Are you assigning the highest level of risk monitoring and due diligence to your riskiest and most critical suppliers?
  • Have you reviewed and approved the Business Continuity and Disaster Recovery programs for your critical suppliers?
  • Do you have controls in place to manage and approve the use of subcontractors by your suppliers?
  • Do you know which suppliers have access to your data, including client data, and what types of data?
  • What controls do you have in place to manage access?
  • What information regarding SRM is provided to the risk committee?
  • Have you evaluated whether your suppliers are Foreign Corrupt Practices Act (FCPA) compliant?
If you do not have clear answers to these questions and a broad SRM program in place, you may be exposed to risks that you did not consider when you executed your supplier contract and that may remain unmitigated.

To gain a better perspective, we looked at the results of the 2014 Deloitte Global Outsourcing and Insourcing Survey, to try and understand how clients are thinking about Vendor Management, particularly as it pertains to supplier awareness (a sub-function of SRM).

The Good
Approximately 75% of respondents indicated they have a VMO[1]

At first glance you may think, well, 75% is not great, and while there is still some room to improve, the fact that nearly ¾ of those surveyed in the market indicated they have a VMO is quite impressive. This is a great place to start when trying to better understand the vendor landscape and to evaluate the true risks to your enterprise, which may be hidden or sheltered as a result of your supplier agreements. If the information is not available today, a well-run vendor management organization or procurement office should be able to access it.

The Bad
Only 40% of respondents indicated that they are satisfied with their supplier risk management program and adequacy of third party compliance and controls

While this is not ugly, it certainly does not appear to be good. With over 60% of respondents communicating neutrality or dissatisfaction with their SRM capabilities, regulators will be equally concerned and are likely to take remediation action.

The Ugly
Only 20% of respondents indicated that they are above average in terms of their SRM & Third-party Compliance program

This result is the most disappointing across all of the major VMO functions surveyed. Given the potential scale of service disruption and brand and reputational risk, we expected this percentage to be significantly higher. In fact, only one VMO function scored lower: Document Management.

Getting Started
Like all things, the best place to start when it comes to SRM is to first “Acknowledge the Gap” between the actual vendor risk and the perceived vendor risk. The next area of focus should be “Building Awareness”. Select a few major vendors and dig deeper into the dynamics of the relationship. Insolvency and bankruptcy risk is always an issue for niche vendors; however, the larger, more strategic relationships should be reviewed to understand concentration risk and data risks that may be passed through to the client. Finally, clients must leverage this information for “Taking Action”.

Critically important, when building an SRM capability, is to include stakeholders from the beginning. Managing supplier risk must not be seen as an imposition, but rather as a value to the business. However, it is too frequently built in isolation and enforced upon businesses. If the program is not hyper-efficient, businesses will focus on the inconvenience of the process, and not on the risks that the process is intended to mitigate.

Summary
In summary, knowing your critical suppliers is an essential element of any SRM program - “trust but verify” is the key.  Do not rely exclusively on contract provisions and consider measuring and monitoring compliance.  And remember, without the necessary controls, stakeholders may be left to their own devices.
For additional information on Supplier Risk Management, please visit GBS Deloitte.

This publication contains general information only, and none of the member firms of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
_____________________________________________________

Dan Kinsella is a Partner at Deloitte & Touche LLP
Ajay Bolina, Principal, Deloitte Consulting LLP



Copyright © 2015 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited

[1] Deloitte’s 2014 Global Outsourcing and Insourcing Survey: 2014 and Beyond, December 2014