Nobody likes getting caught off guard. Finding out that your largest, most trusted supplier is suddenly one court order away from bankruptcy. Having to deal with a breach of confidential data. Trying to save face after your crisis management efforts fail. Ouch!
These are real potential catastrophes for an enterprise. But in business, we tend to lump them together under the watered-down category of “risk.”
As many executives have belatedly realized, risk must be taken very seriously. It can disrupt supply chains, eat up revenue streams and destroy entire brands. But just being aware of risk isn’t enough to provide protection. So what do you do about it?
First, you read our new INSIGHT IT piece, “RISK: Data-Driven Intelligence Is the Key to Effective Third-Party Risk Management.” It includes three crucial technology-related considerations for early identification and management of risks presented by vendors and suppliers.
A must-read for CIOs and IT teams looking to buttress their defenses against potential exposure from third-party contact points.
Are your suppliers a bulwark against supply chain instability? Or thousands of points of exposure?
Most enterprises rely upon thousands, if not tens of thousands, of suppliers to keep their operation running and to bring products and services to market. Each supplier relationship, regardless of how large or strategic, creates one of two things:
Thanks to technology, all of these third-party “contact points” are known and can be centrally managed. Therefore, anyone with an ownership stake in the selection, implementation or use of a platform that includes supplier and contract management bears a great deal of responsibility for ensuring proactive risk mitigation.
In this paper we will discuss three critical intersections of technology, risk, and systems-enabled third parties:
The most basic protection (or exposure) a company receives from its suppliers is how those companies cover themselves against risk. When a contract is signed, procurement can request a Certificate of Insurance (COI) and ensure that all of the information in it is up to date and correct. Unfortunately, at any point after that moment, the supplier can fail to pay premiums, cancel or reduce coverage, etc. And shockingly, according to supply chain risk experts GRMS, a full 90 percent of vendors and suppliers often inadvertently misrepresent the actual insurance coverage indicated on their COIs. Nothing in the neatly filed but unsuspectedly obsolete COI will protect the company against the ramifications of an under-insured supplier facing legal action or other consequences.
Risk mitigation requires proactive management of insurance coverage for all contracted suppliers. Without this ongoing monitoring, the likelihood of failing to spot a change or lapse before an incident occurs is significantly increased.
If a third party is going to touch my systems, I had better be protected. If something goes wrong, it could either crash the system or hit us with a very large bill.
The same can easily be true of, say, IT security questionnaires. Suppliers are routinely asked to certify that they meet a set of security requirements and upload the file into a supplier management platform. That may meet the data requirements established by IT and procurement, but it assumes too much to serve as protection. By adding a human service component, the enterprise can ensure that the supplier did in fact sign the requirements form, and that they did so without modification. Combining data and service elements in a risk management program thus ensures that such security measures can be real and effective, not simply assumed or implied.
No company wants to do business with a provider that is on shaky financial ground. This is especially true of enterprise-wide technology implementations. Evaluating a prospective supplier's financial standing is a routine part of the RFP and competitive bidding processes, but as with insurance validation, it can change on a daily basis, or be fabricated with relative ease.
Having global financial risk information, including bankruptcy liens and judgements*, available as part of a supplier's information profile is a strategic advantage, but it may fall short of driving appropriate action. In addition to consolidated information, we return to the need for both data and service to be part of the solution: In this case, avoidance or containment of risk depends on timely notifications and alerts to changes in a supplier's financial standing. The raw data is all well and good, but it must be brought to the company's attention immediately.
* Applicable only in the U.S.
In many cases, companies are focused on ensuring data security by insisting upon compliance with relevant regulations: conflict minerals, supply chain transparency, slavery, international watchlists, etc. And yet, none of this compliance protects them against the impact of cybersecurity failures.
Responsible enterprise leadership teams will ensure their own IT security, but what about that of the third parties that have access to their systems? For this, companies require an accurate, up-to-date assessment of their “security posture.” Having this information helps determine the likelihood of a breach that could expose corporate and/or customer data to criminal exploitation.
Risk is pervasive, and it persists whether or not it is actively monitored. While insurance coverage and financial stability are obvious sources of risk, the reality is that any time a company makes a commitment and fails to meet it, a potential financial liability is created. Even “soft” programs such as Corporate Social Responsibility (CSR) can invite risk.
If procurement implements a solution to manage CSR in the supply base, data has to be gathered, yes. But procurement then needs to interpret and analyze that information, and the results of that effort will impact potentially significant business decisions. Reputational damage is unlikely to be contained because the risk was “only” CSR-related.
Risk management is of increasing importance to enterprise leadership teams, and as corporate procurement becomes a key participant in the digital transformation program, its role, relative to risk management, will not only expand – it will also become more strategic.
Since effective risk management requires access to intelligence rather than just aggregated information, a hybrid solution that combines both data and service is the most viable path towards maximum protection. Companies without an appropriate solution in place may make the mistake of thinking they have a data problem, when instead their risk stems from lack of access to reliable, actionable intelligence.