Third Party Oversight

In the Evolving Business Environment, Can You Overlook Real-Time Risk Monitoring?

Written by

Infrastructure security inadequacies at companies such as Equifax, Deloitte, and Accenture in the past few weeks have been part of corporate discussions. These are big reputed companies, which one may assume secure their network with strict security measures in place, but they have also succumbed to data breach incidents and neglect such as old servers being left exposed revealing sensitive information. This makes one re-think their supplier monitoring strategy, and how we should never be satisfied when it comes to safety or delivering quality services to end-clients.

Risk Monitoring

  • The supplier management process starts with step one, the desire to select a supplier for a business requirement. Step two will be to assess the risks associated with the pool of supplier options. Step three is selection of the supplier. Step four, risk monitoring, runs till contract term period ends and does not end with the initial due diligence step.
  • The risk monitoring process includes having adequate data to assess the risk, concluding how to utilize the data to analyze and predict risk, and have actionable steps documented. It also involves continuously assessing supplier risk, in real-time and the potential risk exposure and having a mitigation plan portfolio in place. An outsider view of the supplier is also important to assess the risk and financial viability of a supplier is no longer the only criteria necessary to analyze vendor risk but also innovation, employee metrics, competition, and alliance relations amongst others.

Why Choose to Manage Vendor Risk in Real-Time?

Clients need to assess the following to capture the risk potential: whether client risk assessment measures include 360 degree analysis; are the supplier operations being affected due to macro environment factors such as changes in countries trade policies and agreements; key executives leaving to work for competition; environmental disasters; critical system outages; theft of sensitive data/cyber-attack; regulatory non-compliance, tax or labor issues; purchase price escalation; supplier bankruptcy; and mergers and acquisitions.

  • Macro-Economic Environment: Brexit led the currency Sterling’s (GBP) value to fall and caused delayed decisions on clients’ side and impacted suppliers’ revenue that export to the UK. The US Presidency under Donald Trump suggested new policy changes which raised alarm for a few companies who anticipated negative revenue impact from certain regions or increase in operational costs.
  • Natural Disasters: Hurricane Maria affected electricity supply in Puerto Rico. During such events, disruption/downtime in business services can be expected, the servers could be down; employees may be unable to work from office, thus slowing the progress of some critical projects.
  • Data Breach Theft: A massive data breach at Equifax exposed personal information of millions of US citizens and also some UK and Canadian citizens. Such breaches indicate inadequate data security measures and lapse of firewalls, which lead to reputational risk and invitation of legal probe by authorities including imposition of various fines.
  • Employee Layoffs: TCS announced plans to shut down its Lucknow (India) facility including ~2,000 job cuts due to slowdown in the IT industry. HPE reportedly plans to cut ~5,000 jobs. Impact of layoffs is reflected in terms of employee attrition, reduced team morale, and productivity, ambiguity in roles/responsibilities, and lack of talented staff to fulfill on-going project commitments.
  • Mergers/Hive-offs: The merger of Hewlett Packard Enterprise’s (HPE) enterprise business (HPES) with CSC led to the formation of new company, DXC Technology. After the CSC-HPES merger, Berner Kantonalbank terminated its contract with HPE Switzerland. Recently the spin-off and merger of HPE’s software business with Micro Focus was finalized. This involved HPE’s software assets being transferred to Micro Focus, leading to doubts among clients about how important will the HPE software portfolio be for Micro Focus compared to Micro Focus’ existing offerings?

The above risks may affect suppliers’ or clients’ reputation and business operations in terms of productivity and cost effectiveness etc.

How to Approach Risk Management?

  1. Databank: Prepare a database on suppliers which includes a 360-view of company capabilities. The database should be updated regularly including various aspects like product launches, business continuity plans etc. Identify how actively the supplier is involved in updating those aspects, particularly in terms of innovation and adjustability to market environment. It is also important to consider other key relationships such as partners, distributors, sub-contractors, and others.
  2. Sources of Data: Assess and understand risk and consider various forms of data from a variety of sources (OFAC (Office of Foreign Assets Control) economic/trade sanctions list, supplier financials, business continuity plans and test results, information security and breach notifications, vendor management (suppliers having subcontractors to support client needs), internal risk subject matter recommendations etc.). Risk can be assessed for e.g. in terms of infrastructure and malpractices: Will the clients’ ongoing operations be affected if supplier operations are interrupted (data breach, outages, natural disasters, employee issues etc.)? Does a supplier malpractice have the potential to affect clients’ reputation and brand? Does the supplier meet with regulatory compliance requirements and has the ability to handle health and safety based challenges?
  3. Risk Identification: Convert data into insights to predict risk in terms of how much impact it can create and then list the risk level in terms of actions required to mitigate the risk. This will require a thorough framework and an analytical model. Clients can link supplier risks to the products and services used with earnings generated to analyze: demand of the offering, effect on price and research & development decisions etc. List the suppliers in accordance with the level of risk they pose compared to peers.
  4. A Ready Reference Actionable Plan Library: Key cross-functional risk mitigation actions should be identified, formalized, and stored for easy reference, to enable structured, repeatable, and coordinated execution across the clients’ enterprise. The action plan will consider repeatable triggers in relation to specific procedures, roles, responsibilities, and appropriate measures for them.

Takeaway

Risk will always be dynamic in nature driven by the constantly changing external and internal business environments. Hence, it becomes more important to constantly monitor and re-evaluate the relevance of the identified risks along with the effectiveness of existing control measures, and implementation plans. Is monitoring supplier risk essential? The answer probably will never be a ‘No’.

To stay updated on various supplier/location risk factors and real-time risk monitoring, subscribe to Supply WisdomSMContact us for more information or to get started with a free trial.