The 3rd-party risk management hazards that are costing your business

Liam Gill   |   September 9, 2021

Previously, we have touched on the broad landscape of third-party risk management in the context of subcontractor-dependent industries. Now let’s zoom in on the specific “risk buckets” to see where the potential leaks are.

Treating all vendors equally may not always be the best approach

When it comes to third-party risk management, organisations need to consider the past to best inform the future, and adjust current practice when needed.

Not all suppliers are of equal risk to a business, so should the treatment be the same across the board? (Note that this is different from the topic of equal opportunities.)

Many organisations use a Value/Risk matrix to segment their supplier base and determine the appropriate level of assessment. Another similar one is the Kraljic matrix.

Figure: The value/risk matrix. Source: Queensland Government

Based on this logic, it is both inefficient and risky to use the same prequalification questionnaire for a cleaner and an excavating subcontractor.

There are even further supplier segmentation strategies that organisations are either not applying, or not applying simultaneously (e.g. based on performance rating, item/service type, supplier industry, etc.).

A lack of differentiation in how vendors are managed throughout the relationship cycle (before-during-after engagement) leaves organisations exposed to operational, financial and reputation risks.

Before the engagement: Vendor prequalification

Consider this news story: the Australian Defence Department awarded a contract to a US firm blacklisted by the US government for bribing American Air Force officials.

Even though it was a low-value contract by Defence’s standards, the lack of knowledge raised some questions around the risk management practices of the department.

Due diligence in vendor assessment is crucial, yet even a highly regulated department made the mistake of not checking the publicly available list of blacklisted companies.

Similar to the finance industry’s “Know Your Customer,” “Know Your Supplier” is increasingly critical. That means maintaining sufficient breadth and depth of data on your suppliers, such as the details of a company’s directors, especially for suppliers that you class as high-risk.

Many organisations choose to do intensive vendor prequalification in advance and use a panel arrangement to capitalise on savings.

Although carrying out a robust prequalification process is necessary, information is constantly expiring and being edited, which creates risks throughout the vendor selection phase:

  • A supplier’s compliance document has lapsed just before the sourcing process and there’s no visibility
  • Under-resourced contractors being selected (market conditions: low margins, high input costs forcing contractors to bid low or tender for work exceeding their current capacity)
  • Previously under-performing contractors being selected (performance review poorly executed or out of date)
  • Poor supplier prequalification or onboarding questionnaires that do not provide enough information on key risk areas, hence the need for standardised prequalification

Spotlight: Felix insights

  • This is a hypothetical user dashboard within the Felix platform.
  • Specific numbers aside, what this shows is that at any given point in time, organisations could be avoiding a nearly 15% chance of engaging a supplier flagged as at risk, a nearly 4% chance of engaging a declined supplier, and a nearly 17% chance of engaging a supplier pending approval.

Figure: Felix dashboard

As the supplier approval process can require input from multiple stakeholders, information silos often emerge. If the operations team has no visibility into the supplier’s latest status, they risk engaging a non-compliant vendor, either from a legal or performance standpoint. 

During the engagement: Contract monitoring

The ball does not stop rolling once contracts are awarded. A survey by World Commerce & Contracting (formerly IACCM) indicated that the average cost of poor contract management is 9.2% of an organisation's annual income - and even up to 15% of the contract value for large capital projects.

Moreover, due to the sheer and increasing volume of outsourced work and/or limited internal capacity, many organisations can lose track of key terms or milestones within vendor agreements.

Out-of-date or rolling contracts, missed delivery dates, “verbal agreements” and so on can result in value leakage, which KPMG estimated to be typically around 17-40% of a contract’s value. From a total cost of ownership perspective, poor supplier performance can result in significant indirect costs of 10-20% (McKinsey).

While the issue of contract setup deserves a whole book in itself, it is worth stressing that vendor management is not a “solitary, arbitrary, or one-off process.” Hence, after the painstaking process of drafting and executing the contract, an organisation may still be exposed to risk if:

  • There is no ongoing contract performance monitoring
  • Contract KPIs are ill-defined
  • There is no shared visibility of progress between the organisation and its suppliers
  • There are no clear incentives or timely corrective measures to improve performance
  • The same performance management process is used for all kinds of suppliers
  • There is a lack of collaboration between procurement, legal and operations

After the engagement: Evaluation and beyond

Once a contract or engagement is done and dusted, what happens to vendor performance data? One or a combination of the following scenarios typically develops:

  • There is no performance data due to no clear mandate or mechanism to collect it
  • The data exists but is not accessible to all relevant stakeholders
  • Performance is not evaluated properly: poor questionnaire design, or performance review is not done frequently enough or in a timely fashion
  • The evaluation is delayed, meaning the information submitted has decayed over time. This delay impacts the quality and accuracy of review

In the age of data being the “new oil,” no performance data or insufficient performance evaluation = poorly informed decision-making when it comes to the next sourcing event.

The “set and forget” approach to sourcing is rather risky, with no continuous feedback loop between sourcing and supplier relationship management. 

Moreover, how performance information is recorded also impacts how useful the data is. It is not uncommon for organisations to use spreadsheets to house performance scorecards. This gets more complex as the spreadsheet grows across different suppliers and over time, or when different performance reports link to spreadsheets that are not kept up to date.

Figure: An example of a performance scorecard using spreadsheets

A long hard look at risk management practices

With so much still going on in the world and added cost pressure, it can be hard to ensure you’re following best practices in all areas of enterprise risk management.

However, it shouldn’t take another pandemic to realise the importance of getting it right. That’s why with our recent research report, we are also providing benchmarking data for current risk management practices, as well as levels of risk awareness within the industry.  

It’s specifically relevant for those who rely heavily on services-focused supply chains, often with a high concentration of high-risk subcontractors.


Liam Gill
Liam is an Enterprise Account Executive at Felix working closely with construction, utility and mining companies. Liam is always eager to promote how technology can help leverage relationships, drive collaboration and inform decision making.