Previously, we have touched on the broad landscape of third-party risk management in the context of subcontractor-dependent industries. Now let’s zoom in on the specific “risk buckets” to see where the potential leaks are.
When it comes to third-party risk management, organisations need to consider the past to best inform the future and adjust the current when needed.
Not all suppliers are of equal risk to a business, so should the treatment be the same across the board? (Note that is different from the topic of equal opportunities).
Many organisations use a Value/Risk matrix to segment their supplier base and determine the appropriate level of assessment. Another similar one is the Kraljic matrix.
Based on this logic, it is both inefficient and risky to use the same prequalification questionnaire for a cleaner and an excavating subcontractor.
There are even further supplier segmentation strategies that organisations are either not applying, or not applying simultaneously (e.g. based on performance rating, item/service type, supplier industry etc.)
A lack of differentiation in how vendors are managed throughout the relationship cycle (before-during-after engagement) leaves organisations exposed to operational, financial and reputation risks.
Consider this news story: Australian Defence Department awarded a contract to a US firm blacklisted by the US government for bribing American Air Force officials.
Even though it was a low-value contract by Defence’ standard, the lack of knowledge raised some questions around risk management practices of the department.
Due diligence in vendor assessment is crucial, yet even a highly regulated department made the mistake of not checking the publicly available list of blacklisted companies.
Similar to the finance industry’s “Know Your Customer,” “Know Your Supplier” is increasingly critical. That means maintaining sufficient breadth and depth of data on your suppliers, such as the details of a company’s directors, especially for suppliers that you class as high-risk.
Many organisations choose to do intensive vendor prequalification in advance and use a panel arrangement to capitalise on savings.
Although carrying out a robust prequalification process is necessary, information is constantly expiring and being edited, which creates risks throughout the vendor selection phase:
|
Spotlight: Felix insights
|
As the supplier approval process can require input from multiple stakeholders, information silos often emerge. If the operations team has no visibility into the supplier’s latest status, they risk engaging a non-compliant vendor, either from a legal or performance standpoint.
The ball does not stop rolling once contracts are awarded. A survey by World Commerce & Contracting (formerly IACCM) indicated that the average cost of poor contract management is 9.2% of an organisation's annual income - and even up to 15% of the contract value for large capital projects.
Moreover, due to the sheer and increasing volume of outsourced work and/or limited internal capacity, many organisations can lose track of key terms or milestones within vendor agreements.
Out-of-date, rolling contracts, missed delivery dates, “verbal agreements” and so on can result in value leakage, which KPMG estimated to be typically around 17-40% of a contract’s value. Looking at a total cost of ownership perspective, poor supplier performance can result in significant indirect costs of 10-20% (McKinsey).
While the issue of contract setup deserves a whole book in itself, it is worth stressing that vendor management is not a “solitary, arbitrary, or one-off process.” Hence, after the painstaking process of drafting and executing the contract, an organisation may still be exposed to risk if:
Once a contract or engagement is done and dusted, what happens to vendor performance data? One or a combination of the following scenarios typically develop:
In the age of data being the “new oil,” no performance data or insufficient performance evaluation = poorly informed decision-making when it comes to the next sourcing event.
The “set and forget” approach to sourcing is rather risky, with no continuous feedback loop between sourcing and supplier relationship management.
Moreover, how performance information is recorded also impacts how useful the data is. It is not uncommon for organisations to use spreadsheets to house performance scorecards. It gets more complex as the spreadsheet grows across different suppliers and time, or different performance reports link to certain spreadsheets that are not updated and so on.
With so much still going on in the world and added cost pressure, it can be hard to ensure you’re following best practices in all areas of enterprise risk management.
However, it shouldn’t take another pandemic to realise the importance of getting it right. That’s why with our recent research report, we are also providing benchmarking data for current risk management practices, as well as levels of risk awareness within the industry.
It’s specifically relevant for those who rely heavily on services focused supply chains, often with a high concentration of high-risk subcontractors.