It’s Never a Bad Time for a Supplier Risk Review
Whether you plan to be GDPR compliant or not by the go-live date of May 25, it's a good idea to follow these supplier risk review steps now.
Financial services organizations – credit unions, banks, insurance companies, wealth management firms and wire houses – are constantly trying to balance regulatory mandates and expectations against operational efficiency. Massive supplier data breaches have become an almost regular occurrence (at least the ones that get reported), customer privacy and data laws are becoming more stringent (GDPR), and predatory behavior by suppliers and vendors is an ongoing issue. Certainly, the porous nature of globalization isn’t making things any easier. With all that to contend with, it’s critical to remember that you can pin the blame for a risk on a third party, but not the responsibility for it: the regulator holds the institution, not its supplier, accountable.
Which supplier management solution you use – Supplier Information Management (SIM), Supplier Relationship Management (SRM), Supplier Risk and Performance Management (SRPM), etc. – depends on your goals and strategy. Many financial services companies have traditionally used an SIM, SRM or SRPM solution to manage operational and commercial risk – business continuity, credit issues and others. But as regulations mandate the oversight of third-party vendors, the need for more robust tools – or at least the ability to better exploit the tools at hand – is fundamentally changing how companies approach their supplier management technology.
No wonder financial services is one of the few verticals where the chief risk officer plays a fundamental role. In fact, one such institution (Santander) promoted a risk officer to CEO. In Aon’s global risk management survey report, 76% of respondents said they have adopted a formal or partially formal approach to risk management and oversight at the board level. Obviously, the connection between corporate goals, brand value and risk is very real.
Supplier Risk Is Everywhere … but Where?
For one thing, more internal players are getting involved in the supplier lifecycle. This is a good thing in one way: more eyes and attention on the function increase oversight and decrease the likelihood of invisible risk creeping in. But having more cooks also makes everything more complex – you’ll wonder who’s doing what, when issues are being addressed and who has ownership. Finding the right balance is absolutely about collaboration and integrated, shared data. Like we always say, you can’t manage what you can’t see, so a single source of data and interconnected workflows ensure all parties have access to the same data at the same time.
According to the Federal Reserve, financial institutions outsource everything from traditional core processing and information technology services, to operational activities such as accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management and procurement. Add to that the increase in products, services and delivery channels requiring third-party vendors and/or their technology services, and that leaves a lot of potential openings for risk to creep in.
What’s in Your Wallet? Risk.
According to McKinsey, the largest U.S. banks can have up to 50,000 suppliers (by comparison, Carillion, a U.K. construction firm that went into liquidation, had 30,000). That level of oversight requires the most sophisticated supplier management technology. But even if your supplier and vendor base is not nearly that extensive, managing it still depends a lot on the amount of resources you have available. In our experience, companies at or approaching the $1 billion revenue level have many of the same issues as much bigger firms, but only a fraction of the headcount and budget. This is where technology really finds its sweet spot.
Third-party risk enters a company and grows in several ways. Because it can come through the front door during supplier onboarding, a supplier management solution that links onboarding – certification, verification and vetting – with contract management helps to mitigate or even eliminate this. But that’s only part of the problem. Through mergers, sales, growth, etc., it is not uncommon to have several supplier data sources throughout an organization. This leads to duplicate – and often competing – information, and a missed opportunity to triangulate it, because different departments are looking at different sources. The integrated data mentioned earlier is what alleviates this, because everyone is looking at the same information at the same time. The gate is simple: until a supplier’s verification is complete, a contract can’t be executed; without a contract, that supplier can’t bring in any business – or any risk.
A “third party” can be a supplier, vendor, service provider, distributor, reseller, contractor, business associate, partner, agent or foreign-based affiliate, and how each is assessed can differ considerably. According to PayStream Advisors, a research and advisory firm focused on business process automation, the most common way a supplier damages a buyer’s standing is when the buying organization does not properly vet and validate suppliers. What’s more, even if the supplier has provided incorrect or legally invalid information, or acts out of compliance with the law in some way, the buyer is still responsible for having engaged with that supplier.
Know Your Suppliers, the Risks and Your Options
Whether you plan to be GDPR compliant or not by the go-live date of May 25, 2018 (estimates show 80% of organizations won’t be ready and 50% are actively ignoring it), it’s always a good time to do a supplier risk review. Start by understanding where your supplier data is being kept – all the certifications and verifications, licenses, etc. – and then figure out where duplication lies. Determine which suppliers are your most critical, making sure to involve all the relevant stakeholders; as mentioned above, supplier management now involves many more departments, so this is highly likely to include multiple business owners with competing goals and needs. Concentrate on the specific risks that apply to the products or services those suppliers provide. Then expand out from there.
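The two steps above that are most mechanical – finding the same supplier recorded in several internal sources with competing information, and refusing to execute a contract until verification is complete – can be shown as a small script. The following is an added example written for this page, not code from the original article or from Determine. The supplier records, the source names, the verification labels and the criticality tiers are all constructed for illustration; a real review would pull them from the SIM/SRM/SRPM system of record.

```python
"""Added example (not from the original article): triangulate supplier records
held by several departments, flag duplicates whose fields disagree, and gate
contract execution on a complete set of verifications for the supplier's tier.
Every record, source name and verification label below is constructed."""
import re

# Constructed sample: three departmental sources with overlapping supplier data.
SOURCES = {
    "procurement": [
        {"name": "Acme Data Services, Inc.", "tax_id": "12-3456789", "country": "US",
         "verifications": {"sanctions_screen", "insurance_cert", "soc2_report"}},
        {"name": "Globex Appraisal Ltd", "tax_id": "GB123456789", "country": "GB",
         "verifications": {"sanctions_screen"}},
    ],
    "accounts_payable": [
        {"name": "ACME DATA SERVICES INC", "tax_id": "123456789", "country": "US",
         "verifications": {"w9_on_file"}},
        {"name": "Initech Staffing", "tax_id": "98-7654321", "country": "CA",
         "verifications": {"sanctions_screen", "insurance_cert"}},
    ],
    "it_vendor_mgmt": [
        {"name": "Acme Data Services", "tax_id": "12-3456789", "country": "GB",
         "verifications": {"soc2_report", "pen_test_report"}},
    ],
}

# Assumed policy for this example: which verifications each tier needs before signing.
REQUIRED_BY_TIER = {
    "critical": {"sanctions_screen", "insurance_cert", "soc2_report", "pen_test_report"},
    "standard": {"sanctions_screen", "insurance_cert"},
}

# Assumed stakeholder decision on criticality, keyed by normalized tax ID.
CRITICALITY = {"123456789": "critical", "GB123456789": "standard", "987654321": "standard"}

LEGAL_SUFFIXES = {"inc", "incorporated", "ltd", "limited", "llc", "corp", "co", "plc"}


def normalize_tax_id(tax_id):
    """Drop separators and case so '12-3456789' and '123456789' match."""
    return re.sub(r"[^0-9A-Z]", "", tax_id.upper())


def normalize_name(name):
    """Lowercase, strip punctuation and legal suffixes so formatting differences
    between departments do not look like a real naming conflict."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def merge_suppliers(sources):
    """Group records by normalized tax ID, union their verifications, and record
    which fields genuinely disagree between sources (competing information)."""
    merged = {}
    for source, records in sources.items():
        for rec in records:
            key = normalize_tax_id(rec["tax_id"])
            entry = merged.setdefault(key, {"sources": [], "names": set(),
                                            "countries": set(), "verifications": set(),
                                            "conflicts": set()})
            entry["sources"].append(source)
            entry["names"].add(normalize_name(rec["name"]))
            entry["countries"].add(rec["country"])
            entry["verifications"] |= set(rec["verifications"])
    for entry in merged.values():
        if len(entry["names"]) > 1:
            entry["conflicts"].add("name")
        if len(entry["countries"]) > 1:
            entry["conflicts"].add("country")
    return merged


def contract_gate(entry, tier):
    """Return (allowed, missing): a contract may execute only when every required
    verification is present somewhere across the sources and no field conflicts."""
    missing = sorted(REQUIRED_BY_TIER[tier] - entry["verifications"])
    allowed = not missing and not entry["conflicts"]
    return allowed, missing


def run_review(sources, criticality):
    """One row per distinct supplier: how many sources hold it, what conflicts,
    and whether the contract gate is open for its assigned tier."""
    rows = []
    for key, entry in merge_suppliers(sources).items():
        tier = criticality.get(key, "standard")  # unassigned suppliers default to standard
        allowed, missing = contract_gate(entry, tier)
        rows.append({"tax_id": key, "tier": tier, "copies": len(entry["sources"]),
                     "conflicts": sorted(entry["conflicts"]),
                     "contract_allowed": allowed, "missing": missing})
    return rows


if __name__ == "__main__":
    for row in run_review(SOURCES, CRITICALITY):
        print(row)
```

In the constructed data, Acme appears in all three sources under three spellings; the name normalization collapses those, but the country disagreement (US in two sources, GB in the third) is a real conflict, so the gate stays closed even though the union of verifications is complete. Globex is held once but lacks a required certificate, and only Initech clears the gate. The point of the union is the triangulation the text describes: no single department held Acme's full verification set, but together they did.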
Patrick Stakenas is President/CEO and Director for Determine. He can be reached at email@example.com.