The 3rd-party risk management hazards that are costing your business

Previously, we have touched on the broad landscape of third-party risk management in the context of subcontractor-dependent industries. Now let’s zoom in on the specific “risk buckets” to see where the potential leaks are.

Treating all vendors equally may not always be the best

When it comes to third-party risk management, organisations need to consider the past to best inform the future and adjust the current when needed.

Not all suppliers are of equal risk to a business, so should the treatment be the same across the board? (Note that is different from the topic of equal opportunities).

Many organisations use a Value/Risk matrix to segment their supplier base and determine the appropriate level of assessment. Another similar one is the Kraljic matrix.

The value/risk matrix. Source: Queensland Government

Based on this logic, it is both inefficient and risky to use the same prequalification questionnaire for a cleaner and an excavating subcontractor.

There are even further supplier segmentation strategies that organisations are either not applying, or not applying simultaneously (e.g. based on performance rating, item/service type, supplier industry etc.)

A lack of differentiation in how vendors are managed throughout the relationship cycle (before-during-after engagement) leaves organisations exposed to operational, financial and reputation risks.

Before the engagement: Vendor prequalification

Consider this news story: Australian Defence Department awarded a contract to a US firm blacklisted by the US government for bribing American Air Force officials.

Even though it was a low-value contract by Defence’ standard, the lack of knowledge raised some questions around risk management practices of the department. 

Due diligence in vendor assessment is crucial, yet even a highly regulated department made the mistake of not checking the publicly available list of blacklisted companies.

Similar to the finance industry’s “Know Your Customer,” “Know Your Supplier” is increasingly critical. That means maintaining sufficient breadth and depth of data on your suppliers, such as the details of a company’s directors, especially for suppliers that you class as high-risk.

Many organisations choose to do intensive vendor prequalification in advance and use a panel arrangement to capitalise on savings.

Although carrying out a robust prequalification process is necessary, information is constantly expiring and being edited, which creates risks throughout the vendor selection phase:

• A supplier’s compliance document has lapsed just before the sourcing process and there’s no visibility
• Under-resourced contractors being selected (market conditions: low margins, high input costs forcing contractors to bid low or tender for work exceeding their current capacity)
• Previously under-performing contractors being selected (performance review poorly executed or out of date)
• Poor supplier prequalification or onboarding questionnaires that do not provide enough information on key risk areas, hence the need for standardised prequalification

 
As the supplier approval process can require input from multiple stakeholders, information silos often emerge. If the operations team has no visibility into the supplier’s latest status, they risk engaging a non-compliant vendor, either from a legal or performance standpoint. 

During the engagement: Contract monitoring

The ball does not stop rolling once contracts are awarded. A survey by World Commerce & Contracting (formerly IACCM) indicated that the average cost of poor contract management is 9.2% of an organisation's annual income - and even up to 15% of the contract value for large capital projects.

Moreover, due to the sheer and increasing volume of outsourced work and/or limited internal capacity, many organisations can lose track of key terms or milestones within vendor agreements.

Out-of-date, rolling contracts, missed delivery dates, “verbal agreements” and so on can result in value leakage, which KPMG estimated to be typically around 17-40% of a contract’s value. Looking at a total cost of ownership perspective, poor supplier performance can result in significant indirect costs of 10-20% (McKinsey).

While the issue of contract setup deserves a whole book in itself, it is worth stressing that vendor management is not a “solitary, arbitrary, or one-off process.” Hence, after the painstaking process of drafting and executing the contract, an organisation may still be exposed to risk if:

• There is no ongoing contract performance monitoring
• Contract KPIs are ill-defined
• There is no shared visibility of progress between the organisation and its suppliers
• There are no clear incentives or timely corrective measures to improve performance
• The same performance management process is used for all kinds of suppliers
• There is a lack of collaboration between procurement, legal and operations

After the engagement: Evaluation and beyond

Once a contract or engagement is done and dusted, what happens to vendor performance data? One or a combination of the following scenarios typically develop:

• There is no performance data due to no clear mandate or mechanism to collect it
• The data exists but is not accessible to all relevant stakeholders
• Performance is not evaluated properly: poor questionnaire design, or performance review is not done frequently enough or in a timely fashion
• The evaluation is delayed, meaning the information submitted has decayed over time. This delay impacts the quality and accuracy of review

In the age of data being the “new oil,” no performance data or insufficient performance evaluation = poorly informed decision-making when it comes to the next sourcing event.

The “set and forget” approach to sourcing is rather risky, with no continuous feedback loop between sourcing and supplier relationship management. 

Moreover, how performance information is recorded also impacts how useful the data is. It is not uncommon for organisations to use spreadsheets to house performance scorecards. It gets more complex as the spreadsheet grows across different suppliers and time, or different performance reports link to certain spreadsheets that are not updated and so on.

An example of a performance scorecard using spreadsheets

A long hard look at risk management practices

With so much still going on in the world and added cost pressure, it can be hard to ensure you’re following best practices in all areas of enterprise risk management.

However, it shouldn’t take another pandemic to realise the importance of getting it right. That’s why with our recent research report, we are also providing benchmarking data for current risk management practices, as well as levels of risk awareness within the industry.  

It’s specifically relevant for those who rely heavily on services focused supply chains, often with a high concentration of high-risk subcontractors.