How Mid-Markets Can Get Started with Vendor Risk Management

Ahmad Sadeddin
Director of Product Management, Coupa Software

Ahmad has launched new products, scaled existing products, and helped turn around struggling ones. In addition, he has worked on a couple of acquisition technology integrations.


When you're a small company, vendor risk sits near the bottom of the hierarchy of risks, and vendor risk management isn't a priority. Once you're a mid-market company, there’s a growing awareness that vendor risk needs to be managed. Brand reputation, competitive advantage, and company finances are all at stake. You may not have a lot of vendors, but some are quite critical, and they may or may not be the right vendors to work with as you grow. More due diligence is needed. Yet many companies struggle to get started with a formalized vendor risk management program and with implementing vendor management software. It seems like a daunting undertaking.

Build a New Habit

The good news is that new technology can make it much easier to automate and scale a vendor risk management program. What it can’t do is create a culture of vendor risk management. That requires internal change. The most important thing mid-market companies can do to get a supplier risk management program off the ground is to start getting in the habit of screening suppliers while they're onboarding, and reviewing them periodically.

Before you worry about technology, or optimization, or creating a full-blown governance, risk and compliance (GRC) function, start by putting together a very basic risk committee with the CPO, the CFO, and maybe the CEO, that comes together once a quarter to talk about what’s happening with your vendors.

This group can lead development of a basic internal governance, risk, and compliance policy. Then start in the simplest way possible: Talk to your most critical vendors, and collect key information related to their business and policies, even if you have to do it manually at first.

All the Right Reasons

This is part of growing up as a company, and something that has to happen on the road to becoming an enterprise. The reasons to mobilize are many: As you attract larger customers, they will want details about your vendors for web hosting and cyber security, for example, because their own policies require them to make sure their information is safe. These days, they may also want to know if your products and services are ethically and sustainably sourced, among other things.

As you grow, your company may become subject to certain government regulations that apply to bigger companies. Perhaps you want to offer a product, or serve a market, such as healthcare or government, where there are more regulations. Your board may demand you start a vendor risk management program, because they want to make sure the company stays stable, and they don’t want to be liable for any vendor issues. Finally, if you’re planning to become a publicly traded company, you’ll have auditors requiring it.

Those are all good reasons to get started. The worst reason is because you’ve already had something bad happen with a vendor. Don’t wait for that to happen.

Bringing in More Data

Besides talking to vendors and collecting information, most companies also start out by getting financial reports on their vendors from credit agencies. That’s a good next step, but what a lot of companies do with that information is they check the box, give the vendor a pass, and then they move on. That’s where a lot of these programs fail, even in large enterprises with well-established programs, because risk management has to be an ongoing effort.

The nature of risk is that it is many-faceted and always changing. If you don't do follow-up and monitor constantly, then you’re still at risk. For example, General Motors was recently left scrambling when a major, just-in-time parts supplier they had done business with for over 45 years suddenly shut its doors. Somehow, their troubled financial condition slipped through a crack in the system. Once you collect the information, you need to keep checking back, doing quarterly assessments on your vendors.

Optimizing the Program

You can see how this gets to be a lot of work. If you’re a mid-market company with two or three thousand suppliers, even if you just want to do risk management for the top ten percent of your suppliers, that’s a lot of labor hours.

Formalizing the department is expensive. Buying credit reports is expensive. Buying a solution to hold all your data is expensive. Following up with auditors is expensive. And even with all of those pieces in place, there is still a lot of inefficiency in the process. This is where modern technology can help.

In addition to continuous monitoring, to do risk management right, you have to be able to take probability and severity into account. What is the probability of something happening, and how severe will the impact to your business be if it does happen? External data such as credit reports, weather data, legal data, and social media can help you get at probability, but not severity.

You have to tie external data together with your internal spending data to understand the severity of risk for a particular vendor. That takes a lot of analysis, delaying decision making. Even in relatively mature risk management programs, it’s not uncommon for the analysis to be out of date by the time it’s finished, or for no decision to be made.

With cloud technology and artificial intelligence, we can pull together all the relevant data sources, analyze the data in real time, offer prescriptive recommendations and automate regular follow up.
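To make the probability-versus-severity point concrete, here is an added example (not Coupa's code or any product's logic): it scores constructed vendor records with a likelihood taken only from an external credit-style score and an impact taken from internal spend share, restricts review to the top share of vendors by spend, ranks them by combined risk, and flags any assessment older than a quarter. The 0-100 credit scale, the spend-share impact model, the single-source multiplier and the sample vendors are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

QUARTER_DAYS = 91  # an assessment older than a quarter is due for follow-up
AS_OF = date(2024, 4, 1)  # constructed "today" for the sample run

@dataclass
class Vendor:
    name: str
    annual_spend: float   # internal spend data (severity side)
    credit_score: int     # external credit-style score 0-100 (probability side); assumed scale
    single_source: bool   # no qualified alternate supplier
    last_assessed: date

def probability(v: Vendor) -> float:
    """Likelihood of disruption from external data only: weaker credit, higher probability."""
    return round(1 - v.credit_score / 100, 2)

def severity(v: Vendor, total_spend: float) -> float:
    """Impact from internal spend share; single-sourced vendors count double, capped at 1."""
    share = v.annual_spend / total_spend
    return min(1.0, share * (2 if v.single_source else 1))

def risk_score(v: Vendor, total_spend: float) -> float:
    return round(probability(v) * severity(v, total_spend), 4)

def review_plan(vendors, today: date, critical_share: float = 0.10):
    """Keep the top share of vendors by spend, rank them by risk, flag stale assessments.
    Returns (name, risk_score, needs_reassessment) tuples, highest risk first."""
    total = sum(v.annual_spend for v in vendors)
    n = max(1, round(len(vendors) * critical_share))
    critical = sorted(vendors, key=lambda v: v.annual_spend, reverse=True)[:n]
    ranked = sorted(critical, key=lambda v: risk_score(v, total), reverse=True)
    return [(v.name, risk_score(v, total), (today - v.last_assessed).days > QUARTER_DAYS)
            for v in ranked]

# Constructed sample vendors: names, spend, scores and dates are made up for illustration.
SAMPLE = [
    Vendor("Acme Hosting", 900_000, 80, True, date(2023, 11, 1)),
    Vendor("Beta Parts", 600_000, 35, True, date(2024, 1, 15)),
    Vendor("Gamma Legal", 300_000, 90, False, date(2024, 3, 1)),
    Vendor("Delta Logistics", 150_000, 50, False, date(2023, 6, 1)),
    Vendor("Epsilon Office", 40_000, 70, False, date(2024, 2, 1)),
    Vendor("Zeta Catering", 10_000, 20, False, date(2024, 2, 1)),
]

if __name__ == "__main__":
    # Six sample vendors, so a 50% cut keeps three; a real program would use the top ten percent.
    for name, score, stale in review_plan(SAMPLE, AS_OF, critical_share=0.5):
        print(f"{name:16} risk={score:<6} reassess={'yes' if stale else 'no'}")
```

Zeta Catering has the weakest credit score in the sample, yet its tiny spend keeps it off the review list, while Beta Parts (weak credit, large single-sourced spend) ranks first; that is the gap that external data alone leaves.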

Building Resiliency

Mid-market companies face so many pressures as they grow. You can ill afford to ignore vendor risk management and supply chain resiliency, but putting together a scalable program can be overwhelming.

No longer do you have to choose between leaving your company exposed to risk and creating a whole new department. You can start out small, making it as simple and manageable as possible. Once the habit is built, focus on optimization. You don’t have to continue to do all of this manually. Automation is going to save you time, energy, and cost. That's what systems do. But they're not going to build that habit for you.

It's like playing an instrument. You’re not going to start by playing Beethoven’s 5th Symphony in C minor on a Stradivarius. You have to practice all the time, and work up to it. It's the same thing with managing vendor risk. It can be hard to layer vendor risk management into established business processes, so you have to spend time developing that habit. It’s time well spent because you’ll be building a more resilient business in the process. The most important thing is to get started.