Vendor risk management in subcontractor-dependent industries such as construction has re-entered the scene as a hot topic. The increasing burden of compliance requirements, cost pressure and project magnitude have pushed some to be “building in the dark”.
It is in the industry’s best interest to build back better, given the recent calls for change across different bodies, such as Infrastructure Australia’s Market Capacity report, or ACA’s response to the 2021 Australian Infrastructure Plan.
In this article, we’ll take a more micro approach and see how organisations can get started in giving third-party risk management the focus it deserves.
It starts at the top
Executive buy-in and direction is more important than ever, especially when it is increasingly clear that third-party risk management is an enterprise-wide endeavour.
Naturally, there are already various risk domain owners within an organisation. Taking a holistic approach to third-party risk management means uniting these needs and capabilities of different business functions. For instance:
- Legal and Compliance (L&C) has been dealing with risks from a reputational and financial perspective, whereas procurement tends to look at risks from an operational perspective.
- L&C has the theoretical expertise and experience with crafting policies and ensuring regulatory alignment, whereas procurement has the practical expertise, people, processes and tools that can be the infrastructure for L&C’s framework.
And who is in a better position to call for unity across the organisation? Top level executives who understand the importance of when to stay in/out of the headlines.
Determining a third-party risk governance framework
As basic as it sounds, risks cannot be mitigated properly without knowing if they are perceived as risks. Hence, executives need to determine the organisation’s risk appetite based on the potential risk areas discussed in previous articles of this series. This means analysing what strategic, operational and financial uncertainty the company is willing to assume.
The next step would be to design a governance structure accordingly. There is no need to reinvent the wheel if there are existing proven frameworks that can be tweaked to your organisation’s needs.
The “three lines of defence” model has become a well-accepted framework for enterprise risk management following the Global Financial Crisis. It has been adapted and applied to various use cases, including project risk management. In this article’s context, the model is applied to third-party risk management.
The “three “Three lines of defence” model adapted to third-party risk management. Source: PwC
This also works well with the hybrid procurement operating model (project-led, centrally enabled), given “who does procurement” does not have to be someone who “works in procurement”.
As the first line of defence, project/vendor managers/department heads at the business-unit level undertake procurement activities such as sourcing and supplier management using standardised tools and processes readily available to them. Guided by policies, they are responsible for their own supplier risk.
The specific functions within the second line of defence vary across industries and sizes with varying job titles, but typically there are:
- Sourcing: a central procurement function that provides expert procurement advice and input into procurement policies
- Subject matter experts: provide subject matter risk management expertise and assist business units in completing vendor risk assessments (e.g. HSEQ, engineer)
- L&C oversees and guides common vendor risk management processes
- Management, oversight, and governance: approve critical suppliers and is ultimately responsible for effective implementation of third-party risk management
The third line of defence provides independent assurance on risk management.
Best practices for third-party risk management
With a governance framework in place, organisations are in a better position to start cleaning existing data and develop a greater understanding of suppliers.
The steps to take include:
- Segment the vendor database based on the degree of risk and value each represents to the organisation. Assign a score after considering other factors (e.g. performance rating, item/service type).
- Systemise / standardise vendor due diligence and onboarding programs: Tailor the depth and frequency of diligence and oversight to match the supplier segmentation identified above
- Establish agreed standards and communication protocols both internally and externally.
- Emphasise a lifecycle approach to managing vendors and associated risks: from planning prior to any interaction; through to due diligence, selection and contracting; ongoing monitoring during the active life of the relationship; and contemplating the eventual termination of the relationship.
Below is an example of a vendor management risk matrix, where organisations use a variety of criteria along the Risk/Value axes to re-categorise their vendor database and implement processes accordingly.
Originally published on the Felix blog