Emerging Tech and the Spike In Vendor Risk

Emerging technologies that employees can self-provision create havoc on risk management and have shot vendor risk to the top of the list of issues facing sourcing and vendor management professionals. Forrester has been discussing vendor-related risk with clients for years, particularly in its Sourcing & Vendor Management Council group where, last Fall, our members discussed the role of sourcing and vendor management in the era of what we call Technology Populism. Forrester defines this as an adoption trend led by a technology-native workforce that self-provisions collaborative tools, information sources, and human networks — requiring minimal or no ongoing support from a central IT organization.

So what’s the big deal now? Vendor risks have always existed, and sourcing and vendor management teams are becoming more sophisticated in their understanding of risk management. The big deal is that the sheer number of emerging vendors is going to tax already weak vendor management processes, opening firms to potentially large dangers. Key vendor-related challenges include:

  • An influx of new, emerging, startup vendors that employees source directly. What kind of risk management issues do self-provisioned technologies cause? For example, an employee can sign up for an online data backup service and then decide to put important corporate files there. More than likely the employee did not closely read the terms of use they agreed to, and has no insight into where the backup service provider stores the data. Depending on what information the employee sent to the backup service, the firm could have violated European data protection rules, which restrict transfers of personal data outside the European Economic Area. Now multiply this scenario across the number of employees with a credit card, and the unmanaged vendor population becomes a crisis point.
  • The difficulty of applying risk models to emerging players. Most sourcing and vendor management teams have some standard of financial stability that they apply. However, what constitutes a “stable” startup? If the team is not willing to create a startup-friendly version of its stability clause, then enterprise architects and others will likely go around sourcing and vendor management to get access to the emerging technologies they want.
  • A double-edged sword: impose your own standards on emerging players. In many cases, emerging vendors lack the sophisticated enterprise-class security, disaster recovery, and compliance processes that large clients possess. So it would seem simple enough to ask the vendor to use the client’s preferred processes in these areas. However, one manufacturing firm told Forrester that “Startups don’t have the security provisions we need. They’re willing to adopt what we want, but our lawyers say that we could potentially be liable if the vendor’s security fails because in essence we acted as their consultants on the matter.” This prevents many firms from simply requiring emerging vendors to match their internal requirements — and prevents startups from properly addressing the client’s concerns.
  • The “spend equals importance” equation is waning. Vendor management offices tend to have between two and 10 people — yet many sourcing and vendor management executives within large firms tell us they deal with more than 400 vendors! As a result, vendor managers can only focus on the most important vendors. In many situations, they define “importance” as the amount of money they spend with the vendor and the criticality of the product/service provided. However, as firms evaluate emerging technologies and bring in new “as-a-service” offerings, the link between spend and importance is weakening: a $2,000-a-year backup service holding customer records can matter more than a six-figure office-supplies contract. More sophisticated firms are beginning to use “access to sensitive data” as a key criterion for inclusion on the list of important vendors, but given the flow of data across multiple as-a-service offerings, that list grows quickly.

While deal-specific risk mitigation should already be part of every sourcing and vendor management team’s approach, expanding to a broader vendor risk management approach requires the team to reach out and build internal relationships and processes with colleagues in finance, enterprise risk, internal audit, and security. Risk professionals in particular can help you establish a formal vendor risk management program using existing risk management processes, taxonomies, tools, and other resources. More specifically, Forrester recommends that you:

  1. Determine the impact of emerging vendors on each corporate risk. Strategic sourcing and vendor management teams will work with their CFOs, risk managers, and auditors to understand the firm’s overall risk profile and how emerging vendors may affect each corporate risk.
  2. Re-assess your risk profile to allow for emerging vendors and startups. Sourcing and vendor management should work with security and finance to decide where the firm can tolerate more risk than currently allowed, and where the risk tolerance isn’t movable.
  3. Craft a formal process to track vendor viability across financial and technological factors. This will help determine which vendors to place strategic bets on as long-term suppliers.
  4. Begin documenting the proper controls to mitigate each vendor-related risk. Take a step-by-step approach to each risk, asking questions like “what controls can we put in place to mitigate this risk?” Then build those controls into the vendor governance process and into contracts as they come up for renewal.
  5. Build a risk plan that outlines each trigger event and the resulting action you will take. A trigger event is an observable signal that a monitored risk is materializing, not the loss itself. For example, if the SVM team is monitoring the risk that the vendor becomes financially unstable, a trigger event could be “vendor loses one of its top five customers.” The actions taken must match the severity of the trigger event: if the event was “vendor failed ad hoc disaster recovery test twice,” the action would be similarly severe, such as “create RFI and distribute to potential substitute vendors.”
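The two ideas above that can be made concrete are the shift from spend-based to data-access-based vendor prioritization (the “spend equals importance” point) and the trigger-event risk plan in step 5. The following is an added illustration, not Forrester’s model or any firm’s actual program: it scores a constructed three-vendor inventory both ways and maps observed trigger events to severity-matched actions. Every vendor, threshold, data class, event name and action below is assumed for the example.

```python
"""Vendor tiering and trigger-event risk plan (added example, not Forrester's).

Scores a toy vendor inventory two ways: by spend alone (the legacy
"spend equals importance" rule) and by a rule that also weighs criticality
and access to sensitive data. Then maps observed trigger events to actions
whose severity matches the event. All data below is constructed.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Vendor:
    name: str
    annual_spend: float                 # USD per year (constructed)
    criticality: int                    # 1 = convenience, 3 = business-critical
    data_classes: frozenset = frozenset()       # e.g. {"pii", "financial"}
    events: list = field(default_factory=list)  # trigger events observed


# Data classes that make a vendor important regardless of spend (assumed).
SENSITIVE = frozenset({"pii", "financial", "source_code", "credentials"})

# Risk plan: trigger event -> (severity, action). The action is chosen to
# match the severity of the trigger, as the article recommends. Constructed.
RISK_PLAN = {
    "lost top-five customer": (Severity.MEDIUM, "request updated financials; shorten renewal term"),
    "failed DR test once": (Severity.MEDIUM, "require remediation plan within 30 days"),
    "failed DR test twice": (Severity.HIGH, "create RFI and distribute to substitute vendors"),
    "security questionnaire overdue": (Severity.LOW, "escalate to vendor account manager"),
    "unreported subprocessor outside EEA": (Severity.HIGH, "suspend transfers of personal data pending legal review"),
}


def legacy_important(vendors, top_n=2):
    """Legacy rule: the top-N vendors by spend are the important ones."""
    ranked = sorted(vendors, key=lambda v: v.annual_spend, reverse=True)
    return [v.name for v in ranked[:top_n]]


def tier(vendor):
    """Tier 1 = business-critical or touches sensitive data; tier 2 = moderate; tier 3 = rest."""
    if vendor.criticality == 3 or vendor.data_classes & SENSITIVE:
        return 1
    if vendor.criticality == 2 or vendor.annual_spend >= 100_000:
        return 2
    return 3


def important(vendors):
    """Data-aware rule: every tier-1 vendor is important, whatever its spend."""
    return [v.name for v in vendors if tier(v) == 1]


def planned_actions(vendor):
    """Map a vendor's observed trigger events to actions, most severe first.

    Events missing from the plan come back with a visible placeholder rather
    than being dropped, so gaps in the risk plan surface during review.
    """
    out = []
    for ev in vendor.events:
        sev, action = RISK_PLAN.get(ev, (Severity.LOW, "no action defined; add to risk plan"))
        out.append((sev, ev, action))
    return sorted(out, key=lambda t: t[0], reverse=True)


# Constructed inventory: a big-spend ERP vendor, an office-supplies vendor
# with sizeable spend but no data access, and a self-provisioned backup SaaS
# bought on a credit card that now holds customer PII.
INVENTORY = [
    Vendor("erp-vendor", 2_500_000, 3, frozenset({"financial"})),
    Vendor("office-supplies", 400_000, 1),
    Vendor("backup-saas", 1_800, 2, frozenset({"pii"}),
           events=["failed DR test twice", "unreported subprocessor outside EEA",
                   "security questionnaire overdue"]),
]

if __name__ == "__main__":
    print("legacy important:", legacy_important(INVENTORY))
    print("data-aware important:", important(INVENTORY))
    for sev, ev, action in planned_actions(INVENTORY[2]):
        print(f"  [{sev.name}] {ev} -> {action}")
```

Run stand-alone, the spend-only rule lists the ERP and office-supplies vendors while the data-aware rule drops office supplies and picks up the $1,800 backup service, which is exactly the vendor whose trigger events carry the high-severity actions. In a real program the data classes would come from a data inventory and the events from monitoring feeds, not from literals.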

Emerging technologies have the potential to transform how companies operate and interact with customers. But that potential comes with new – and increased – vendor risks. Get ahead of those challenges by assessing your current risk profile, prioritizing the vendors in your portfolio, and then adapting your risk management techniques to the unique challenges of emerging technology vendors.

Christine Ferrusi Ross is a vice president at Forrester Research, where she heads up its Sourcing & Vendor Management Council, an exclusive community of leading executives globally.