A new operating model
From the April 2022 print edition
Over the last decade, and particularly since the COVID-19 pandemic began, the procurement and supply chain function has evolved from enablement roles to a strategic partner function across most organizations.
The traditional measure of success for procurement and supply chain was always tied to value for money – cost savings, cost avoidance, and labour arbitrage in the BPO/ITO space. That outdated concept has now been replaced by value of ownership, recognizing that the bitter taste of poor quality lasts a lot longer than the sweetness you get from a cheap price.
This new operating model has put significant pressure on the procurement and supply chain function to transform itself in a short time, without impacting business operations in the process. The most successful transformations achieved the desired outcomes by focusing on strategic partnership management, as opposed to a traditional vendor management approach, basing their supplier evaluation criteria on the following areas.
Third-party risk management
The digital transformation that most organizations have undergone since early 2020 was primarily driven not by the CIO, but COVID-19. The pandemic has accelerated the fourth industrial revolution that most organizations were tiptoeing around, before the pandemic pushed them into it.
But with massive changes, we are also exposed to massive risks that, if not mitigated, could have catastrophic consequences. Vendor concentration, fourth-party risk management, information security, business continuity, vendor reputational risk and vendor financial health were check-the-box topics before COVID-19. They are now part of the elevated third-party risk management process that starts at the vendor evaluation and onboarding stage. It is managed through structured, well-defined vendor governance process and continuous risk monitoring.
Balancing vendor concentration with vendor consolidation is tricky as it is not the same for every industry, or even every organization within the same industry. The approach must be guided by the organization’s risk appetite. While it is not favourable to have one vendor perform all or most critical functions for the organization, the benefits of economies of scale are achieved by doing just that. Thus, it is crucial that organizations have a well-defined and communicated risk appetite that will drive scoring of this criterium.
Fourth-party risk management has gained a lot of traction. This implies that, in addition to continuous monitoring of the third-party risk, organizations should also monitor their vendors’ vendors. This requirement alone has put pressure on procurement and vendor management functions, resulting in bigger teams with enterprise risk management skills in addition to sourcing and vendor management skills. Nevertheless, understanding fourth-party risk is an important criterium in the vendor evaluation process.
With the unprecedented reliance on IT vendors, information and cyber security are at the top of the threat scale. Fortunately, there are many InfoSec tools available that can continually monitor data breaches. The best defense remains comprehensive vendor due diligence, including reviews of the independent InfoSec Audits and vendor SOC reports, by the organization’s IT SMEs. Even if the due diligence process checks out, organizations need to have a well-established exit strategy in case of unforeseen circumstances.
Similarly, to the InfoSec and Cyber Security, business continuity moved from the check-the-box exercise to an integral part of the vendor evaluation process. Engaging vendors with an established business continuity plan that is regularly tested and updated is a winning strategy. That’s especially true if the vendor is critical to the organization.
Reputational risk is the hardest one to manage. It is the risk of public impressions, whether true or not, regarding the vendor’s business practices, actions or inactions, that will adversely affect vendor’s earnings, economic value, capital or ability to maintain business relationships. Depending on the type of public impression, organizations might need a plan to disassociate themselves from the impacted vendor. Hence the importance of an exit strategy.
Lastly, vendor financial health is another data point used in the vendor evaluation process to determine vendor’s financial stability. Gathering and monitoring financial information and assessing the financial stability of potential suppliers can reduce financial risk and increase business confidence. Identifying high-risk suppliers drives better fact–based decisions, including where to source from, whether the supplier base needs to be diversified or if the relationships need to be terminated.
An organization’s risk appetite plays a big role in this criterium, as publicly traded versus privately owned companies will have different views on sharing such information. This knowledge should impact decisions and help to mitigate risk and add value to the organization.
Vendor reliability should be viewed from two angles: will contracting this vendor mitigate any business disruption risks, and does the vendor have an efficient operating model with the reputation of being a good strategic partner that meets service level agreements? The answers will only be gotten by doing independent vendor reference checks, connecting to their current customers and/or relying on the professional sourcing network experiences.
Is value achieved with this vendor engagement sustainable in the long run? Did the vendor underprice themselves so they will have no choice but to reduce their overhead to compensate for the difference, resulting in a decrease in quality and customer support? Or is the vendor’s operating model built to withstand time and market turbulence? Does the vendor have an appetite for innovation, and are they open to new products, services or ways of doing business in line with your organization’s innovation roadmap?
For this criterion, the organization must rely on the internal compliance and privacy SMEs to answer the following: will this vendor align to internal policies and governance processes? Are they aligned to the organization’s values and are they in compliance with applicable laws? It’s recommended to include the organization’s standard terms and conditions as part of the competitive sourcing process, asking vendors to sign-off on them or provide their red-line, as part of the evolution process.
To score on this criterion, organizations will either evaluate the vendor product samples (if engaging the vendor for product sourcing) or must rely on the independent reference checks (if engaging the vendor for service or solutions sourcing).
This criterion is probably one of the most delicate ones, as it touches on both the sourcing and the sales targets of the organization: does the vendor have any current or future spend with the organization? Is this vendor replacing another that has the spend with the organization? If so, what is the potential financial impact of the vendor transition? Adding the potential impacts of reciprocity numbers will paint a different picture with a holistic view of the total value of ownership.
Finally, there’s the cost. Arguably, this is last only because it becomes irrelevant if the criteria above have not been satisfied. But if everything else checks out, the pricing negotiations become important as the only tool ensuring cost control. However, this negotiation must result in a win-win outcome, otherwise one party (usually the vendor) will walk away feeling cheated. That will reflect in their deteriorating performance, producing a further domino effect on the organization and its customers.
Today, procurement and supply chain professionals must deliver value across several areas, as opposed to delivering only the lowest cost. This new operating model has transformed the procurement/supply chain function. It calls for an enhanced skills set, tools and resources for vendor and category management/sourcing professionals. That skills set must drive the procurement, supply chain and vendor management strategies and initiatives to create value across the organization, while influencing buying behaviours and processes consistent with policies, strategies and best practices. Gone are the days when “procurement professional” and “buyer” were interchangeable terms.