Here are four of the biggest blunders that can cause outsourced service relationships to backfire.
As Donald Trump is quickly finding out, when you outsource business processes you incur risk. And these days there are few companies, if any, that don’t outsource at least some parts of their business. Many farm out critical functions, such as the manufacture of products they ultimately emblazon their names on. (Sometimes in large gold letters.)
Getting a handle on these risks is vital, but not easily done. Large, complex companies can have thousands of third parties and vendors that they do business with. These relationships increase risks, including bribery and corruption, business disruption, reputational damage, and many others.
IT vendors, those that collect customer data, and those that are customer facing are particularly worrisome. Yet identifying the potential troublesome vendors from the perfect partners can be daunting. “There are some situations where you can get into a royal mess with vendors and you wonder, ‘where was internal audit?’” said Ramonde Brangman, national director of CBIZ Risk and Advisory Services.
Speaking at the recent Institute of Internal Auditors General Audit Management conference in Dallas, Brangman compared vendor risk management to considering allowing your children to sleep over at a friend’s house. “You’re putting your precious assets in someone else’s care, so you need to be sure that risks are managed and that they are properly protected,” he said. “I don’t know many organizations that don’t have significant risks around vendor management.”
Brangman identified four central drivers of vendor risk that can lead to business-damaging meltdowns:
- Poor vendor selection: The first question, when risks become threats is who got us into this mess? It may be that someone had an existing relationship, even a personal one, with a vendor that wasn’t a good fit for the business. Another problem is when a vendor wins the business with upfront flash and dazzle, but can’t ultimately fulfill the promises it made. According to Brangman, a poor selection process is often the biggest contributor to unmanageable third-party risk.
- Relationships not monitored: Identifying a good vendor is important, but the work isn’t done. Service level agreements need to be in place and monitored to ensure that the vendor is living up to its side of the bargain. Environments can change, too, and companies can find that a good vendor has turned into one that is fraught with risk. Keep up on changes in finance and management at providers.
- Over-reliance on one vendor. A favorite vendor can take on too much and suddenly the business has concentrated risk in one organization. Relationships can also get too cozy and a company that relies too much on one vendor will find itself in a difficult spot if the performance of that vendor slips.
- Bad contracts. We all know the directive, “get it in writing.” You can’t put too much emphasis on the importance of contracts in vendor risk management. Brangman recommends that nearly all vendor contracts include a right-to-audit clause. He also suggests that legal is approving all contracts. “You have to make sure legal is paying attention,” he said.
To guard against vendor-management risk, Brangman offered some additional advice. Among his suggested risk-management tips was separating the controls an organization uses over the process itself from the controls used to manage risks at particular vendors. He also advocates continuous monitoring. “Make it a sustainable process so you don’t have to go through this exhaustive risk-assessment exercise every year.
One thing he doesn’t suggest is filtering vendors by how much an organization spends with them. “I’ve seen low-spend vendors who are actually handling a critical business process.” And he advises companies to segment vendors by industry and keeps up with the big forces that are impacting those industries. “If you want to understand what is coming down the pike, knowing the industry will help a lot.”
Perhaps, if Trump managed his vendor risks better he would have seen the problem that could arise when outsourcing manufacturing to foreign countries while advocating “Made in America.”