Optimizing supplier oversight with risk intelligence

As organizations across industries continue to outsource with product and service providers there are increasing contractual obligations, regulatory requirements, financial and reputation risks the customer (i.e., your organization) has in managing these expectations. Embedded within your supply chain management (SCM) value chain are risk management activities to ensure the appropriate governance of your supplier portfolio, whether focused on performance, the exchange of protected information, or geomonitoring of events. One critical tool in your “toolbox” is the use of supplier risk intelligence to help you answer a key fundamental question:

How are my suppliers behaving outside the four walls of my organization?

What does that mean and why should I care as long as my suppliers are executing on our organization’s expectations. Well, let’s first consider those potential activities you want to be aware of with your most strategic suppliers such as:

• Recent privacy/cyber data breaches (i.e., root cause, data exposed, number impacted, etc)
• Litigation/bankruptcies/regulatory action
• M&A—acquired or being acquired
• New business alliances, products and markets
• Labor issues—strikes, layoffs, hiring freezes, etc
• New locations to support what specific services
• Leadership/management changes
• 8K filings

Analyzing supplier risk outside your organization is critical as both a competitive advantage and risk management practice that should be integrated early on in procurement due diligence to identify areas of concern prior to finalizing contracts. For example, in a finalist selection, risk intelligence confirms a respected BPO telephonic service provider is being acquired by a private equity firm known for right-sizing suppliers and reselling them for a significant profit. In this use case, your organization may find this information critical since this BPO will be a strategic partner in managing escalated customer calls with significant volumes. Your concerns could include whether the acquiring private equity firm reduces operating costs that impact response times, degrade infrastructure, or minimizes innovation—all impacting performance. 

Supplier risk intelligence can also be a part of your SCM oversight or third-party risk management program with the monitoring of external risk intelligence starting with your most critical or strategic suppliers. For example, a supplier that provides claims processing services to an organization that recently experienced a data privacy breach impacting one of their other clients. Becoming aware of this intelligence is time sensitive and relevant to your business to determine if your organization was also impacted by your supplier’s breach since there are regulatory (i.e., CCPR, GDPR, state breach notification laws, etc.) and customer contractual notification requirements you’ll need to comply with in breach matters.

In addition, you may have other questions for your supplier including regulatory action, mitigation plans and impact to performance. As a result of becoming aware of this intel, cybersecurity, privacy and legal teams should be engaged to assess this event along with potential breach of contract issues.

Keep in mind these risk intelligence capabilities can be leveraged to monitor geolocations where your suppliers are providing products or services to your organization, 4th parties/subcontractors and other potential surface areas of risk. Likewise, intelligence monitoring doesn’t have to be for adverse news but also for opportunistic information about your suppliers to include new business alliances, innovative services and markets they’re entering as well.  Such information may be very helpful to procurement and business owners. 

Standing up a supplier risk intelligence program can range from using basic open-source information or public data to contracting with a service provider. There are a number of offices of civil rights’ breach, SEC filing and various industry websites. Other tools available to you at no cost are leveraging Google alerts where you can establish individual alerts for each of your strategic suppliers and receive a daily or weekly recap based on current web news sent to a predetermined email. Likewise, with the increased use of artificial intelligence (AI), you can easily design an intelligence gathering tool to execute daily scans of specific suppliers focused on adverse news (i.e., breaches, litigation, regulatory action, etc.) and recap it almost immediately. You can set perimeters around the type of news, timeframe, and other considerations. Finally, there are a number of reputable intel service providers who specialize in monitoring suppliers, identifying valued insights and scrubbing such information prior to sharing.

Finally, one important consideration when your organization implements a supplier intelligence program is to ensure there is a defined framework to manage the program to include a controlled manner of who will be receiving news insights on your suppliers, how this information will be triaged and verified and which stakeholders (i.e., legal, procurement, cyber, privacy, ops, etc) will be engaged in taking action. Without this framework, intel that is received may not be assessed appropriately or creating an unnecessary flurry of emails and concern. 

Remember, understand what’s important to your organization by defining an intel profile of adverse topics, when identified, assess, validate and if need be, engage your supplier.

About the author:

Steven Adler is a partner with The Edmund Group, a third-party risk management advisory firm. Along with his 20 years of healthcare risk management, business process outsourcing and strategic experience, Steve partners with clients to address their supplier governance, regulatory response and litigation needs.

SC
MR