Vendor Risk Management has come a long way from running a credit reference report at the start of a market approach or contract negotiation.
Enterprise-wide Vendor Risk Management, driven in part by regulatory provisions such as the oversight and control requirements for material outsourcing in Chapter 8.1 in the FCA handbook, now needs to ensure a holistic and consistent approach across the full breadth of an organisation. Vendor risk management is best served through the implementation of a comprehensive governance framework, which at its core ensures vendors are appropriately supervised and risks effectively managed and mitigated at all times.
So where does an organisation’s focus for vendor governance need to be?
Firstly, it is critical to understand not just who your suppliers are, but also their criticality to the organisation. Mapping this, and the associated risk posed by their services, supports a tiering system which in turn supports the application of appropriate and relevant governance. Some organisations have developed their own or implemented third-party tooling to support this process, often in line with wider business operational risk frameworks – however, this is only part of the process. Organisations must also ensure this capability is continually applied to ever-changing vendor relationships and supply chain landscapes.
The process for consistent application of the governance framework should include all relevant business functions, including Procurement, Risk and Compliance functions, and be well documented and easy for anyone within the organisation to access. Each process, which could include the form and requirements for a sourcing recommendation to be approved, or the tracking of a monthly risk and issues log, should be recorded and able to be evidenced on request - covering the lifespan of the relationship (and be in line with the organisations Records Retention policies).
The core details and agreements made between the organisation and the vendor must be codified in a contract – one which is kept updated as the relationship with the business progresses. Organisations should ensure they have a centralised repository where all such documents are stored, and which can easily be accessed by the relevant stakeholders. Good discipline is also vital – make sure the agreements are signed and dated!
Finally, and critically, good governance must extend across the lifecycle of a supplier relationship. It should be clear as to what governance tasks are required, and the frequency to which they should be replied. Such governance should cover all aspects of the relationship – from strategy to operations, service delivery to finances.
The development of a comprehensive vendor governance framework takes time to develop, and even more to roll-out across an organisation. Organisations then have the following considerations:
1) Are the processes being continually applied, when they need to be? How can central control functions ensure this is happening?
2) How can organisations evidence this back to their internal auditors and, ultimately, regulators?
These issues are exacerbated where organisations have federated business models or significant geographic or functional diversity. Add to this the compilation of the required evidence via manual and inefficient processes and ensuring effective implementation in this critical field can prove extremely difficult.
It is these challenges that prompted TORI to implement its ControlNet technology – with the flexibility to build any Supplier Governance model into its Cloud-based, intuitive interface to schedule and track all the required elements.
- Captures all required activities across the governance framework
- Schedules tasks to ensure they are undertaken at the required frequency
- Requires the action owners to positively attest that the activities have happened (driving greater adherence, and ensuring the completeness and quality of the outputs are at the right level)
- Captures all evidence submitted, providing a central repository for easy retrieval and playback to regulators
- Provides one, easy to update, centralised tool, reducing complexity and removing consolidation issues from spreadsheet-based activities.
For further details on the solution, get in touch.