By Subhashis Nath, Global Senior Partner for Corporate Governance, Axis Risk Consulting (Genpact)
Aligning with regulatory compliance
A new compliance risk is looming, and most businesses are not yet ready for it. With financial services leaders preoccupied with reporting regulations such as Basel III, vendor risk management (VRM) has not been a priority beyond attention to price and quality. That needs to change, and quickly, because the regulators—and the related enforcement bodies—are becoming more aggressive.
Financial decision makers need to understand the need to manage vendors in order to control costs and ensure a high quality of goods and services. A single bad vendor can have a catastrophic impact on a business ecosystem; for example, a defect in one item supplied for an oil rig can result in lasting damage to the oil company, the vendor, the economy, and the environment. Vendor Risk Management (VRM) has become the focus of increasing interest by regulatory agencies and their respective enforcement ecosystem.
Financial services companies are required to set up a robust VRM framework under legislation such as the Dodd–Frank Act. Stiff penalties for non-compliance are only a matter of time, and this new focus on VRM compliance has caught many organizations off guard.
Most companies are unknowingly at high risk of spending inordinate amounts of time in the near future fixing VRM deficiencies instead of addressing business goals, in addition to the damages arising from poor VRM in general.
Businesses need to be prepared for the coming VRM regulatory offensive. Over the next few years, regulators will expect far more robust vendor risk management frameworks and ongoing monitoring of vendors, including proof of vendor oversight, audits, surveys, and close management of all of a company’s thousands of vendors, large and small.
What do companies need to do?
Currently, there is no standard approach to meeting the regulatory requirements for VRM. Companies are developing their own programs, when in fact a cooperative effort to establish a single standard would be beneficial for all involved.
In the interim, implementing a robust VRM operating model can be achieved relatively quickly through a focused, risk-based framework of better processes, analytics, and monitoring mechanisms to run the operations cost-effectively.
The right technology is critical, as screening and assessing performance for tens of thousands of vendors worldwide requires the ability to filter massive amounts of data quickly and accurately. Manual processes and Excel spreadsheets are inadequate for this task, and although some off-the-shelf tools can help, none were specifically designed for VRM.
Companies must either adapt the tools to business needs, design internal systems for VRM, or leverage third-party expertise. The best tools are platform agnostic, able to pull data from any legacy system and quickly present a coherent view of every vendor across the enterprise. Integrating databases such as ‘Lexis Nexis’ or ‘World Check’ with a technology platform suitable for VRM can lower risk by identifying the riskiness of the vendor at the onboarding stage and flagging any negative feedback.
Better technologies support more effective VRM processes, and the compiled data supports analytics capable of spotting overpricing, poor performance, and other enterprise risks. It is crucial not only to continuously track vendor performance with a carefully chosen set of appropriate metrics but also to use the results to refine the VRM program.
Actionable data through intelligent insights
Analysing the data is not enough; it must be applied on an ongoing basis to weed out risky vendors and keep up with regulatory changes.
An experienced partner not only can provide the required analytics tools but also can quickly conduct a full-coverage screening of all the company vendors to achieve a clean vendor database free of multiple or non-standard contracts. This results in a fully vetted set of reliable vendors that won’t put business continuity or brand value at risk. The new mechanisms put in place for ongoing vendor assessment can ensure continuing high performance and best pricing.
The future of VRM
Vendor risk management will become a major target of regulatory oversight, which means the appropriate VRM program must be comprehensive. A viable program needs to encompass quality, performance, financial, and non-financial (reputational) risk, and must be integrated across financial institutions rather than siloed in each department. The long-term gains of strengthening VRM are well worth the short-term effort. This will prove especially true when the regulators’ scrutiny increases. Proven advanced operating models can achieve good VRM within a reasonable time, in relatively non-intrusive ways. The time to start is now.