Article written by:
Brooke Hauser
Senior, Information Technology Services
Depending on the size and type of business—as well as how long the organization has been operating—the number of vendors it has at any time might range from the tens to the tens of thousands or more. Even startups and smaller businesses, however, tend to see rapid growth in the number and type of vendors with whom they deal on a regular basis in today’s business environment.
The rapid accumulation of vendors, often to a scale that becomes difficult to govern, is driven largely by organizations' supply chains. Given the global nature of business today, as well as the increasing reliance on e-commerce, it is little wonder that many brands work with up to hundreds of thousands of suppliers.
Many businesses operate without structured vendor management, but that is not a plan for success
The truth is that many organizations do not know the true number of suppliers with whom they do business. A February 2018 Forbes article reported that many buyers admit they simply guess at the size of their supplier base.
Does this sound familiar? If so, this approach to vendor management can pose a variety of potentially serious problems for your business, such as the following:
- You have no assurance that your vendor partners are reliable.
- You may lack documentation or other proof that vendors are supplying purchased items at specified levels or intervals.
- You may find it difficult to determine whether suppliers are treating your company fairly and ethically.
- You may find it challenging to track and plan purchasing trends in the future.
- You may be sharing sensitive data with a third party whose security practices are weak, or unknown to you because nobody ever asked.
- You may need to treat your critical vendors differently from non-critical vendors, which we discuss in more detail in our article entitled, “How to Treat Critical vs. Non-Critical Vendors.”
It is vital for businesses to identify and prioritize critical vendors
The most effective strategy business leaders are adopting today is to identify and prioritize the critical vendors that support the core functioning of the business. Which vendors are in fact critical depends on factors such as your industry and the goods and services you provide.
How do most businesses identify critical vendors?
Many businesses develop their own criteria for deciding which vendors are critical. Some companies treat as critical any supplier that supports core activities and operational functions: if that supplier proves unreliable in any way, the business faces significant risk. If customers or other third parties would feel the impact of a vendor's failure to meet expectations, that vendor is a candidate for critical status.
Other companies designate as critical any goods or services provider, or other third party, whose failure could trigger regulatory scrutiny or cause significant impact on the company, such as a disruption of business or damage to the brand.
How should you identify your critical vendors?
It is vital that you perform a thorough critical vendor identification process so that suppliers are properly identified and categorized. Ranking vendors as critical or non-critical is what lets you focus assessment and monitoring effort where a failure would actually disrupt the business.
Here are a few things you should do to get started to identify critical vendors:
- Ask your legal department whether they maintain a listing of all vendor contracts.
- If there is no central repository of contracts, obtain the company's disbursements listing from accounts payable and review the payments made to vendors. Anyone you pay is a vendor, whether or not a contract is on file.
- Review the user lists of your critical systems. You should already be performing periodic user access reviews; the same review shows which vendors hold accounts on your network or can reach sensitive data. Include service accounts, API keys and integrations, not only named user accounts, since vendor access is often provisioned that way.
Once you have performed these tasks, you may be able to better categorize your critical vendors, according to the following classifications and how they rate within your own organization:
- Vendor type
- Regulatory requirements
- Specific services provided
- Business disruption factors
- Data type and volume
Here are a few businesses that serve as good examples of critical vendors:
- Cloud service providers
- Payroll administration firms
- Shipping specialists to support supply chain logistics
Further, it may help for you to perform risk assessments to designate the appropriate risk ratings to help determine how much monitoring may be necessary for a vendor.
Level 1 – high risk
At level 1, the risk factors are high, meaning that a potential breach is likely to cause significant disruption to the supply chain or to business processes as a whole. At this level, it is important for the client business to conduct on-site risk assessments periodically. The vendor should supply evidence of properly aligned security controls.
Level 2 – moderate risk
A possible breach would likely cause regulatory compliance issues rather than an operational outage. A regularly scheduled on-site assessment is not required, but the client business still needs evidence of the controls the supplier operates.
Level 3 – low risk
The supplier accesses only non-sensitive information at the business facilities and in the business environment. No on-site vendor assessment is needed in such cases. However, if an incident occurs, a post-incident review is still worthwhile to understand what happened and whether the rating was correct.
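The identification steps above (contract list, disbursements listing, access reviews) and the three risk levels can be put together as a small reconciliation script. The following is an added example written for this article, not a tool from the author or from any vendor-management product. All vendor names, payment records and access entries are constructed sample data, and the classification rules (which data classes count as sensitive, which vendors support core operations) are assumptions you would replace with your own. It merges the three sources into one inventory, surfaces vendors that are paid or hold system access but have no contract on file, and maps each vendor onto Level 1, 2 or 3 with the monitoring the article prescribes.

```python
from dataclasses import dataclass, field

# Constructed sample data for this example (not real vendors or records).
CONTRACTS = {"Acme Cloud", "PayRight Payroll", "QuickShip Logistics"}

# (vendor, amount): rows from an accounts-payable disbursements export
DISBURSEMENTS = [
    ("Acme Cloud", 12000.0),
    ("PayRight Payroll", 4500.0),
    ("QuickShip Logistics", 8000.0),
    ("Office Snacks Co", 300.0),
    ("DataScrub Analytics", 2500.0),
    ("DataScrub Analytics", 2500.0),
]

# (vendor, system, data_class): vendor accounts found in user access reviews
ACCESS_REVIEWS = [
    ("Acme Cloud", "prod-k8s", "customer_pii"),
    ("PayRight Payroll", "hris", "employee_pii"),
    ("DataScrub Analytics", "data-warehouse", "customer_pii"),
    ("Office Snacks Co", "visitor-portal", "public"),
]

# Assumed classification scheme: data classes with regulatory exposure, and
# vendors whose failure would stop core operations. Tailor both to your business.
SENSITIVE_DATA = {"customer_pii", "employee_pii", "payment_card"}
CORE_SERVICES = {"Acme Cloud", "PayRight Payroll", "QuickShip Logistics"}

# Monitoring required at each level, as described in the article.
MONITORING = {
    1: "periodic on-site assessment; vendor supplies evidence of controls",
    2: "no scheduled assessment; obtain evidence of controls",
    3: "no assessment; review only if an incident occurs",
}


@dataclass
class Vendor:
    name: str
    has_contract: bool = False
    spend: float = 0.0
    systems: set = field(default_factory=set)
    data_classes: set = field(default_factory=set)


def build_inventory(contracts, disbursements, access_reviews):
    """Merge the three sources into one record per vendor name."""
    inventory = {}

    def record(name):
        return inventory.setdefault(name, Vendor(name))

    for name in contracts:
        record(name).has_contract = True
    for name, amount in disbursements:
        record(name).spend += amount
    for name, system, data_class in access_reviews:
        v = record(name)
        v.systems.add(system)
        v.data_classes.add(data_class)
    return inventory


def contract_gaps(inventory):
    """Vendors we pay, or who hold access, but for whom legal has no contract."""
    return sorted(
        v.name for v in inventory.values()
        if not v.has_contract and (v.spend > 0 or v.systems)
    )


def risk_tier(vendor, core_services=CORE_SERVICES, sensitive=SENSITIVE_DATA):
    """Map a vendor onto the article's three levels."""
    if vendor.name in core_services:
        return 1  # a failure disrupts core business processes
    if vendor.data_classes & sensitive:
        return 2  # a breach is a regulatory problem rather than an outage
    return 3  # only non-sensitive access


def classify(inventory):
    """Return {vendor name: level} for every vendor in the inventory."""
    return {name: risk_tier(v) for name, v in sorted(inventory.items())}


if __name__ == "__main__":
    inv = build_inventory(CONTRACTS, DISBURSEMENTS, ACCESS_REVIEWS)
    for name, tier in classify(inv).items():
        v = inv[name]
        print(f"{name:22} level {tier}  spend ${v.spend:>9,.2f}  "
              f"data {sorted(v.data_classes)}  -> {MONITORING[tier]}")
    print("no contract on file:", contract_gaps(inv))
```

Run it with the sample data and the interesting finding is not the three contracted core suppliers but `DataScrub Analytics`: it appears twice in accounts payable and holds an account on the data warehouse with customer PII, yet legal has no contract for it. That is exactly the vendor a disbursements-only or contracts-only view would miss, and it lands at Level 2 until someone collects evidence of its controls.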
Is it time to identify your critical vendors?
If you have been putting off identifying your critical vendors, it may be time to get started to minimize risk, improve vendor relations and ultimately boost profits.
If you need more help and guidance getting started, contact us so we can help.