Don't "Gamble" with Your Organization's Future
For a very long time, procurement was perceived by organizations as a tactical capability that existed to process purchase orders. As the profession developed, the focus shifted somewhat toward cutting costs, but still without delivering value through strategic initiatives aimed at innovation, enhanced collaboration, risk mitigation and a reduction in the Total Cost of Ownership (TCO) of a given solution. In the past decade we have seen a major shift in what procurement ought to be: a strategic partner that creates value by administering the process of signing deals that are not only cost effective but also weigh the qualitative attributes of suppliers, assess all types of risk, and ensure that vendor performance is managed after the contract is signed.
Vendor Risk Management
Vendor risk management is a very important discipline, and one that can bring the security and procurement departments together, not only to provide value for an organization but also to provide insight into how to mitigate risk and to put the appropriate safeguards in place during the contracting phase, always in collaboration with the legal department. As cloud computing becomes more prevalent, organizations find the process of buying SaaS, IaaS and PaaS solutions very easy and convenient. Security professionals all over the country are spending countless hours convincing their colleagues of the risks of not assessing solutions, vendors and architectures from a risk perspective. A number of CISOs I have talked to have admitted to many sleepless nights wondering whether their organization will be breached and whether everybody in their respective organizations understands the need for a robust vendor risk assessment before buying anything and bringing it into the environment.
Procurement & Vendor Risk Management
Vendor risk management is of course a very broad term, and one that carries many different meanings across an enterprise, especially when viewed through the lenses of different parts of the organization such as IT. Implementing a comprehensive vendor risk management approach requires a lot of processes to be put in place. Firms have been struggling for a while to implement a risk management program for third-party security risk, as the ISO organizations have difficulty getting the message across. Policy and documentation by themselves are not enough. What some organizations do not realize is that just down the hall, procurement has been wrestling with many of the same issues for years and has been trying to build the processes and tools needed to meet such security risk management demands.
The cultural shift
Dr Peter Drucker said that “culture eats strategy for breakfast”, and he was absolutely right. No matter how many meetings, presentations and “lunch and learns” take place to explain the importance of risk in today’s enterprise, this way of thinking is a major cultural shift for many organizations. Procurement is at the forefront of spearheading that way of thinking and making sure that when we think savings, TCO, contracts and Ts&Cs, we also think vendor risk; we have worked very closely with our security organization to create a risk assessment process. Procurement needs to shift its thinking before anyone else and educate the organization. It is very difficult to move away from a mindset in which the CFO is pushing for savings to one in which the organization understands that its risk exposure can bring the organization down, and that no savings achieved through negotiation would be enough to save the company.
There needs to be alignment on the incentives that the different teams and leaders have. Procurement (depending on the organization's maturity) needs to be incentivized not to look only for cost reduction but to put all vendors (new and old) through a security posture assessment per project rather than once per vendor. This is critical, and even though it appears burdensome it is an essential part of the procurement department’s job.
Procurement in this era
Procurement is changing. As we move forward with technological advancements, machine learning, automation and robust data management, 80 percent of the transactional work of the procurement professional will no longer be manual. The procurement professional needs to adapt to and recognize that shift in the profession, as the most important attributes of the job become the following:
• Internal and external stakeholder management
• Vendor risk management and risk mitigation project management
• Vendor consolidation and strategic partnership creation
• Enterprise strategy contributor
The Message
Start investing in your vendor risk management capability before it is too late for your organization and/or your customers.