As a former practitioner, the challenge with third-party risk management wasn't that I was 100% engaged with a single supplier and laser focused on monitoring their activities. The challenge was that there were about 15000 active suppliers with whom my company transacted on an annual basis (and we were towards the bottom of the Fortune 500 list at the time). If the average person works 2000 hours a year, that would give me around 8 minutes per supplier (per year) to consider all the risks across onboarding, operational performance, financial, regulatory, legal, environmental, social, and governance metrics - constantly.
Third-party risk management therefore was much more of a data problem. How do you classify suppliers in such a way that you remain focused on what is important and yet are able to properly push the noise of all the rest of the activity to the background, still monitoring and aware but in a way that does not distract from the critical and important? How can you ensure that the right actions are monitored and reviewed by the right people under the right conditions?
The first step is to define what is critical to your business, aligned with corporate strategic objectives. Here are three conditions for focusing on the most critical suppliers:
Time and revenue impact to switch suppliers. A supplier may provide a standard service, but if it takes 18+ months to switch, they are a higher risk.
Whether the supplier is single sourced, meaning the only provider to you, versus sole sourced, meaning the only provider that can do that specific thing. Both introduce risk to the process, but the latter is higher risk. And if a single-sourced supplier takes longer to switch than you can survive without a provider, they might as well be listed as sole sourced.
The brand and revenue impact if the supplier were found to be operating in violation of Human Rights Due Diligence (HRDD) standards. Brand impact is hard to calculate, but with new laws setting penalties as a percentage of revenue, the impact is clear.
Note that these considerations are not tied to commodity, region, or business unit but are intentionally generic, in order to encourage thought about impact to the business rather than criteria based on spend thresholds. Once those three questions are answered, the work of defining the risk mitigation activities can be delegated down to regional and commodity leaders.
Once these criteria are defined and the suppliers prioritized for closer management, the next step is to define the data sources, scoring and weighting, and activity monitoring necessary to ensure relevant coverage. The point is to pull all of the information together so that it is available in a single pane of glass, giving visibility into the risk drivers for that supplier's activity.
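The triage described above, as an added example that is not from the original post: each supplier is scored on the three conditions (switching time, single versus sole sourcing, HRDD exposure) and ranked so that the few critical ones surface and the rest stay in the background. The weights, the 18-month saturation point, the 0.6 threshold and the sample suppliers are constructed assumptions for illustration, not figures from the post.

```python
from dataclasses import dataclass

@dataclass
class Supplier:
    name: str
    switch_months: float     # time needed to move to an alternative provider
    single_source: bool      # the only provider we currently use
    sole_source: bool        # the only provider that can do this at all
    survival_months: float   # how long the business survives without the service
    hrdd_exposure: str       # constructed rating: "low" | "medium" | "high"

# Assumed weights: the three post conditions, summing to 1.0.
WEIGHTS = {"switch": 0.40, "sourcing": 0.35, "hrdd": 0.25}
SOURCING_SCORE = {"multi": 0.0, "single": 0.5, "sole": 1.0}
HRDD_SCORE = {"low": 0.0, "medium": 0.5, "high": 1.0}

def effective_sourcing(s: Supplier) -> str:
    """Apply the post's rule: a single-sourced supplier that takes longer to
    replace than we can survive without it is treated as sole sourced."""
    if s.sole_source or (s.single_source and s.switch_months > s.survival_months):
        return "sole"
    return "single" if s.single_source else "multi"

def criticality_score(s: Supplier) -> float:
    """Weighted 0..1 score; switching time saturates at the post's 18 months."""
    switch = min(s.switch_months / 18.0, 1.0)
    return round(
        WEIGHTS["switch"] * switch
        + WEIGHTS["sourcing"] * SOURCING_SCORE[effective_sourcing(s)]
        + WEIGHTS["hrdd"] * HRDD_SCORE[s.hrdd_exposure],
        3,
    )

def triage(suppliers, critical_threshold: float = 0.6):
    """Rank suppliers and label those above the threshold 'critical'."""
    ranked = sorted(suppliers, key=criticality_score, reverse=True)
    return [(s.name, criticality_score(s),
             "critical" if criticality_score(s) >= critical_threshold else "monitor")
            for s in ranked]

# Constructed sample portfolio (not real suppliers).
SAMPLE_SUPPLIERS = [
    Supplier("A-logistics", 24, True, False, 6, "high"),    # effectively sole sourced
    Supplier("B-stationery", 3, True, False, 6, "low"),      # single, but quick to replace
    Supplier("C-cleaning", 9, False, False, 12, "medium"),   # multi-sourced commodity
    Supplier("D-patented-part", 6, False, True, 12, "low"),  # genuinely sole sourced
]

if __name__ == "__main__":
    for name, score, label in triage(SAMPLE_SUPPLIERS):
        print(f"{name:16} {score:.3f} {label}")
```

The ranking puts the one effectively sole-sourced supplier with high HRDD exposure at the top, while the low-scoring commodity suppliers remain monitored but do not compete for the reviewer's eight minutes.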
Most importantly, this result set needs to be integrated into the decision actions throughout the source-to-pay process. Here are a few sustainability examples that show how the relevant and timely risk controls can be included at the decision moment:
Supplier Onboarding: based on commodity/service, region, and business unit (i.e. government customers versus general consumers), engaging the right due diligence to cover the relevant HRDD regulations.
Sourcing: recommending or gating supplier selection based on risk thresholds or qualification thresholds, or providing award scenarios tied to the lowest-risk and/or most sustainable options.
Contracts: automatically adjusting the contract template or content based on risk information, to require compliance and give the customer risk-mitigation capabilities.
Buying: recommending promoted suppliers based on corporate sustainability targets, or automatically notifying or gating approvals when a less sustainable source is selected.
I hope this was helpful, but would love to continue the conversation.