Vendor risk management in subcontractor-dependent industries such as construction has re-emerged as a hot topic. The growing burden of compliance requirements, cost pressure and project magnitude have pushed some organisations into “building in the dark”.
It is in the industry’s best interest to build back better, given the recent calls for change across different bodies, such as Infrastructure Australia’s Market Capacity report, or ACA’s response to the 2021 Australian Infrastructure Plan.
In this article, we’ll take a more micro approach and see how organisations can get started in giving third-party risk management the focus it deserves.
Executive buy-in and direction are more important than ever, especially as it becomes increasingly clear that third-party risk management is an enterprise-wide endeavour.
Naturally, an organisation already has various risk domain owners. Taking a holistic approach to third-party risk management means uniting the needs and capabilities of these different business functions. For instance:
And who is in a better position to call for unity across the organisation? Top-level executives, who understand when it matters to stay in, or out of, the headlines.
As basic as it sounds, risks cannot be mitigated properly unless they are first recognised as risks. Executives therefore need to determine the organisation’s risk appetite against the potential risk areas discussed in the previous articles of this series: that is, to analyse how much strategic, operational and financial uncertainty the company is willing to assume.
The next step is to design a governance structure accordingly. There is no need to reinvent the wheel when proven frameworks already exist that can be tailored to your organisation’s needs.
The “three lines of defence” model has become a well-accepted framework for enterprise risk management following the Global Financial Crisis. It has been adapted and applied to various use cases, including project risk management. In this article’s context, the model is applied to third-party risk management.
The model also fits well with the hybrid procurement operating model (project-led, centrally enabled), since “who does procurement” does not have to be someone who “works in procurement”.
As the first line of defence, project managers, vendor managers and department heads at the business-unit level undertake procurement activities such as sourcing and supplier management, using the standardised tools and processes made available to them. Guided by policy, they are responsible for their own supplier risk.
The specific functions within the second line of defence vary by industry and organisation size, and job titles differ, but typically they include:
The third line of defence provides independent assurance over the risk management carried out by the first two lines.
Our upcoming research paper provides benchmarking insights to help with vendor risk management best practices in construction & related sectors. Register to be notified when it’s published.
With a governance framework in place, organisations are better positioned to start cleaning up existing supplier data and developing a deeper understanding of their suppliers.
The steps to take include:
Below is an example of a vendor risk management matrix, in which organisations apply a range of criteria along the Risk and Value axes to re-categorise their vendor database and then apply processes appropriate to each category.
For instance, “Strategic” suppliers can also be labelled “High risk” suppliers because of their “high risk, high return” nature.
This series would not be complete without covering the role of enabling technology in the People – Process – Technology framework.
Stay tuned for the next article.
In the meantime, if third-party vendor risk management is something you care about or need to get a grip on, we have undertaken an industry survey to provide benchmarking insights and recommendations. Sign up here to be notified of its launch.