Vendor Management and Mitigating IT Supplier Risk
By Hugo Britt | October 20, 2022
Vendor managers have come a long way from being a cost-savings shop. Today, they are thoroughly integrated with the business and play a key part in ensuring resilience and minimizing supply chain interruptions.
Cost savings will always be on the plate, but vendor managers are now managing risk from a governance and compliance perspective. In addition, they play a crucial role as the gatekeepers of supplier innovation.
This is particularly true in the world of IT procurement. In episode 82 of Una’s Sourcing Hero podcast, we explored this issue with Rohit Hajela, CEO of ProcureIT and Co-Founder of Vendor Management Office, an organization that helps track third-party technology vendors.
The risks of ineffective IT vendor management
“The biggest threat that surrounds us is cybersecurity risk, with ransomware being the largest risk within cybersecurity,” says Rohit.
“Cybersecurity cost the world $20 billion in 2021. By 2031, this is going to rise to $265 billion. It’s a huge cost that haunts every cybersecurity expert and CIO because it’s a significant risk that organizations are opening themselves up to [through their supply chains].”
Rohit says that ransomware is one of the biggest costs, but other associated costs come with it. “You’re also facing downtime. You’re losing money in lost opportunities, along with ransomware removal costs and recovery expenses and any money that is lost in productivity – all those hours that are lost. It’s a huge challenge, [considering that you are also] open to compliance and privacy risks.”
A two-step process to bring IT contracts under management
Rohit describes a two-stage process for companies that want to bring their IT contracts under management and avoid some of the costs associated with cybersecurity incidents and ransomware. Speaking in the abstract, he refers to the two stages as “Day One” and “Day Two.”
“Typically, day one to me is when you are buying something; negotiating a contract and just getting the vendor on board,” says Rohit. “You are doing risk assessments on what this vendor is doing, how it is helping the organization, and what kind of data [they] would have access to. If they have access to any data, what are they doing with it? Is it stored on Cloud? Is it on-prem? If they have access to the data, then how are they protecting it? You do all these due diligence items during the negotiations phase.”
Day two kicks in once you’ve signed the contract, explains Rohit. “Now the focus is on managing that relationship. There has to be continuous monitoring of that relationship from a performance standpoint. Is the supplier meeting the requirements? Complying with contractual requirements?”
“If the supplier was supposed to provide us a software report on X date, did [they do so]? Have they provided us with insurance certificates? Did they conduct a disaster recovery test? You need to track all of that information. If there are any risks found or any exploitable [factors], then you need to capture that and make sure that you reduce or mitigate that risk.”
Collaborate with stakeholders to get the RFP IT security questionnaire right
Rohit stresses the importance of getting the contract right, particularly regarding IT security. “Remember, once the contract is signed, then that becomes your bible. The vendor will behave, act, and respond based on what’s written in the contract.”
“It will become very hard to ask the vendor to do something which is not written in the contract,” he advises. “Your best bet in crafting and signing a high-performance contract is to do your due diligence, make the right connections with your stakeholders, get them to review it, and include as many clauses, conditions, and controls as possible in the contract so that you are covered from that perspective.”
Procurement’s strength as a function is that it has relationships with multiple stakeholders within the organization. Rohit recommends leveraging these relationships to get the contract right.
“For example, if you’re talking about the cybersecurity questionnaire, I would go to my cybersecurity team and say, ‘Hey, this is the contract we are negotiating. This was the questionnaire that was sent to the suppliers, and these are the responses – can you take a look from your lens and see if anything stands out?’”
“Are we covering our risks appropriately? Is there anything that you want us to negotiate with the supplier? Any change in terms and conditions? Any additional controls that you want to put in place to protect our organization’s data?”
Besides the sourcing and cybersecurity teams, other functions that should review the security questionnaire and the supplier's responses include the information security team and the privacy team, if there is one. Once you have their feedback, turn it into concrete requests and ask the supplier to make the required changes to the contract before it is signed.
Get in touch
For Rohit, a real procurement hero is someone who will transform the procurement function to make sure their organization remains successful and resilient.
If you’re interested in learning how to mitigate supplier risk and improve vendor management with the help of a group purchasing organization, get in touch with the Una team today.
Listen to Rohit’s full episode of The Sourcing Hero here: