Does your organization have a supplier governance process in place? Such a process is essential for managing the risks that come with both existing and new suppliers, yet many companies overlook it. Skipping it can result in lost revenue from business interruption and can damage your brand's reputation. This is especially true when a supplier provides a product or service that is critical to your business. You want to be sure you have the right supplier governance model in place. To find out where you stand, answer these questions:
- Do your suppliers have access to your clients’ confidential and private information?
- Do you know your 4th party suppliers?
- Do you have a supplier governance process in place?
- Do your suppliers complete a financial, technical and privacy assessment prior to being awarded a contract?
If you answered NO to any of the last three questions, or cannot answer the first with confidence, you need to keep reading this article. If you answered yes, read on to make sure you haven't missed anything.
Financial Assessment
Three ways to check that a supplier is financially sound and able to weather an economic downturn or operational setback, especially when it provides a product or service that is critical to your business:
- Request a copy of the supplier's most recent fiscal year-end financial statements as part of your RFP
- Ensure that proper provisions exist in your contract, e.g. annual audits
- Obtain a Dun & Bradstreet credit report on the supplier
Privately held companies may be reluctant to share this information. However, if you state that it is a critical part of the RFP evaluation and that their competitors are complying with the request, they may reconsider. Talk to your finance department about alternative ways to assess a supplier's financial health, e.g. key financial ratios, when full statements are not available.
IT Security & Privacy Assessments
Your IT security and privacy teams should prepare supplier assessment questionnaires to determine the supplier's level of compliance and the risk it introduces. Integrating these questionnaires into your RFP is a good practice for new supplier selection. Keep in mind that questionnaire answers are self-attested, so where a supplier will handle sensitive data, ask for supporting evidence such as an independent audit report or certification. Ensure there is a provision in the contract stipulating that suppliers must repeat the assessment periodically; annually is common, but the frequency depends on your company's preference and on the product or service the supplier is providing.
Confidential and Private Information
Does your supplier have access to your or your customers' information? There is nothing inherently wrong with sharing data with a supplier if the appropriate provisions are outlined in the contract to balance risk, incentives and cost.
Do you know who your 4th party suppliers are? Although your suppliers are typically responsible for their own subcontractors (your 4th parties), you should still know who these suppliers are and whether they have access to your company's private and confidential information.
Data Residency Regulations
Data used to be stored on premises or in a dedicated facility. With cloud and infrastructure-as-a-service offerings, the question of where your data is stored becomes much more complicated. Is it in the cloud or on a designated server? If it is in the cloud, is it hosted in a private or a public cloud, and in which country? Are your suppliers meeting data residency requirements? Make sure you are compliant with your company's data policy. Some Canadian organizations, healthcare facilities in particular, are required to keep their data stored in Canada.
If you currently don't have a supplier governance process in place, be aware of the risks to your organization:
- Supplier interruptions or discontinuities
- Critical technology failures resulting in downtime, reputational damage, lost business or cyber attacks
- Supplier fraud, financial failure, cash flow issues or environmental incidents
Contact us for tips on the provisions you should include in your contracts to mitigate and reduce risk.