BY SANJA CANCAR-TODOROVIC
A NEW OPERATING MODEL
Sanja Cancar-Todorovic is director – strategic relationships, global real estate asset management, at Manulife.
ASSESSING THE TOTAL VALUE OF OWNERSHIP Over the last decade, and particularly since the COVID-19 pandemic began, the procurement and supply chain function has evolved from enablement roles to a strategic partner function across most organizations. The traditional measure of success for procurement and supply chain was always tied to value for money – cost savings, cost avoidance, and labour arbitrage in the BPO/ITO space. That outdated concept has now been replaced by value of ownership, recognizing that the bitter taste of poor quality lasts a lot longer than the sweetness you get from a cheap price. This new operating model has put significant pressure on the procurement and supply chain function to transform itself in a short time, without impacting business operations in the process. The most successful transformations achieved the desired outcomes by focusing on strategic partnership management, as opposed to a traditional vendor management approach, basing their supplier evaluation criteria on the following areas. THIRD-PARTY RISK MANAGEMENT The digital transformation that most organizations have undergone since early 2020 was primarily driven not by the CIO, but COVID-19. The pandemic has accelerated the fourth industrial revolution that most organizations were tiptoeing around, before the pandemic pushed them into it.
But with massive changes, we are also exposed to massive risks that, if not mitigated, could have catastrophic consequences. Vendor concentration, fourth-party risk management, information security, business continuity, vendor reputational risk and vendor financial health were check-the-box topics before COVID-19. They are now part of the elevated third-party risk management process that starts at the vendor evaluation and onboarding stage. It is managed through structured, well-defined vendor governance process and continuous risk monitoring. Balancing vendor concentration with vendor consolidation is tricky as it is not the same for every industry, or even every organization within the same industry. The approach must be guided by the organization’s risk appetite. While it is not favourable to have one vendor perform all or most critical functions for the organization, the benefits of economies of scale are achieved by doing just that. Thus, it is crucial that organizations have a well-defined and communicated risk appetite that will drive scoring of this criterium. Fourth-party risk management has gained a lot of traction. This implies that, in addition to continuous monitoring of the third-party risk, organizations should also monitor their vendors’ vendors. This requirement alone has put pressure on procurement and vendor management functions, resulting in bigger teams with enterprise
risk management skills in addition to sourcing and vendor management skills. Nevertheless, understanding fourth-party risk is an important criterium in the vendor evaluation process. With the unprecedented reliance on IT vendors, information and cyber security are at the top of the threat scale. Fortunately, there are many InfoSec tools available that can continually monitor data breaches. The best defense remains comprehensive vendor due diligence, including reviews of the independent InfoSec Audits and vendor SOC reports, by the organization’s IT SMEs. Even if the due diligence process checks out, organizations need to have a well-established exit strategy in case of unforeseen circumstances. Similarly, to the InfoSec and Cyber Security, business continuity moved from the check-thebox exercise to an integral part of the vendor evaluation process. Engaging vendors with an established business continuity plan that is regularly tested and updated is a winning strategy. That’s especially true if the vendor is critical to the organization. Reputational risk is the hardest one to manage. It is the risk of public impressions, whether true or not, regarding the vendor’s business practices, actions or inactions, that will adversely affect vendor’s earnings, economic value, capital or ability to maintain business relationships. Depending on the type of public impression,
18 APRIL 2022
SP Apr 22.indd 18
2022-04-11 1:30 PM