
‘Procurement practitioners are tasked with balancing the external risk posed by vendor relationships against the internal benefit they offer.’ Though this statement would likely lead to murmurs of agreement and nods of assent when voiced in a procurement context, it fails to grasp a fundamental aspect of the modern procurement experience. Many key, indirect vendors are no longer external forces, but are instead massive sourced expertise operations, taking the form of managed service partnerships.
While in the past a vendor risk may have been viewed as a straightforward, due-diligence style problem, examples adhering to this past precedent are now regarded as more of an administrative afterthought than a vendor risk. With initial risk assessments being a commonplace practice, including assessment instruments such as KPI scorecards, market and customer portfolio analysis, historic pricing forecasts, and so on, the focus has shifted away from being micro-focused toward a larger, more holistic strategic analysis. And yet, the average company’s understanding of itself and its divisions differs widely from any degree of analytical understanding it has of key strategic partners.
Nowhere is this clearer than in the manner in which the term Third-Party Risk is used in relation to the field of procurement. Researching the term within the procurement industry will yield a bit of information on managing third-party risk in terms of legal compliance, financial compliance, and brand exposure. This is a strange reality given that these groups can easily be the same third parties who are themselves key partners to the same Managed Services vendors who have replaced entire internal divisions of companies. In this sense, these are closer to second-party risks; if an entire function has been outsourced, then the vendors of that function are effectively second parties, from the perspective of risk management.
For an example of this phenomenon in another domain, we can look to the effects of COVID-19 on the cryptocurrency market. Before the pandemic hit, cryptocurrencies were considered “safe haven” assets – it was believed that they were not connected to traditional markets, and thus were price-stable investments in casus fortuitus situations when traditional markets might suffer. Contrary to this classification, Bitcoin declined steeply in early March 2020, losing 55% of its value at the same time traditional markets were crashing. Simply put, the risk presented by the traditional market was significantly underplayed by risk analysts.
A strong theory explaining the crash of Bitcoin goes as follows: traditional traders sold off their crypto assets to make up for losses accrued in their leveraged security positions, starting a fire sale that the trading bots picked up on and compounded, sending the price of Bitcoin into freefall. Though the two markets are not linked, they both share a common, metaphorical “vendor” in the form of the human traders who move them on the market, and the human traders share a common sub-vendor (read: third party) in the form of the quantitative trading algorithms leveraged by most firms to handle market analytics and market correction.
So, what can this teach us about managing risk for key third-party vendors? Just like the cryptocurrency investors who lost billions during the COVID-19 pandemic, many modern companies leveraging managed service vendors to replace key functions do not understand, and have not thoroughly assessed, the sub-vendors performing key roles for their prospective partners, despite the fact that the risk is equally their own.
In the current sourcing climate, it’s no longer enough to perform traditional vendor risk analysis focused on a prospective vendor, their customers, or the market they operate in. In a world where increasingly large segments of businesses are being outsourced, many vendors are no longer external, nor are they simply vendors. They now represent key functions – the competitive advantage of a robust supply chain made into reality, with all the potential benefit and risk that entails.
For this reason, just as standard practice dictates that strategic risk mitigation at the company level must include deep-dive analysis of the entire value chain, similar levels of analysis must be applied to vendors performing key functions. The complex relationship between business and market factors necessitates a vendor analysis in which the entire value chains of key vendors are also understood and analyzed for risk, including the sub-vendors they rely on. Until these types of analyses become a common aspect of vendor risk management, the procurement practitioners tasked with mitigating risk will have failed to fully grasp the scope of what they are facing, and will be at the mercy of the unforgiving hand of third-party risk, a hand which their lack of analysis has rendered invisible.