Supplier Risk Management Best Practices: 7 Critical Steps to Building a Proactive SRM Program

4. Take a consistent approach to supplier tiering and categorization

Not every supplier requires the same level of scrutiny, so tiering and categorizing suppliers based on risk will help you to prioritize and scope your ongoing risk assessment and monitoring initiatives.

For a more structured approach, consider grouping your suppliers based on three categories of risk:

• Profiled Risk: To start, group your suppliers based on profiled risk, which is the risk associated with each group’s industry, criticality to business performance, location, and other high-level factors. This can typically be achieved by conducting a quick survey of internal supplier managers.
• Inherent Risk: This is each supplier’s specific level of risk before accounting for any controls required by your organization. Use supplier questionnaires to gather information on their level of access to your operations and data, internal security processes, reliance on fourth and Nth parties, legal and regulatory obligations, and other company-specific factors. Resulting risks should be scored based on likelihood and business impact.
• Residual Risk: Having a baseline inherent risk score enables you to then calculate residual risk, or the risk level remaining after controls are applied. You’ll be able to determine residual risk after working closely with each supplier to remediate or mitigate issues identified during the assessment process.

Tiering and categorization must be performed consistently to gain an accurate picture of your third-party risk exposure, inform further due diligence, and ensure that suppliers are assessed against the risks and standards that matter most to your business.

5. Devote the right resources to supplier risk assessments

Accurately and comprehensively assessing your supplier risk will likely require participation from experts from several disciplines across your company, including supplier management, procurement, IT security, compliance and privacy – not to mention your supplier contacts. A centralized SRM platform can help by delivering automated, relevant supplier risk assessments that drastically reduce manual labor while rallying both internal and external stakeholders around a single, cohesive process.

When it comes to selecting risk assessment questionnaires, you’ll need to consider two primary factors:

• Content. Standardized or custom? Standardized questionnaires make it easier to compare suppliers. Custom content enables more precise evaluation.
• Method. Should you do it yourself or outsource to a specialist managed services provider? Many organizations choose to devote their resources to managing risks, leaving the collection of supplier data to outsourced specialists.

Regardless of the content or collection method you use, be sure to have a remediation strategy to act on assessment results. There’s no sense in conducting risk assessments if you’re not willing (or able) to go the final mile.

6. Continuously monitor for supplier risks

At any time, businesses can fail, new products can launch, or mergers and acquisitions can occur. Questionnaire-based assessments are essential for gathering data from suppliers at specific points in time, but new risks will inevitably surface between periodic assessments.

You can bridge the gaps between assessments, keep risk scores updated and accurate, and know when further investigation is necessary by leveraging a continuous risk monitoring solution to scan public and private sources of supplier intelligence for:

• Cyber exposures, such as data breaches, leaked credentials, and company data on the Dark Web
• Business news, such as M&A activity and operational updates
• Financial updates, such as public filings, annual reports, and profit and loss statements
• Reputational issues, such as adverse media and executives on politically exposed person (PEP) lists
• Compliance violations, sanctions, state-owned enterprises, and other conflicts of interest

If there is any best practice in this post that will help procurement and supplier teams become more proactive, it’s this one. Not only should you leverage continuous monitoring data to validate and update assessment findings, but also seek an SRM solution that integrates monitoring and assessment capabilities for maximum efficiency and visibility.

7. Don’t forget offboarding risk

A supplier’s risk to your business doesn’t just evaporate when the contract ends or is terminated. A supplier holding sensitive data must return and/or securely destroy that data; support obligations may outlive a purchase agreement; and organizations must ensure that any supplier access to internal systems is terminated.

Key considerations in your supplier offboarding strategy should include:

• Centralized contract assessments to ensure that final commitments are met
• Offboarding workflow to gain approval from all internal stakeholders before final sign-off
• Reporting to validate compliance

While this may seem obvious, Prevalent research found that 43 percent of companies are not actively assessing supplier risks during offboarding.

Download the Best Practices Guide

To measure your current supplier risk management process against best practices, download Seven Stages to a More Proactive Supplier Risk Management Program. The guide examines:

• The characteristics of a mature and proactive supplier risk management (SRM) program
• How different risks should be managed at each stage of the supplier relationship
• Key capabilities to look for in a solution that addresses multiple supplier risk types
• Real use cases for companies that have successfully tackled their SRM challenges
• Tips and tricks for securing buy-in across the enterprise

Contact us today to schedule a demo where we can demonstrate how to take your SRM program from reactive to proactive.