This article was originally published on Technology.Info.
In this age of doing more with less, the IT landscape has become more like a web, with multiple vendors involved in the IT-enabled delivery of business solutions. Vendors are critical to enterprises’ abilities to deliver—ensuring that they can scale up and down to meet changing demands. For instance, if a company's new marketing campaign is exceedingly successful, it might cope by relying on trusted third parties to deliver the goods.
With the increase of outsourcing duties and cloud computing, vendors are taking on increasingly fundamental roles in enterprise operations. But there is also a trend in the market toward fewer (but more significant) vendor relationships. Why? Because many enterprises prefer to have a single point of contact (SPOC) that represents a consortium of vendors, which simplifies the management process.
As the scope, scale and complexity of vendor relationships and services increase, the risk related to them and the importance of effective vendor management increase proportionately. Managing external vendors should be a key competency for every enterprise. Successfully doing so leads to optimally mitigated risk and significant benefits.
Effective management of the third parties that deliver IT services and products to the enterprise helps maximize benefit and reduce associated risk. This process requires significant effort from both the enterprise and the vendor; therefore, IT vendor management often focuses on strategic client-vendor relationships that play a vital role in the enterprise’s daily operations. These relationships can have significant impact on the success of strategic projects and may generate substantive financial implications.
To help, ISACA offers Vendor Management Using COBIT 5, a publication focused on the effective governance of vendor communities. The book provides prescriptive and detailed guidance across the full life cycle, including the call for tender, the contract process, and developing and managing service-level agreements, with templates and checklists to aid you in your vendor journey.
ISACA research reveals that approximately one out of five enterprises (19 percent) does not invest sufficient effort to manage vendors and vendor-provided services effectively. This can mean that enterprise requirements and standards are not properly incorporated into vendor contracts, ownership of information being handled by vendors remains undefined, and access to information may not be guaranteed if vendors go out of business.
The research finds that almost 70 percent of enterprises have some awareness about vendor management and incorporate some requirements into IT vendor contracts, but they do little to nothing to determine whether their vendors comply with terms specified in the contracts and even less to determine if they are at risk because of their vendors, often waiting until it is too late.
Approximately 12 percent of enterprises devote great effort in gathering information from vendors, assessing vendor compliance and risk, employing red flags and triggers to identify when additional information from vendors is needed, and taking action to manage the compliance profiles and risk posed by their vendors.
The most common vendor management threats and related risk components are financial, operational, legal/compliance and reputational. Some of the top threats in relation to these risks include:
Inadequate vendor selection may, during the operations phase, result in the non-fulfilment of core vendor contractual obligations. Proper due diligence before closing the contract can help mitigate this risk and provide the enterprise with a better view of the long-term delivery capabilities and sustainability of the vendor.
Failure to conduct adequate vendor selection exposes the enterprise to financial risk in the form of the considerable costs associated with replacing the vendor, potential revenue loss and ineffectiveness of financial penalties. Operational risk includes the inability to operate a certain part of the delivered service to meet the enterprise goals and the inability to obtain adequately skilled resources. Image and market share loss are considerable reputational risk elements. Legal risk centers on labor issues and lawsuits.
An incomplete contract, not covering all the aspects of the relationship that need to be managed up front, is a major threat to the sustainability of the contractual relationship.
Neglecting to detail payment terms and price-setting mechanisms is a major financial risk associated with this threat. Related to the financial risk, but also operational in nature, is requiring unrealistic or inadequate service levels from the vendor, which results in over-engineered solutions and high prices, or in underutilization of resources and lost business opportunities. Other operational risk includes missing end-of-life management stipulations (exit strategies) in the contract or failing to communicate clear, measurable requirements to the vendor. Legal/compliance risk could arise when the contract fails to detail liabilities or does not stipulate any intellectual property rights or specifications on the use, disposal, and distribution of software and data.
The threat of inadequately setting up and detailing the requirements can have a huge impact on the proper execution of the service by the vendor.
Enterprises tend to focus on solutions themselves instead of defining the requirements and giving freedom to the vendor to propose the optimal solution. This could lead to operational (e.g., failing service), financial (e.g., revenue loss due to failing service), legal (e.g., disputes with vendor due to not meeting the requirements) and reputational (e.g., unwanted rumors, image and/or market share loss due to the inability to provide a service) issues in the long run. Insufficiently detailing reporting requirements and the right to audit may also expose the enterprise to an operational risk (e.g., unawareness of the performance of the service delivery).
A lack of governance during the contractual vendor relationship life cycle can be considered a major threat to proper vendor management.
Failure to define an adequate governance model between the enterprise and the vendor increases operational and compliance risk. Also related to a lack of governance is ineffective contract change management procedures during the contract life cycle, which increases operational risk (e.g., ineffective execution of the service due to misaligned incentives) and financial risk (e.g., paying a price that is too high for the desired level of service provisioning).
The enterprise vendor management strategy has considerable impact on the enterprise’s business activities.
Over-reliance on a specific vendor, especially for business-critical tasks, increases operational risk (e.g., lack of in-house knowledge and demotivation of employees) and, consequently, financial risk (e.g., the vendor can overprice its service due to the enterprise’s dependence on it). Considerable attention must be paid to the applicable law in the vendor’s physical location, especially with offshore vendors and contracted cloud computing services, because these regulations can expose the enterprise to increased legal risk.
Enterprises will all have different approaches to managing vendor-related risk. On one end of the spectrum, there are enterprises that treat vendor management as a simple sourcing and contract-signing issue, while on the opposite end, there are enterprises that consider vendor management part of the enterprise long-term strategy to reduce risk, optimize cost and create value for stakeholders. Ultimately, effective vendor management has many benefits.
Robert E. Stroud is a member of ISACA’s Professional Influence/Advocacy Committee and vice president of strategy and innovation at CA Technologies.
Portions of this article were excerpted with permission from ISACA’s "Vendor Management Using COBIT 5".