Vendor melt-down, the unexpected failure of an outsourcing service provider, is a troubling aspect of the slowing economy and tight credit conditions. Is it one of those "what keeps you awake at night?" issues.
According to George Westerman, Research Scientist at MIT's Sloan Center for Information Management Research "Enterprises that manage risk effectively have a better handle on how they are addressing high priority risks, and importantly what risks they are choosing to "live with". They are confident that they are investing money and effort into risks that really matter." More information can be found on the attached link http://web.mit.edu/cisr/resbrfgs/2004_07_2C_ITRiskMgmtEff.pdf
How do you know whether one of your key outsourcers is teetering on the brink of failure? How do you prepare if the worst happens? Replacing any outsourced relationship takes time and effort. In fact, under normal conditions, the selection process alone usually takes anywhere from 4 to 8 months.
Here are a couple of ideas that you may want to consider:
1. Implement a Vendor Management Risk Govenance (VMRG) program.
Vendor Management Risk Governance (VMRG) is the overarching structure that enables an all company view of your supplier community. Not to be confused with vendor management or vendor governance - which is a set of tools and processes to identify and manage day-to-day operational risk on a supplier-by-supplier basis. Forrester has a white paper on this topic that may be of interest. http://www.forrester.com/Research/Document/Excerpt/0,7211,41478,00.html
It is recommended that VMRG reports into risk, compliance or sourcing, not into the business line or IT. This separation of duties is a best practice that ensures objectivity and appropriate oversight.
Characteristics of a Vendor Management Risk Governance (VMRG) Program:
VMRG starts with classifying the type of relationship - e.g. outsourcing and mission critical supplier relationships - to distinguish critical and potentially risky supplier relationships from the hundreds or thousands of other supplier relationships on your books.
If you then establish a common set of key risk factors such as whether the supplier has access to customer or employee data that is protected by privacy laws, whether the relationship is Sarbanes Oxley reportable for your company, the supplier's financial and operational stability, the quality of their Business Continuity Planning and Disaster Recovery plans and testing methodologies, the ease of replacement, whether negotiated contractual terms provide adequate protection, etc. then you will normalize vendor management risk governance assessments across your whole supplier community.
Applying this standarized risk assessment process will allow you to determine the level of risk - High, medium or low. Then the intensity of due diligence and frequency of reviews will be appropriately aligned with the level of risk. You will be investing your risk management governance resources wisely.
According to the level of risk, it is important to establish standards and processes for monitoring and reviews. It is a best practice to assign responsibility for the service provider performance management - Vendor Governance or Vendor Management - to a person or a team within the business unit that utilizes their services.
The process of monitoring outsourced service provider relationships should be structured and well defined, to ensure that there is consistency. The monitoring and review processes are performed by the contract owner in the business unit, with results reported to the VMRG function.
Vendor Management/Governance (VM) is a supplier-centric operational risk management and monitoring process. If structured and requirements are well defined. The VM officer is responsible for managing to contract, service level agreements, and expectations. Equally important, the VM is a key point of escalation for issues including vendor melt-down and failure. Crisis management processes will still be invoked, but the organization will be better prepared to deal with the issue.
In March 2008, IT Governance Institute (ITGI) formed a working gorup to develop an IT enterprise risk management framework that will allow business managers to assess IT controls for deficiencies and business risks. More information can be found at http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=40934&TEMPLATE=/ContentManagement/ContentDisplay.cfm
Defined Vendor Management Risk Governance policies and processes ensure orderly execution of vendor risk management. VMRG brings an all-company view of supplier operational risk and trends to senior management. Operationalizing VMRG and seeing results will help you sleep better at night.
2. Adapting the outsourcing selection process for "rapid-start" engagement.
Bad things happen. Unless the economy turns around very quickly, it is highly probable that you'll be facing major issues or a complete failure of at least one outsourcing or mission-critical supplier. Being prepared to rapidly execute sourcing processes to that help you select the right replacement service provider and to transition services quickly is important. This can be accomplished in a couple of ways:
1. Develop exit plans for all key supplier relationships. Make sure your processes are well documented and that the format of your data that resides with your outsourcer is accessible and in a format that is transferrable to another supplier. Will the licensing terms for software contracts utilized on your account by your service provider accomodate transfer to another supplier?
2. Invest in some competitive intelligence . Find out who else is out there, what they offer, how it compares with your current relationship. Complete a high level assessment of alternate service providers that seem to be a good fit.
#. Review your existing contracts to ensure that they reflect the services the outsourcer is providing. Having a good contract that reflects your needs will save you time later if you need to negotiate with a new service provider. Also, check for termination penalties and assistance plans. If they aren't clear and comprehensive, renegotiate that part of your contract.
3. Develop a rapid start outsourcing process. Review your outsourcing methodology to determine which steps can be shortened, eliminated or combined with other activities. Scan the advisory community and determine if and who you would choose to hire in the event of a crisis situation. Detemine key terms of engagement. Finding a qualified advisor isn't the kind of barrier that you should be dealing with in a crisis.
An ounce of prevention is worth a pound of cure. Be prepared, stay alert, design and implement good governance processes. You'll have better outcomes in the event of a crisis.
Linda Tuck Chapman is Managing Director, Ontala Performance Solutions Ltd. www.ontalasolutions.com You can contact Linda at ontala@rogers.com