In the corporate world, some companies have entire departments and sophisticated software devoted to vendor risk management (VRM). At Point Park University, Pittsburgh, which enrolls 4,200 full- and part-time students, we focused on a sustainable solution requiring minimal resources.
Point Park’s existing enterprise risk management (ERM) program addresses both institutional and operational risks. Third-party, outsourced vendors fall into the second category: Not knowing what our vendors are doing—or not understanding the environment in which they’re operating—could have a negative effect on the university’s physical or financial operations, as well as on stakeholders themselves.
Like many institutions, Point Park employs a variety of practices to conduct VRM informally. For example, we ensure that legal agreements include key provisions to limit risk (such as indemnification and limits of liability), tailor insurance requirements for vendors to the specific risks associated with the outsourcing, and establish Key Performance Indicators (KPIs) for certain agreements.
A Cost-Effective Way to Implement VRM
How might we improve vendor risk management? Research into that topic turned up an interesting article in the Institute for Supply Management Journal. In it the author, the procurement officer of the International Monetary Fund, explains a qualitative and quantitative approach to VRM that could easily be adapted to higher education. That realization led Point Park to develop a formal process—and a more collaborative approach—to vendor risk management without taking on the considerable expense of purchasing VRM software. Here are the steps that we follow:
Re-engineer the vendor certification process. Most businesses, whether for-profit or nonprofit, "certify" new suppliers for third-party relationships. Typically, the certification forms sent to suppliers collect biographical data—such as years in business, names of key officers, and the number of customers or clients—but don’t gather information relevant to assessing the risk of using that supplier. With permission from the International Monetary Fund, we modified its vendor certification form to meet our needs. Our certification form, for example, now includes such yes/no questions as:
- Has your network security ever been breached, resulting in the release of your firm’s or customers’ data?
- Does your firm subcontract with any vendor who will have access to our confidential information or personally identifiable information?
- Indicate whether your firm has a disaster recovery plan. If yes, indicate how frequently the plan is tested.
We currently have two variations on the certification form—one for general use and one for general contractors engaged in new construction or renovation. The certification form has been well-received by our vendors. For those involved in competitive processes, completing the electronic certification form is one of Point Park’s RFP requirements. And, if we put another project out for bid less than 12 months after a vendor has submitted the certification form for a similar project, we’ll generally use the form we already have on hand.
Create an internal assessment form. With the assistance of a consulting firm, we incorporated the questions from the certification form into an electronic vendor assessment form. Based on the vendor’s responses to the former, the latter calculates a perceived risk score. In other words: What’s the perceived risk of doing business with this vendor, without taking any mitigation steps? The higher the score, the more favorable the perceived risk.
We consider the perceived risk score as one of the factors when evaluating responses to RFPs. Of course, some information collected from vendors must be subject to human review. Typically, we calculate a perceived risk score and then may increase or decrease the score depending on our review of materials such as SOC (service organization control) reports and financial statements.
Develop a risk exposure tool. Not all Point Park vendors are routinely involved in the competitive RFP process. To ensure that we didn’t overlook them, we sent key operating departments a framework against which to evaluate suppliers in five areas of risk exposure: volume, finances, strategic and competitive advantage, compliance, and human capital. It asks questions such as:
- Which 20 percent of your vendors account for 80 percent of your spend?
- Does this vendor access/store personally identifiable information?
- How mission critical are the services from this vendor to your department’s success and strategic goals?
- Does the vendor perform services on campus with minimal or no internal supervision?
Through this exercise, the departments identified their top five to 10 vendors in terms of risk. We plan to send the vendors supplier certification forms targeted specifically to them. Our goal is to reassess the risks of doing business with those suppliers every 12 to 18 months.
Build a centralized vendor intelligence database. Still in development is a database that will store all the information from the vendor certification and risk assessment forms. The database design includes the ability to upload relevant documents and an observational notes section. For example, accounts payable might use the observational notes section to note that a vendor, on multiple occasions, has asked to expedite payment before 30 days. A second or third request for expedited payment may signal cash-flow problems that could be a precursor to more significant issues.
The database would also house information gathered from site visits to vendor headquarters, one-on-one interactions with vendor representatives, Dun & Bradstreet reports, and simple Google searches. In addition, this database will send electronic reminders when it’s time to update a vendor’s information or request a financial statement. Finally, departments could use it to find out whether a potential supplier has already done business with the university—and if there were any issues.
Increased Risk Awareness
Another piece of our vendor risk management process remains on hold: a supplier scorecard to proactively inform both vendor performance measurement and risk management. Point Park’s prototype did not test particularly well among staff members. In the future, we’ll redesign the scorecard and possibly narrow its use to the most critical suppliers.
Successful vendor risk management involves collaboration with multiple operating units, including procurement, IT, finance, accounts payable, audit, risk management and, of course, the end user of vendor services. We often get into spirited conversations, weighing the risks and rewards of material business transactions. The vendor risk management process has helped us have those conversations by breaking down informational silos on campus and generally making people more aware of and conversant with risk.
SUBMITTED BY Ruth Rauluk, assistant vice president of risk management and procurement, Point Park University, Pittsburgh