Third-party risk management is currently an important topic for most corporate entities. In order to minimise their risk exposure, corporate entities are carefully scrutinising their third-party suppliers. Moroke Phajane, an admitted attorney and expert in third-party risk management, unpacks how third-party risk management can create a competitive edge, in this month’s SmartProcurement.
As a result of the current economic climate, corporate entities are also exploring innovative ways of saving costs, without compromising the quality of services required from third party suppliers. This simply means that service providers and suppliers with effective governance, controls, suitably qualified personnel, and a flexible fee structure, will be most attractive to corporate entities.
This definitely creates an opportunity for suppliers using an operating model that makes it possible for them to negotiate alternative fee arrangements with their clients. This fee model – coupled with effective governance, controls and suitably qualified personnel – enhances the supplier’s stature, brand and reputation.
Most corporate entities have a ‘Procurement of Goods and Services Policy’, which requires that a formal, transparent process is followed when selecting suppliers. The supplier selection involves a process in which suppliers are invited to bid to provide the required services.
In most cases, an independent cross-functional sourcing team is selected to assess the bids submitted by the various suppliers. The team uses specific criteria to select the most suitable supplier. The following criteria are generally used to assess-, and select suppliers:
• Preferential procurement (the supplier’s Black Economic Empowerment (BEE) status)
• Operational and technical capability
• Assessment of suppliers’ liquidity and solvency
• Commercial assessment (charge out rates, pricing structures and cost benefit analysis)
• Risk and compliance management controls (information security, business continuity and compliance with laws)
Preferential procurement
Most corporate entities are rigorously examining how supplier engagements impact their BEE scorecard. One of the key elements that is measured on the BEE scorecard for preferential procurement, is ownership.
Operational and technical capability
Suppliers have to provide evidence of their technical and operational capability. This can be achieved by demonstrating expertise in a specific area of specialisation, as well as the qualifications-, experience- and capacity of the resources employed to provide the services. This may include personnel and technology used to provide the resources.
The supplier’s track record – or success rate – is also an important factor in determining the supplier’s competency and capability. The supplier is also required to demonstrate its case management capabilities – which include providing clients with the necessary reports, updates and alerts for deliverables.
Assessing supplier’s liquidity and solvency
The assessment of supplier’s liquidity and solvency includes the evaluation of the supplier’s audited financial statements to verify that the supplier is financially stable, and that its financial position will not hamper its ability to continue providing its services.
Information security
It is advisable that a supplier should – at a minimum – demonstrate that it has the following policies, processes and controls in place for the safe, and fair management of information processed on behalf of a corporate entity:
• Information protection and privacy policy: Internal mandatory statements that define the minimum requirements for fair and secure information handling practices
• Information security policy: Internal mandatory statements that define the minimum requirements for information security – including, strong password standards, data classification, data retention storage, data destruction and data loss prevention security standards (such as patch management, application firewalls, anti-virus tools and anti-malware tools)
• Access management policy: Sets out the procedures and requirements for applying for-, granting-, managing- and revoking user access to systems, data and physical premises. This includes controls to ensure that only authorised individuals enter the company premises – including a visitor sign in process, secure remote access procedures and encryption technology
• Acceptable use policy: Contains explicit rules for individuals (employees and contractors) about the appropriate use of the firm’s information assets – including networks, devices and good practice to secure such assets
• Risk management framework and policy: The defined risk management framework as it pertains to people, data, financial risk and the mitigation thereof
• Compliance policy: The defined compliance management approach – or framework – to deal with regulatory compliance as it pertains to the organisation. This includes operational-, security- and human resources compliance requirements
• Business continuity framework or plan: A process which manages and tests the organisation’s business continuity, and disaster recovery capability. This includes the availability of business continuity plans, disaster recovery plans and robust backup procedures
• Security management alignment to ISO2700X, Cobit and King III
• Incident management processes
• Compliance with relevant laws: It is important for the firm to understand the corporate entity’s legislative universe, which comprises legislation applicable to the entity, and the industry in which the entity operates. This will enable the supplier to include measures and controls in their operations that will ensure that – while providing the services to a corporate entity – the supplier does not cause the corporate entity to contravene applicable legislation or regulations.
Business continuity
The supplier needs to demonstrate that it has measures and controls in place, which enables it to provide services to the corporate entity, without any disruption caused by factors such as key man dependencies, technology downtime and lack of back up procedures.
The current economic climate has contributed to businesses and individuals minimising, or at least prioritising, their procurement initiatives, as corporate entities are embarking on various initiatives to save costs. Managed- and outsourced services will definitely be on the list of services earmarked for minimal procurement, as companies are beginning to scrutinise the necessity of outsourcing services to external suppliers.
Innovative firms, which address business needs at a reasonable and lower cost – compared to existing suppliers – stand to benefit from this. This practice will certainly provide suppliers offering sound business solutions, adequate risk- and compliance controls, in addition to an established track record, the competitive edge.
