October 25, 2022 / Blog

The Critical Nature of Managing Vendor Risk

Chris Duffy


Business management is a trust game. Every day, managers trust that the people they hire will perform competently. They trust that the equipment will function correctly. They trust that customers will pay promptly. Indeed, trust has been essential to management theory as far back as Henri Fayol, who more than a century ago identified management as composed of five parts: Planning, Organizing, Command, Coordination, and Control.

Each of the five components carries risk. The risks involved in planning include having the wrong information to plan correctly or making bad plans with the right information. A manager risks organizing the business poorly with the wrong people and equipment in the wrong place. Command risks include interfering with optimal employee performance. Coordination risks include employees failing to work together toward the organization’s goals. Control risks include submitting to the temptation to let things be.

Vendors are critical to the function of most enterprises. This is especially true for manufacturers, who rely on raw materials sourced ably from distant locations and precisely made components that make the assembly process operate smoothly. It’s only marginally less accurate for creative businesses, where the final product still requires materials and experts to combine effectively on deadline.

What To Do To Make Sure Vendors Are Engaged

When companies assemble their business impact analysis (BIA), they examine and prioritize the organization’s business: which parts are important, which operations are vulnerable, and what actions would be necessary to restore function in the event of a disruption.

A BIA is incomplete, however, if it covers only the organization itself. In the event of an earthquake, for instance, it’s not just the ability of the facility to remain intact that’s important, nor just employee safety, nor the ability of the equipment to function appropriately again. Having an intact manufacturing plant that’s unable to operate because a third party’s plant no longer can is just as bad a problem as if one’s own plant collapses.

Therefore, vendors should be encouraged to have their own Business Continuity/Disaster Recovery (BC/DR) plans. It’s even reasonable to require a plan for any job bid made by a vendor. If a relationship will be ongoing, BC/DR planning should be part of any contract.

This approach is exacting, but not sufficient. The relationship with key vendors must also be reciprocal and cordial. Every person in an organization that interacts with a vendor contact should ensure that each exchange is open. The vendor should know how it fits into its customer’s business operations and feel its contributions are more than merely the delivery of a component. When a vendor contact feels valued, it reinforces the monetary significance of the commerce conducted between the companies. Knowing that makes it easier to enlist vendor participation in planning, tabletop exercises, tests, and other functions of BC/DR. It encourages alignment between the companies and makes the vendor’s BC/DR planning less likely to fall by the wayside.

What To Insist On

Businesses should conduct their BIA, then build and test their BC/DR plans, then use these touchpoints to make sure vendors are working in sync:

  1. Align with their planning. The time to be sure BC/DR is part of a vendor prospect’s approach is when first approaching the vendor. A company’s vendors should not only test with the company, but also conduct their own tests and planning exercises on a similar schedule. Those results should be available to the companies they do business with as a condition of the relationship.
  2. Insist on a contact replacement plan. If there’s a problem with the point person at the vendor, from resignation to reassignment to death, the vendor should have a solution for the loss of that liaison.
  3. Are the vendor’s criteria for determining a disaster the same? Is the vendor content with a return to normal function two months after a flood? Does the vendor even make a clear determination and communicate that decision to its people and locations?
  4. Are they taking precautions? The vendor should have the appropriate backups for the parts of its business that interact with its customer. This could mean having the same servers, following the same IT security approach, or using the same BC/DR platform. What is the vendor’s plan for redundancy or backup: is data backed up to the cloud, on a tape drive, or to a server farm thousands of miles away?
  5. Does the vendor work on BC/DR with its vendors? A vendor’s ability to provide goods or services relies on its own vendors. Vendors that don’t include their own vendors in their own BC/DR planning are just humoring their clients.

What’s In It For The Vendor?

While it shouldn’t need to be explained, it should nevertheless be laid out for vendors and prospects that their relationship will depend on their ability to produce, even in trying circumstances. First, delivery of goods and services means the usual compensation, often when competitors without BC/DR plans aren’t going to be paid. Second, by delivering those goods during trying circumstances and difficult conditions, both vendor and client will likely emerge from the disaster ahead of competitors and in position to leverage that advantage.

This means coordination is critical. As touched upon briefly above, this means as much congruence as possible. At first, it may be essential to retain relationships with existing vendors. Companies seeking to reduce or eliminate vendor risk may want to negotiate agreements or concessions that specify equipment or procedures that bring the two into better coordination. That might mean using the same enterprise software or insisting that an overseas vendor has enough employees and backups who speak the same language you do (and vice-versa).

Memorializing the terms in a contract may be the prudent way to indicate importance and ensure compliance. At the very least, an organization and its vendors should perform these tasks together:

  • BIA
  • Planning
  • Tabletop Modeling
  • Testing
  • Reviews

Some concerns are always going to be important to both parties. It’s vital that both company and vendor commit to ongoing monitoring and updating. The vendor must know and agree that BC/DR planning is not just a one-time event. Tools like BC in the Cloud by Infinite Blue are an easy option to maintain a consistent BC/DR program.

Some matters are going to primarily require the attention of the engaging company. Beyond what a vendor brings to the table in terms of its service or materials, there will always be value to the institutional knowledge a good vendor has of its customer’s business. Therefore, companies should understand when they use a vendor that the sale or acquisition of the vendor can affect that dynamic. As with everything else in BC/DR, changes in the relationship must also be planned. Could a competitor buy a vendor? Could a vendor decide the public politics of its customer are too disagreeable to maintain a relationship? Plan for it.

Good BC/DR Includes Vendors

The fewer things left to chance in commerce, the better. In an industrial world, it’s difficult to function as a company without relying on outside organizations to supply expertise, equipment, or materials. Therefore, the best way to function in that world is to build solid relationships with vendors and leverage those relationships to make vendors part of a company’s BC/DR. Companies that have done this are probably well-positioned to overcome challenges that come. Companies that have not yet done this may still have time — but they should get started at once.
