Business as well as life is a balance. It was the Chinese New Year on the 8th of February, so it seems pertinent to use the philosophy of yin and yang to discuss the interactions of critical controls in the enterprise procurement process. The idea of yin and yang is that opposite/contrary ideas can in fact be complementary and build a stronger whole. This approach may well be useful in providing the right balance between the various control systems that come into play as any procurement process develops.
There are a number of ‘critical controls’ within any given procurement program. Security is often seen as the main critical control and the one which can have the greatest impact on assets and infrastructure. However, security is not the only element that can have a potential impact on the procurement process and on vendor risk management. Of course, the criticality of each part is dependent on the industry. But in general, the type of things that you need to know about a vendor before procurement choices can be made include:
Security: If you read this blog regularly, you’ll know that data and privacy breaches often have their origin with a third party supplier. A number of studies corroborate this, including the 2013 Trustwave study, which found that 63% of the investigated breaches began with 3rd party administration exposure. There is also a general and historical problem in the communication between procurement and security, security being seen to ‘slow down’ procurement. However, this is starting to change as more breaches, like those mentioned above, occur. In a previous post we have talked about how KPMG have found that 70% of procurement managers now realize how important it is to know how a third party will handle their client data. This is a move in the right direction. An end-to-end security strategy, across the vendor/client eco-system is increasingly important and often needed for compliance with industry regulations.
Legal: The legal aspects of vendor onboarding can be arduous. It seems that once you involve the lawyers, everything comes to a standstill. There are, of course, good reasons for this; legal needs to make sure that all eventualities are covered. This is never truer than when you have regulations to comply with, which often extend outwards to your suppliers’ systems. Other factors, such as competition law and the legalities around the origins of goods, personnel and services, need due consideration.
Social and environmental: As green laws take effect, a number of environmental constraints can come into play in the procurement process. You may need to develop a sustainable procurement policy to comply with regulations in these areas and to make sure the vendor choices you make fit in with this overall strategy.
Having effective know your vendor (KYV) policies in place before making final decisions is part of your supply chain risk assessment. This is a key part of the procurement process as it offers a way to minimize the future risks and protect the business against uncertainty. Gartner in their recent evaluation of the role of the CIO and risk, have stated that “Procurement teams develop contracts that improve security agreements with cloud vendors and security managers” to be able to meet the challenges facing business today, especially when dealing with Cloud based data.
Procurement choices that are educated and based on checks and balances will ultimately benefit the company, because they reduce the risks associated with unknowns. Getting this process right is a challenge. For example, procurement and security need to work together for the greater good. The SANS Institute, in their paper on “Combatting Cyber Risks in the Supply Chain”, recommend a combination of ‘people, processes and technology’ to deal with the problem of good vendor evaluation for procurement. Communication and transparency are the key to risk reduction. It may seem like a slower process to add in the assessment stage, to audit vendors’ data security procedures, but in the long term this will benefit your company through informed choice – the old adage, “more haste, less speed”, is highly applicable to the procurement process.
Procurement is the natural place where communication can start. It is often the main channel between the enterprise and the vendor and, as such, can create effective dialogue to manage critical controls, like security, and ensure they don’t slow the process down any more than necessary. Seamless, clear communication in this area can also help to identify any hurdles. For example, if the vendor needs to go through a certification or validation process, this needs to be identified early on. It is only by having open discussions and actively building frameworks to work to that we can ensure we have those critical controls incorporated into the procurement process.
Getting your procurement controls in place before you sign that purchase order is vital. If you sign without first knowing your vendor and any critical exposure points they may have, then you may well end up with security or compliance issues down the line. Once the ink is dry on the contract, it is much more difficult to put controls in place. This can result in overall increased costs, as well as a risky project that could potentially end in a catastrophic data breach. Putting controls into the mix, at the right time and to the right level, is part of a good, holistic approach to procurement. Getting the yin-yang balance right will create the type of vendor eco-system that gives you true value for money, whilst minimizing your risk of privacy and data breaches.