7 steps to effectively control supplier relationships

Image: Shutterstock

In today’s business environment, collaboration, partnerships, sourcing and outsourcing are inevitable. These partnerships eventually form the operational backbone, the supply chain of an enterprise.

Managing suppliers well, whether primary or tail spend is important although the approach and intensity may vary depending on their strategic criticality to the enterprise. But whatever role they play, here is a direct impact of any development in the supplier organisation on the enterprise, more so as regulatory bodies hold the engaging enterprise accountable for the supplier’s practices as they act on behalf of the enterprise.

The dangers “Penalised $1 million over supplying unsafe children’s nightwear”, “Suppliers use children to dig in lethally dangerous mud pits for tin ore”, “Imposed penalty for data breach by supplier”, etc., are headlines no enterprise wants associated with their brand. And it is this risk that makes it necessary for an enterprise to exercise judicious control over their supplier practices.

Seven essentials to maintain control
1.    Pre-qualification and selection – Comprehensive knowledge about the supplier at the earliest stage of the relationship is critical. This knowledge helps pre-qualify and select suppliers. In addition, the selection process must be aligned to the enterprise’s strategic objective of getting into a supplier relationship. The process must also help profile the supplier to fit into the appropriate control environment, considering its risk appetite. A proficient and effective procurement process would help select and manage suppliers in a timely manner while complementing the strategic objectives.

2.    Quality and risk management – Consider the supplier’s deliverables in the service / product design, and establish and execute a clear risk-based quality plan for supplier services. Also establish a robust risk assessment and risk treatment plan based on the supplier profile while identifying owners at both the supplier and the enterprise end. These must be aligned to the enterprise’s risk management policy.

3.    Security and data privacy – Ensure that the supplier’s security and data privacy practices are in line with the enterprise’s policies in these areas. Controls must be defined considering the nature of services / products provided, size / scope, the regulatory regimes under which the services / products delivered fall, supplier’s profile, and the results of the risk assessments. While the defined controls should be adequate to protect tangible / intangible assets and personal data, they should not be excessive. The interpretation of excessive differs according to the geography.

4.    Incident management – Establish a robust incident reporting and management process that must integrate with the enterprise’s overall incident management process. This would ensure that appropriate measures are taken and learnings are disseminated across the enterprise and other relevant suppliers. Corrective actions culminating from the process must be tracked to closure. Incident analysis should be performed at regular intervals to identify any trend that needs attention. Corrective actions of repetitive incidents should be further looked into for effectiveness.

5.    Regulatory compliance – Establish a compliance programme whereby suppliers identify all the regulatory requirements applicable to them, say, employment, child labour, health and safety, fraud and corruption, internal controls, service / product standards, environmental, privacy, etc. Owners must be identified and the compliance status tracked, reported, and reviewed periodically.

6.    Communication and business continuity plan (BCP) – Establish a robust communication process and ensure the supplier’s BCP complements the enterprise’s BCP. Enterprises must verify if the supplier conducts business impact analysis and risk assessment on critical services provided by them, derives a BCP out of it and communicates it to the enterprise. In addition, establish a clear communication plan for handling a crisis or disaster that could impact services. These must be factored into the enterprise’s BCP. Enterprises must also test the BCP with the suppliers at least once a year as well as every time there is a material change in the plan.

7.    Performance monitoring, governance, auditing and feedback mechanism – Continuously monitor supplier performance on various parameters as per the contract, best practices, regulatory requirements, etc. Establish internal and external governance mechanism with the supplier to review progress made on achieving objectives of the supplier relationship. Any issues should be highlighted, discussed and resolved. Enterprises must also consider at least one form of supplier auditing, specific to their services / products. Such audits may be part of the enterprise’s audit programme.

A formal, mutual feedback mechanism is a good tool to reap the best out of the supplier relationship and align it with the enterprise’s strategic goals. This helps in creating an environment of mutual trust, partnership and value creation.
Enterprises having reasonable control over their supply chain are more likely to achieve their supplier relationship objectives faster with higher delivery predictability. Such enterprises develop the resilience needed to respond to changing market conditions and disruptions.

By Rajeev Thykatt, Group Leader – Risk Management

The thoughts and opinions shared here are of the author.