One of the most common issues in supply chain security is in identifying vendors initially and then in maintaining their status over the long term. To answer that challenge, here are some ideas around creating initiatives to answer those needs that we have seen work over the years. This post will focus on identifying vendors and refreshing vendor lists. Another post will discuss suggestions for creating vendor tiers and sorting vendors based upon various criteria and mapping that to controls for each tier.
Getting Started:
The first step in identifying your vendors and beginning the supply chain security process is to establish responsible parties. Who in the organization will be responsible for establishing the program and who will be responsible for oversight of the program. Who will the program report to, and what data is expected as a part of the report. This is often assigned to the company’s risk or security department, where available and flows upwards through their management chain to a steering committee or chief executive. In some cases, where security or risk functions don’t formally exist, we have seen supply chain security tasking as a part of either legal or operational teams. Rarest of all, and the least successful in our experience, is when it is assigned to members of the accounting team – mostly because they often lack sufficient technical and risk assessment skills to perform the work optimally.
Creating Data Boundaries:
Once you know who will do the work, the next step is to establish boundaries and the underlying mechanisms you will use to manage the data. In small companies, this might be as simple as a spreadsheet. Mid-size companies often build a small database or Sharepoint repository to hold the data. Large firms often use modules in their enterprise data platforms to manage the data. How you will manage the data though, irregardless of your chosen platform, is much less important than setting boundaries about how far back in the vendor supply chain you will go. In our experience, this is an area where organizations often damage their success early by trying to target too large a portion of the vendor population or using too much history. Our suggestion is to use only vendors that are currently serving the company, and then to pick a criteria such as “criticality to just in time delivery”, “line operations criticality”, gross spend or criteria that reflect the potential for large impacts to your operations or central valued assets. For example, if you have vendors that provide raw materials to your factories, and downtime of the line is a significant threat – then focus on those critical suppliers to start. If you are a bank or credit union and you outsource item processing or marketing to your clients/members to a third party – then these vendors could impact the core value of your business – the trust of your clients, so start there. To begin, start by identifying the top 10 or 20 vendors in this group. That becomes the working list to begin the process.
Gathering the Data:
Now that you know what vendor data you need and what the boundaries are, how do you actually gather the data? In most cases – the process begins by working with accounts payable to obtain their ranked and sorted list of vendor payees. A quick hint here is to check with your disaster recovery and/or business continuity team to see if they already have the data and have vetted it. In many cases the DR/BC folks have done the basic footwork – so you may be able to leverage thier processes, data and systems. Either way, once you get the list, it is advisable to do a rationality check with the various lines of business using the vendors. In many cases, their feedback can help you make sure that what accounting says is critical agrees with their operational sense of the world.
Once you have the data, and get it processed it into your systems – you will next want to establish a workflow on how you will use the data, what baselines you will use, etc. We will cover that shortly.
Be sure to the document the collection processes you used, and create a periodic refresh process for the data based upon it. Optimize that process over time to expand scope, reduce time between updates, etc. Eventually, most organizations settle on monthly or quarterly updates vendor data, and then sort their vendor assessment efforts based upon tiers. Using and refining such a process will go a long way toward reducing your supply chain risks over time.