Vendor risk management can be divided into three distinct categories: business risk, control risk, and relationship risk. Business risk deals with the financial, compliance, and geopolitical aspects of a third party’s operations; control risk addresses the procedures and policies a vendor implements to effectively and compliantly do the job it was hired to do.
Relationship risk differs in that it involves both the vendor and the contracting company. The name itself offers a definition: Relationship risk is concerned with a third party’s risk profile in relation to the company that has hired the vendor. This includes scope of services, contract protections, geographic location of services, and delivery—things that the third party does that directly affect the first party.
Relationship risk is also called inherent risk: the risk that is inherent simply by engaging in business with a third party. Any relationship with a vendor is inherently risky—a supplier, for example, may not deliver its goods per the contract terms, thus leaving your company without the (potentially important) product. Assessing relationship risk is essential in managing your vendors, especially the ones that are key to your company’s successful operation.
The Importance of Relationship Risk
In 2011, severe flooding struck Thailand and hit the Southeast Asian country’s technology industry hard. One-third of the world’s hard drives are produced in Thailand, so naturally, the flooding affected computer and computer storage sales internationally.
Assume you are a manufacturer of notebook computers. If your company’s hard drive supplier built its products in Thailand, the flooding indirectly affected your bottom line. This is relationship risk. The hard drive vendor’s risk profile included:
- A product that is absolutely essential to your manufacturing process
- Production in a distant, foreign location, thus requiring a longer shipping process
- Production in a location that is prone to weather events
- A heavy concentration of production of one item in one location, by many companies including the vendor
When the hard drives weren’t being delivered, your theoretical company likely had to scramble to find hard drives in order to continue production, or it cut back on production and was forced to lay off employees, or it raised prices, saw sales decline, and took a public relations hit.
However, this imaginary notebook maker might have looked at all the risk factors listed above, as well as other inherent risks with the vendor, and decided this was still the most efficient, cost-effective way to obtain the hard drives it needed. That’s why assessing relationship risk is so important, because it determines:
- What is most important to your company
- How much vendor risk your company will tolerate
- How much risk management will be required
- How much of your resources should be directed toward that management
- When a vendor is simply not worth contracting
Relationship risk management starts with your company, which must determine which vendors, and which functions of those vendors, are most important to your organisation. Obviously, a third party that supplies a key component of your product or handles sensitive customer data will be more crucial than the vendor that sells you office equipment. Armed with this knowledge, you’ll know what questions to ask during the assessment process. Good vendor risk management software will allow you to tailor assessments to your specific needs (e.g. providing added weight to categories deemed more important by your company). After analysing the results, your risk staff can proceed with managing the relationship risk and, hopefully, improving the relationship between your company and your vendors.
What aspect of relationship risk do you find most challenging?