Choosing the right vendors and suppliers can make or break your business, and a well-designed vendor selection process protects you from third-party risk while still meeting your business needs.
It isn’t enough to pick from a list of vendors based on who offers the best bargain. Your vendor evaluation process needs to dig deeper to make sure you find the right vendors. Here’s why vendor sourcing is so important and how to improve your selection process.
How Can a Vendor Selection Process Boost or Expose Your Business?
Without an effective vendor selection process, it’s hard to really know who you’re going into business with. Companies may show you impressive performance statistics and offer cost-effective services, but unless you do your own research, it’s hard to gauge their risk level.
Choosing the wrong suppliers can damage your reputation, your ability to fulfill customer needs, and, in the end, your bottom line. On the other hand, optimizing your supplier procurement process can put you ahead of a large percentage of organizations. A Ponemon Institute study found that 61% of companies had security breaches as a result of third parties.
If you develop a streamlined and effective vendor selection process, you can avoid the pitfalls of working with bad suppliers, such as regulatory fines or lost customers due to a supplier not coming through on time. In addition, you can minimize costs by setting up an automated, centralized selection process that also reduces human error.
4 Key Steps in Your Supplier Selection Process
Just a few extra steps in your supplier selection process can help your business avoid a lot of backlash from outsourcing to irresponsible or at-risk third parties.
1. Align Your Selection Process With Your Business Objectives
Your procurement team needs to understand how your general business requirements and objectives affect the supplier selection process. The best way to do this is by gathering relevant stakeholders to create an internal policy outlining those overarching requirements.
For example, let’s say your main goal is to maintain an excellent customer service experience, because that’s how you differentiate from other companies in your industry. Doing so may require working with third parties in order to provide 24/7 customer support. It’s essential to find a customer service provider who offers an excellent experience and can prove it by showing you how their agents are trained, how they escalate support tickets, and how they’ll respond to high call volumes to keep wait times down. Once you define your stakeholder objectives and what they mean for your vendor selection criteria, you can find a great fit for the role.
The same Ponemon Institute study found only 42% of companies are reviewing their internal policies to manage third-party risk on a regular basis. Having a policy is not enough — it must be updated as external factors shift, such as geopolitical situations, global economics, company strategies, and international regulations. You need to understand how these affect your business and be ready to pivot accordingly.
For instance, if you realize all your support agents are located in one unstable region, it may be best to have multiple teams in different regions. Perhaps new regulations come into force and your suppliers need to shift their strategy in order to comply. Or a potential supplier could merge with another company that carries greater risk. It’s also possible that a country gets a new political leader whose arrival creates instability in the local economy. Any of these situations can change how you work with third parties.
2. Define Your Risk Appetite
Your risk appetite is the amount of risk you’re willing to take in pursuit of your business needs. By creating a risk appetite statement, all teams can get on the same page in terms of understanding which potential suppliers you can and can’t work with depending on their risk levels.
For example, if you have a low risk appetite for security breaches or cybersecurity risk because your company handles highly sensitive information and data, working with suppliers who’ve historically been affected by data breaches or who use outdated software might not be an option for you.
As you begin your vendor selection process, you can use the risk appetite statement to evaluate each candidate. You can write a risk appetite statement for each category of risk, such as financial risk, security risk, operational risk, and strategic risk, and outline your limit for how much risk of that kind you can take on.
Relevant data can help you find appropriate risk appetite levels for your company. Certa can help you get risk ratings that make sense for your business’s strategies and your industry’s compliance standards. This will be a great start in helping you create measurable plans for your procurement team to decide which vendors are the best fit for you.
3. Create Your Vendor Selection Criteria
Once you understand your overall objectives and risk appetite, you need vendor selection criteria. The idea is to create a list of important factors to measure potential vendors against.
You can use your vendor selection criteria to build a vendor scorecard that weights each category based on your priorities and scores each candidate on each item.
Your selection criteria will be based on your individual company needs, which could include things like delivery times, customer service standards, pricing, quality of the product or service, and other more advanced factors such as legal compliance, cybersecurity threats, and fourth-party vendor risks.
Here are a couple of important, complex categories you may want to include:
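As an added worked example (not code from the article or from Certa), here is one way to implement the scorecard together with the per-category risk appetite statement described in step 2: each criterion gets a weight reflecting your priorities, every category also has a hard minimum taken from the risk appetite statement, and a vendor below any minimum is excluded no matter how good its weighted total is. The category names, weights, limits and vendor scores are all assumed example values, and a missing score (no SOC 2 report, no pentest results supplied) is treated as a breach rather than silently scored as zero.

```python
"""Weighted vendor scorecard gated by a per-category risk appetite statement."""
from dataclasses import dataclass

# Criteria weights expressing business priorities (assumed example values).
WEIGHTS = {
    "security": 0.35,
    "financial": 0.20,
    "operational": 0.25,
    "strategic": 0.20,
}

# Risk appetite statement: minimum acceptable score per category on a 0..10
# scale (assumed example values). Falling below any limit excludes the vendor.
RISK_APPETITE = {
    "security": 7.0,
    "financial": 5.0,
    "operational": 6.0,
    "strategic": 4.0,
}


@dataclass(frozen=True)
class Vendor:
    name: str
    scores: dict  # category -> assessed score on a 0..10 scale


def validate_weights(weights):
    """Weights must sum to 1.0 so weighted totals stay on the 0..10 scale."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights must sum to 1.0, got {total}")


def appetite_breaches(vendor, appetite=RISK_APPETITE):
    """Return the categories where the vendor falls below the risk appetite.

    A missing score means the vendor supplied no evidence for that category
    (for example no SOC 2 report), which counts as a breach, not as a zero.
    """
    breaches = []
    for category, limit in appetite.items():
        score = vendor.scores.get(category)
        if score is None or score < limit:
            breaches.append(category)
    return breaches


def weighted_score(vendor, weights=WEIGHTS):
    """Weighted total across all criteria, rounded to two decimals."""
    validate_weights(weights)
    return round(sum(vendor.scores.get(c, 0.0) * w for c, w in weights.items()), 2)


def rank_vendors(vendors, weights=WEIGHTS, appetite=RISK_APPETITE):
    """Split candidates into a ranked eligible list and an exclusion map."""
    ranked, excluded = [], {}
    for vendor in vendors:
        breaches = appetite_breaches(vendor, appetite)
        if breaches:
            excluded[vendor.name] = breaches
        else:
            ranked.append((vendor.name, weighted_score(vendor, weights)))
    # Highest weighted score first; ties broken alphabetically for stability.
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked, excluded


# Constructed sample candidates with illustrative scores (not real vendors).
SAMPLE_VENDORS = [
    Vendor("Acme Support", {"security": 8, "financial": 6, "operational": 7, "strategic": 6}),
    # Best weighted total of the four, but its security score breaches the appetite.
    Vendor("Budget Co", {"security": 5, "financial": 9, "operational": 9, "strategic": 9}),
    Vendor("Global Desk", {"security": 9, "financial": 5, "operational": 6, "strategic": 8}),
    # No security evidence supplied at all, so the category is missing.
    Vendor("No Docs Ltd", {"financial": 8, "operational": 8, "strategic": 8}),
]


if __name__ == "__main__":
    ranked, excluded = rank_vendors(SAMPLE_VENDORS)
    for name, score in ranked:
        print(f"eligible  {name}: {score}")
    for name, breaches in excluded.items():
        print(f"excluded  {name}: below appetite in {', '.join(breaches)}")
```

The point of gating before weighting is that a cheap, fast vendor with weak security cannot "buy back" its way onto the shortlist with strong scores elsewhere; the appetite limit for the security category acts as a hard floor, which is what a low risk appetite for breaches means in practice.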
Vendor Performance and Potential Risk
The performance of your vendor has a direct impact on your business, too. For instance, you don’t want to engage with an underperforming company that’s not meeting its own clients’ needs. That’ll ripple out and, eventually, come to your door.
Identify your requirements for evaluating a vendor’s performance, including their promised delivery times, testimonials, and whether they offer the best selection of services for your company.
It’s as important to assess vendor performance as it is to understand the potential risks of working together. To do so, you’ll need to thoroughly research the vendor’s policies, history, and ownership structure.
When you know who the vendor is owned by, where they operate, how often they update their software, and how secure their finances are, you can better understand whether working together will also put your company at risk.
For example, knowing who the company’s major stakeholders are and whether they’ve received concerning press coverage can help you understand how the vendor affects your reputational risk. Viewing their recent financial statements can help you see whether they’ll be able to deliver on their promises to you and your customers. Seeing where their vendors operate can help you understand if your operations are at risk in case of regional instability.
Gather documents including SOC 2 reports, results from their penetration tests, written security protocols, their most recent compliance reports, an organizational chart, and the vendor’s policies regarding their own third-party risk management.
Keep in mind there may be more information to audit depending on your industry and the extent of your work together. An important note: Make sure you have up-to-date documents for all these categories. Risk levels can change fast, and their organization should adapt accordingly.
Environmental, social, and governance (ESG) performance is vital, especially since the SEC has proposed new rules surrounding how companies disclose their ESG information. The fines related to ESG can be steep — Goldman Sachs was given a $4 million SEC fine for violating ESG regulations.
Surprisingly, cybersecurity risks are also beginning to be considered ESG risks. With everything, including a company’s business structure, being technology-driven, a company’s weak cybersecurity controls can result in sustainability issues.
To future-proof your organization, incorporate an ESG section into your vendor selection criteria. Assess and monitor third parties for ESG metrics such as energy and sustainability efficiency, emissions data, and current SEC reporting processes.
ESG also considers whether a company acts dishonestly, unfairly, or illegally. Other suppliers or customers could stop working with you if you’re associated with any sanctioned businesses or unethical practices.
4. Vet Potential Suppliers
Once you have a good understanding of the solutions your business needs, your risk boundaries, and your top criteria, you can create a short list of solid candidates. Then, you can more thoroughly vet selected vendors.
You could check customer reviews and testimonials, look at other companies the vendor has worked with, and request samples or demos. In addition, you can issue a request for proposal (RFP) or request for information (RFI) to get more detail about exactly what the supplier can provide and the costs involved.
For instance, you may want to request information about your supplier’s cyber insurance. If your suppliers have protection against data breaches, ransomware attacks, network interruptions, or medical liability, you may benefit from that protection as well. You may also wish to ask for other types of insurance or certifications depending on your industry, such as hygiene certificates, machinery inspection checks, or business insurance.