Executive Briefings

Is There An Opportunity for Supply Chain Risk and Vendor Risk Convergence?

Analyst Insight: The complexity of modern supply chains introduces a wide variety of risks into business operations. Supply chain professionals primarily worry about logistics and planning challenges, but a host of legal exposures can come into play as well. The management of these vendor risks typically falls to legal and compliance stakeholders, but ultimately impacts supply chain activities. This creates a unique need for integration between solutions supporting risk and supply chain management. – David Houlihan, Principal Analyst at Blue Hill Research

Supply chain risk management typically refers to the challenges of maintaining integrity and continuity in complex and changing supply chains. Relationships with third parties and suppliers also invite an array of legal and regulatory concerns. These risks include controls on the connections or relationships themselves, such as specially designated national and other trade restrictions. Conflict minerals regulations and similar laws create requirements for information that must be tracked through multiple tiers of the supply chain. Other laws, such as Sarbanes-Oxley, HIPAA or anti-corruption laws, go so far as to impose vicarious liability for third-party conduct or regulatory violations.

Enterprise divisions of labor split these concerns between supply chain risk management and vendor or third-party risk management. The former belongs to supply chain managers, while the information collection and analysis of the latter typically falls to enterprise risk, compliance, and legal functions – or even external managed services providers. Since supply chain managers ultimately remain responsible for managing relationships with third parties, an information exchange is required for supply chain managers to apply the due diligence, controls and advice of vendor risk management stakeholders.

This may sound like a minor concern, but the result is a division between two closely related risk management activities. This divide creates opportunities for inefficiency, misunderstanding and errors in ways that create new exposures for the organization. Consider how often related inquiries and recommendations are sent by email, or managed in spreadsheets held across the desktops of stakeholders. Ultimately, these issues create inefficiency in operations, and potentially open the door to exposures.

Despite the maturity of solutions supporting both supply chain and enterprise risk management, little has been done to bridge supply chain and vendor risk efforts. Governance, Risk and Compliance solutions have expanded from core enterprise risk and compliance activities to include supply chain risk offerings, but still do little to reach into the supply chain management function. Similarly, despite the emergence of supply chain risk solutions, SCM has remained primarily concerned with operational risks.

Because each solution is focused on a different enterprise need, there is a clear opportunity for an integration that automates the exchange of information between these environments. While a relatively minor change, it could do much to bring together vendor and supply chain risk management stakeholders and information. It could also facilitate interactions between the respective stakeholders, potentially accelerating their processes. For the ultimate supply chain user, it could also increase the accessibility of risk information, providing a more complete picture of supplier risks and driving better decisions.

The Outlook

The division of labor separating vendor risk and supply chain risk management creates a compelling opportunity for consolidation of enterprise information management and distribution. The ultimate benefits relate not just to the efficiency and trustworthiness of information exchange, but also to new opportunities to combine supply chain logistics and vendor risk assessments. Whether any vendors have such a combination on their product road maps, of course, remains to be seen.
