Risk assessments made easy

How risk assessments can become more integral to the vendor sourcing process...

Risk assessments can be an arduous task for everyone involved. Procurement and compliance teams view this process as ‘mission-critical’ while internal stakeholders view it as ‘lots of paperwork’. In fact, it is one of the reasons why internal stakeholders hesitate to engage: outcomes can take time and be uncertain. Even after a risk assessment is complete and the contract is executed, three certainties still remain: no one can anticipate all risks, no company can be protected against all risks, and a given contract is unlikely to have anticipated the risks exactly as they materialize.



In short, there is a lot of work being done with few appreciable benefits – at least, that’s what it looks like. Still, regulators require financial institutions to assess risks extensively, and companies do it as a best practice. So, how can risk assessments be more integral to the vendor sourcing process while also adding more value – without the pain?


In my experience, the solution to align these conflicting interests is to integrate risk assessments into the procurement process. Procurement teams need to stop looking at the risk assessment as a single work effort completed as one of the final steps in on-boarding a vendor. Specifically, I propose to break the risk assessment process into two stages, discovering and assessing the various risks discretely: first, performing a risk assessment on the engagement itself before the launch of any bid process such as an RFx, and second, completing the risk assessment on the vendor itself during the selection process.


By splitting the risk process into the engagement risk assessment (ERA) and the vendor risk assessment (VeRA) phases, it becomes integrated into the entire procurement process and creates many benefits. These benefits range from better clarity as to what is being sourced to measurable efficiencies in the contracting process and significant leverage during negotiations. But before touting them further, I will outline the ERA / VeRA process in more detail. 


For purposes of illustration, I will assume the purchase of digital marketing services. An integrated marketing services agreement presents different risks and legal terms than a data purchase agreement. 

Engagement Risk Assessment (ERA): What it is and when to complete it


Once a procurement professional starts working with the internal stakeholders on a new engagement, they need to gain clarity as to what is being sourced. Discovery is key here. Not only does the procurement professional need to understand the what, why, who, and when, but also the intentions and the definition of success.


Key discoveries require an understanding of the setup (systems integrations, work product, KPIs), responsibilities (data sharing, timing of deliverables, etc.), and security (encryption standards, data hosting, data separation, etc.). Key internal stakeholders to be engaged are InfoSec (for data security and hosting requirements), Legal (for contractual guidelines or language), the internal business partners (for engagement specifics), and others as applicable. All of these stakeholders should be able to provide guidelines (“nice-to-haves”), guardrails (“cannot-do’s”), and requirements (“must-haves”).


By answering these key questions, contractual requirements and related risk requirements become clear. This up-front intentionality may be more work at this stage but will save hours, and likely weeks, on the back end. Also, in many cases these guidelines will only need editing or validation in future engagements. None of these discoveries is specific to the supplier; they apply to the engagement and to any and all providers.


In addition to including applicable guidelines, guardrails, and requirements in the RFx, several risk assessments can be conducted at this stage. Specifically, the ERA should include a financial viability assessment on all vendors (likely via an external data provider like DnBi or Tealbook), a strategic risk assessment, and (if applicable) a country risk assessment.


By defining these initial discoveries (which guide the intended service setup) and integrating them with the ERA, the risk-integrated bid event (RFx + ERA) accomplishes market research that benchmarks the viability of the proposed setup against what suppliers can actually do (i.e., the RFx provides some truly useful insights beyond costing).


It also provides greater clarity around the contracting hurdles because key terms and conditions (T&Cs) are broken out without requiring attorneys to redline an entire agreement. Specifically, the company may request certain terms (such as limitations of liability, cyber insurance, data ownership, intellectual property rights, work product definition, and others) to discover what vendors are willing to give.


Lastly, it provides leverage in the upcoming negotiations since the selection process includes not just pricing but also other inputs impacting total cost of ownership or retained risks.


Vendor Risk Assessment (VeRA): What it is and when to complete it


After the conclusion of the risk-integrated bid event, the company’s cross-functional team needs to select a front runner as the partner of choice. Procurement then initiates the contracting and negotiation process, inclusive of conducting a VeRA.


The VeRA consists of two aspects. First, there is the back-end validation of the ERA’s guidelines, guardrails, and requirements, or an outline of the gaps in them. This step is critical as it offers the opportunity to create a feedback loop, which in turn creates a learning process. Then, there is the risk assessment specific to the vendor selected.


There is quite a comprehensive list of risks that need to be assessed as part of the VeRA. These include financial risk (including credit risk), operational risk (loss resulting from inadequate or failed internal processes, people, and systems, or from external events), compliance risk (from violations of regulations or noncompliance with internal policies), transaction risk (problems with the service or product delivery), and finally reputational risk (such as negative public opinion).


In addition to the above, the ERA will have already assessed strategic risk (including adverse business decisions or the failure to implement appropriate business decisions) and, where applicable, country risk (accounting for different legal, political, and geopolitical variances).

Which of these risk assessments are performed as part of the VeRA will vary with a given company’s risk appetite, industry-specific regulations, and the criticality of a given engagement.


The procurement professional should run the VeRA in parallel to the contract negotiations. This negotiation process should be significantly easier for several reasons: there should be fewer surprises or late discoveries of “deal breakers” or discomforting trade-offs; there is better leverage and understanding due to market insights from participants’ replies to the RFx questions; there is greater clarity as to the intent of the engagement and the desired setup due to the guidelines, guardrails, and requirements; and there is an incoming understanding of the contract hurdles resulting from the risk-integrated bid event.


Although no company can protect against all risks, procurement can more proactively discover known risks early and clarify engagement-specific requirements upfront. This intentionally risk-integrated procurement process can drive more expedited contract negotiations, as there will be fewer surprises for both parties to address – and that is truly a win-win.
