Supplier risk monitoring generates more signals than teams can act on. And while better monitoring tools make it much easier to detect risk, it also means more signals, making effective triage even more important. To effectively address the most pressing risks, your procurement and risk teams need to collaborate together with the right combination of tech, priorities, and optimized workflow. Here’s how to prioritize and address the most important signals without getting overwhelmed and burnt out by low-criticality signals.
Implement the Right Technology
The ceiling of your risk response is set by the tech you have in place. A supplier intelligence platform provides continuous monitoring and automated analysis, accelerating and elevating your capabilities. That saves you countless hours on data crunching, ensures you have up-to-date and reliable information, and simplifies your workflow.
That empowers you to respond more effectively to risk, but the response is still up to you, and the people you work with. In effect, the technology frees you to focus on tasks humans really excel at: analyzing and responding to the signals the tech surfaces.
Segment Your Vendors
Your standards are going to be different for different vendors. Critical vendors need tighter controls than commodity vendors, and certain segments, regions, or business types may also need enhanced scrutiny.
Segmenting vendors by relevant categories lets you set different standards for action based on your risk tolerance for each category. If FOCI exposure is a much greater concern in one line of business than another, or your company or agency needs to control for concentration risk among critical vendors, but not commodity vendors, you can write those rules into your segmentation.
This is an area where technology can make your life much easier. Look for a vendor intelligence platform that allows you to choose and surface risks per segment. That enables you to triage risk simply by selecting the folder with all your critical or high priority vendors.
Set Tiered Response Protocols
A simple, effective way to set response is to segment risks on criticality. Then, build a process and workflow around each type of response. If your vendor platform has the needed functionality, it’s a good idea to keep everything on platform. This will greatly simplify logging, and eliminate the extra complexity that occurs when a workflow spreads across multiple platforms, messaging, and storage apps — not to mention the compliance and auditing issues!
Be sure to set up a mechanism for following up. How often are stakeholders required to check in on a low criticality signal, and what information should they watch for? At what point should they escalate to a take-action step? What are your conditions to resolve each type of signal?
Develop Responses for Shared Risks
Risk signals rarely travel alone. If a company has negative financial signals, for example, the crunch may impact compliance, operations, or cybersecurity. That doesn’t mean everything will degrade at once, but you’re likely to see other effects somewhere.
You can detect these compound risks by triggering a cross-signal review whenever you get a risk flag. Your vendor intelligence platform should make this simple, because it already scans across multiple risk categories.
Your triage system needs to account for these multiple signals when you encounter them. Not every multiple signal is going to require immediate response. For example, a vendor who sells you basic office supplies may pose such a low risk that you can safely ignore a few risk signals so long as the supplies work, and are getting delivered more or less on time. Whereas, for an extremely critical vendor, even a single risk signal may require immediate triage and remediation.
Getting the right balance is going to take some time. When you start, prioritize triaging more critical vendors, while setting a lower, common standard for commodity vendors. As your program matures, you can differentiate further, for example, calculating how multiple signals impact the risks of different commodity vendors, or building escalation and resolution paths.
Automated Alerts for Critical Risks
Alerts are extremely useful, but their utility drops drastically when overused. Once you’re getting alerts for everything that requires your attention, it’s easy to get overwhelmed and start either ignoring the alerts or trying to triage them as they come in. They become a source of stress, and start to make it more difficult to react quickly, defeating the point.
Think of alerts as a class of their own in your triage process. For example, let’s say you check your vendor platform twice daily, and triage all your critical risk signals. Depending on your situation, you might use alerts in one of two ways: either as a queue for your “Keep An Eye On” medium signals, or as a separate category of “Act Now” for critical risk signals that need you to drop what you’re doing and resolve immediately.
Which approach to choose depends on your workflow and the needs of your company; if you actually need to drop everything at the sign of a significant risk from a major vendor, and you and your team can realistically accomplish it, the Act Now category can make a huge difference in emergencies. But for many businesses, that level of response is either aspirational, unnecessary, or already in place through alternate channels like cybersecurity, legal, and business continuity.
What’s important is that you decide and exercise discipline in how you use the alerts, so that they help you rather than just annoying you.
Focus on Speed of Escalation, not Just Detection
With the right tools and a well-constructed sorting strategy in place, speed of escalation becomes the biggest challenge. With a cross-functional workflow and a lot of other duties, getting supplier and risk stakeholders to respond quickly and reliably takes regimentation. Make sure every step has explicit owners, reviewers, and workflows, along with expected timeline and a mechanism to confirm results. And ensure the schedule accounts for when key stakeholders are unavailable, so that other people can take up the slack.
Keep your workflow within your supplier intelligence platform, if possible. It will keep the work from sprawling across other platforms, and will let you oversee the whole process, and catch stuck reviews.
No Mistakes, No Blind Spots, Just Handle Risk
Responding to risk signals in a sensitive industry like aerospace and defense is already stressful enough. The right vendor intelligence platform lets you eliminate analyst error and blind spots, giving you the tool to prioritize and handle risks quickly and effectively. It may never be a stress-free job, but Craft can make it a lot easier.