While the financial crisis brings to the fore the need to assess and mitigate risks in vendor relationships more effectively, other factors, such as expanding regulation and shifting vendor dynamics, also call attention to the discipline of vendor risk management. Recently, we have seen that larger customers are moving away from big long-term transformational commitments that soak up significant investment dollars. Instead, they are going for more digestible projects, typically implemented in less than six months and with less taxing requirements for staffing and project dollars.
This explains why major transformation projects have declined in the region, while the number that involve tactical fixes to applications has surged.
These dynamics have understandably changed vendor preferences for many. More attention is given to the business and financial viability of vendors - with quite a few larger organisations deciding to work only with tier-one players, especially on projects that involve key applications and processes. While it remains to be seen whether this is a long-term trend, the focus on vendor quality and reputation has noticeably intensified.
We also see that more organisations are consolidating supplier numbers, a wise move when chief information officers and chief financial officers are struggling to get a better handle on the cost and effort of managing vendor relationships. As they take on tactical projects they would like to work with a few select vendors with a view to integrating these projects into a cohesive IT architecture. This trend is also supported by IT optimisation initiatives that help organisations make more sense of IT assets, costs and service providers.
Still, CIOs universally speak of the daunting effort of managing relationships with all types of technology providers - ensuring proper due diligence and assessment, contracting, overseeing service-level agreements (SLAs), contract dates and so forth. This need for more effective vendor risk management arises out of a confluence of several factors, but the economic crisis has brought the viability and sustainability of vendors' businesses into question, as did the dotcom bust in 2000.
And while several financial technology vendors have reported good results despite the tumultuous economic environment, the pace of vendor consolidation has gained speed. The risks facing customers in the event of the failure of a key vendor were underscored after the fall of Indian IT giant Satyam.
The crisis has caused vendors to be more mindful of fee structures and engagement margins. Customers justifiably have to watch for vendors drastically cutting staff levels, as well as those showing declines in SLA compliance and performance. As the IT organisation is pressed to justify technology spending, the vendor management office is compelled to spend more effort on due diligence, monitoring and scrutiny of service-level agreements.
To evaluate risks associated with each vendor more effectively, more mature customers have segmented them depending most often on how crucial their services are. Some application providers or outsourcers, after all, play less mission-critical roles, while others offer services that fit hand in glove with the strategy of the organisation. The assessment of risks associated with each vendor has to be aligned with this major vendor versus minor vendor delineation.
We have used other methods of vendor segmentation to differentiate vendors according to size of engagement or investment, the extent to which vendors have access to confidential information and the implications that the vendor's services bear on key transactions and processes.
Customers evaluate the financial strength of vendors to ensure that their suppliers will be able to sustain operations, especially in the turbulent environment. But some are going beyond a cursory evaluation of annual reports and are also looking more closely at other financial metrics, such as debt, cash flow and current and near-term sales performance. Evaluation of the corporate governance structure of the vendor is also being taken more seriously.
It is not all about financial analysis, however, as vendors are vulnerable to many types of risk. It is essential to focus on two other types of risk: staffing risk and risk associated with the vendor product or service itself. In relation to staffing risk, customers need to keep a lookout for changes in key personnel as well as significant staffing cuts. In the latter type of risk, you need to look out for how your particular product or service is going to be sustained by the vendor in the long term.
There is no fixed view as to where vendor risk management should sit within an organisation. Still, most are expected to keep vendor risk management correctly within the IT unit, with combined effort from their risk, audit and corporate governance teams.
Vendor risk management enables the customer to answer the following questions. Do I know who I partner with? What impact will I see if vendors have problems in delivery? How do I ensure business continuity in the event of a vendor's failure? Unfortunately, many regional customers will be hard pressed to address these questions adequately.
Chris Morris is director of services, IDC Asia/Pacific. Email comments to firstname.lastname@example.org