HBR and GLG Law (Gerson Lehrman Group, Inc.) recently co-hosted their first education session on Vendor Risk Management in New York City. This session was part of a quarterly series to provide expert insights into topics that are front-of-mind among legal procurement leaders. HBR’s partnership with GLG, a platform connecting professionals to expert insights, ensures the sessions deliver information from industry-leading sources.
I was privileged to facilitate a panel in which Greg Schlegel, founder of the Supply Chain Risk Management Consortium and co-author of “Supply Chain Risk Management: An Emerging Discipline,” and Joe Thompson, former Chief Procurement Officer at Avon, provided expert insights.
Vendor risk management is or should be a critical concern for law firms, due to the changing regulatory environment, client expectations and increasing exposure to potential risks facing law firms. Procurement leaders recognize this (participants in HBR’s 2018 Procurement Roundtable identified it as a top priority for 2019) but it can sometimes be difficult to get buy-in from the executive team. Following are the key themes discussed in this first education session, including some of the foundational tools and trends firms can leverage to manage vendor risk.
Impact of Risk Events on Law Firms
Do you know who has access to your framework and data? Can you confidently tell clients that their information is safe? Are you prepared for a risk event in order to prevent potential catastrophe?
Vendors present opportunities for efficiencies, mutually beneficial partnerships, and tools and technology to improve operations or service delivery. Unfortunately, vendors can also expose firms to increased vulnerability when firms outsource operations, share information or provide access to internal frameworks. Ignoring the risk exposure from a firm’s vendor base creates potential long-term problems and can magnify the effects of a risk event, heightening panic and confusion when there is no plan in place.
Firms are regularly targeted by hackers looking to hold files for ransom, erase files or steal information for corporate espionage and insider trading. When disaster strikes, having an action plan in place can right the ship quickly and efficiently, minimizing the reputational and financial impact of the event. Speed in risk management is critical – being able to prevent, identify or solve a problem quickly can mean the difference between a cost of a few thousand dollars and one of several million. A firm’s reputation takes years and potentially millions of dollars to build but can be destroyed in an instant when a firm falters publicly during a risk event. Losing the trust of clients and employees imposes a heavy cost on a firm for years to come.
Gaining Buy-In from Firm Leadership
Despite all this, only 53 percent of respondents to HBR’s 2018 Procurement Leader Survey had a formal vendor risk management policy in place. It can be difficult to convince firm leaders to invest in a problem that the firm is not immediately facing when there may be seemingly more pressing issues to solve or investments that may drive savings or business development. As one of the panelists observed, “no one gets promoted for good cost avoidance.”
One approach to gaining buy-in is to quantify the return on investment for a vendor risk management program. Although this is unconventional, program advocates can balance the program investment cost against the potential risk cost: the dollar value assigned to the impact of a risk event multiplied by the probability of that event happening. Quantitative evidence can help leadership better understand an intangible problem and attaches very real, imminent costs to the firm’s risk exposure.
Leveraging the Procurement Function for Vendor Risk Management
One of the most common mistakes made when implementing a vendor risk management program is underestimating the skills and resources needed to integrate an impactful, effective risk program into a firm’s strategy. Law firms’ risks differ from those of many other organizations or professional services firms. The decentralized nature of law firms allows partners to exercise great freedom in engaging vendors. In order to mitigate firm risk, internal teams need to understand the holistic vendor base and design processes that support partner needs while decreasing risk exposure.
Despite many law firms’ somewhat decentralized operations, our panel of experts agrees that the vendor risk management process and policy should sit within a firm’s procurement function, with oversight from the CPO and/or CFO. Procurement already houses the majority of policies and procedures related to managing a complex vendor base. Firm leaders should look to leverage the capabilities of the procurement team, supplemented with additional training specific to vendor risk management. The skills required for risk management diverge from the foundational proficiencies in procurement, so it is important to deliberately develop those capabilities into mature internal ones.
Building a program takes time and expertise, so firms should approach building a holistic risk management program in stages. Following are the major steps for developing a program that aligns with industry best practices:
Conclusion
To be successful, a firm needs to take a proactive approach to vendor risk management as opposed to the historical reactive approach that has led firms to be blindsided by catastrophe. Lack of preparation easily translates to millions of dollars in lost brand value, clients and employee information – a cost that could be detrimental to a firm’s reputational and financial health in the market.
For more information on building a vendor risk management program that aligns to your firm’s risk environment, please read our white paper “A Guide to Developing a Holistic Third-Party Procurement Risk Management Strategy” or contact me.