Third Parties and Vendors and Suppliers, Oh My!


You’re not in Kansas anymore! Organizations can’t go it alone: strong business-to-business (B2B) relationships are necessary for success in today’s economy. B2B relationships come in all shapes and sizes. Organizations are also managing those relationships in a multitude of ways, sometimes based on the best fit for the organization…and sometimes not.

Remember the line, “Pay no attention to that man behind the curtain”? Pulling back the curtain and fully understanding the operations – both the good and the bad – is critical to successfully managing B2B relationships.

Whether you are setting up a new program or reviewing an existing one, it is useful to start by taking a step back. Organizations tend to approach B2B relationships in multiple ways; internal groups may be working separately from one another on different areas within the same relationship. In some cases, these internal groups are working independently and have overlapping technologies to accomplish similar missions. The operating model, program staffing, and any technology related to this effort should be evaluated in a manner that enhances how your organization manages relationships.

Below are four areas to consider when reviewing your organization’s approach to managing B2B relationships.

The Yellow Brick Road: Defining the Path to Success

It’s challenging to have a conversation around B2B relationships within an organization when terminology is not consistent, including what constitutes a relationship. There is a distinction between third parties, vendors, and suppliers, yet these terms are often used interchangeably:

  • First Party: Your organization
  • Second Party: The customer or buyer of your organization’s product or service
  • Third Party: Another person or entity that is involved in support of the transaction between the first and second party (both contractual and non-contractual)
  • nth Party: Another person or entity that is outsourced by the third party, which could be fourth, fifth, or nth degrees away from your organization
  • Vendor: A third party that is selling a good or service to your organization, usually the last stop in the supply chain
  • Supplier: An nth party that is selling the product or service to the vendor and could be the manufacturer or distributor

Third-party management incorporates both vendors and suppliers and takes a holistic view of any entity that an organization interacts with, whether contractually or non-contractually. Vendor management focuses on entities with contractual agreements in which a product or service is the output. Supply chain management is about understanding the potential risk of suppliers down the line from vendors in which the product is manufactured or distributed.

The Wizard of the Emerald City: Pulling Back the Curtain on the Operating Model

Are you able to accurately describe your current operating model for third-party management? In a perfect world, a centralized approach would provide the biggest benefit with the most efficiency, where a dedicated team is responsible for third-party management. Unfortunately, we don’t live in a perfect world, so a majority of the time a decentralized approach is taken, which requires significant coordination to manage overlapping responsibilities. The decentralized operating model is most common as it is the easiest to start with (it doesn’t require organizational change).

  • Decentralized: Easy to begin a program with, but very inefficient with minimal accountability
  • Centralized: One-stop shop, a single team with support from multiple business units where needed, usually requires an organizational change to occur
  • Hybrid: Best of both worlds, a single authoritative group makes decisions and keeps the program moving, but with support from committees
  • Federated: Useful for more substantial, global organizations with governance boards set up in corresponding regions

The Scarecrow, Tin Man, and Cowardly Lion: Staffing to Meet the Mission

What are your organization’s priorities for your B2B relationships? Are you focused on an overall third-party management program or maybe more explicitly managing vendors on a day-to-day basis? Given your industry and organizational mission, the focus could be on vendor risk management, including managing information security risks with vendors that have access to your data. Reviewing your operational approach as well as your priorities for a B2B relationship will help you choose an appropriate staffing model.

  • In-House: Building capabilities with current staff and employees
  • Co-Sourced: Augmenting your team of employees with expert assistance
  • Outsourced: Managing a team of expert contractors
  • Managed Service: Engaging an externally managed team of experts

The Magic of the Ruby Slippers: Enabling Processes Through Technology

Are your current processes for managing business relationships well-defined and succinct? Unlike the ruby slippers, technology does not provide a magical solution to business problems. Focus on the process: if your process is chaotic, then technology will just automate that chaos. With that being said, technology is fundamental once a process is well defined and provides benefits including a central repository, workflows, reporting, and intelligence.

  • Enterprise Solution: An all-encompassing solution that provides broad functionality with additional CAPEX and OPEX costs (e.g., governance, risk and compliance (GRC) and integrated risk management (IRM) tools)
  • Point Solution: A single solution that focuses on doing just one thing well (e.g., managing the information technology risk of vendors)
  • Hosted: Hardware, software, and maintenance supported by the organization, which gives complete control but also carries ongoing OPEX
  • As-a-Service: Organization consumes the software as a service through a pay-as-you-go or subscription model

Key Takeaways

It’s essential first to understand your organizational needs around managing business relationships. Next, take a look at how you are currently operating and staffing your program, including from both a process and a technology perspective. Below are three areas to examine when evaluating your current program:

  1. Review your organizational mission, vision, and values. Compare that to what the business units require for their third-party relationships to be successful. Is the current program falling below or above that threshold?
  2. Review the roles, responsibilities, and skills of the staff currently supporting your program. Do they line up and support the threshold you determined in the step above, and can they continue to build out the program appropriately?
  3. Review the processes and technologies in place that are used by both the business units and the program staff who are providing support. Are you able to work backward and derive relevant use cases? Do the use cases align with your responses to the two questions above?

Many organizations’ third-party-related programs can look like a tornado blew through town, with processes and technology strewn all around. While clicking your heels together might not do the trick, stepping back and better understanding your current operating model can help you envision and create a strong future for your program.

About the Author

Matthew Karnas is the Cybersecurity & Risk Practice Lead at Sila. He has 18 years of experience providing professional services to Fortune 500 companies and government agencies across multiple verticals. He brings a unique mix of both technical and functional experience advising on information technology, cybersecurity, and risk management practices and approaches to drive client successes.