
Vendor (3rd party) Risk: Who will win the platform wars?

Over the past seven years we’ve witnessed extensive growth in the market for cloud-based vendor risk management solutions (also commonly referred to as supplier and third-party risk). Two major events in 2011 accelerated market expansion: the Tohoku earthquake and tsunami, and the Thailand floods. The market for vendor risk assessment and management solutions shifted from a concept (stuck in the chasm between early adoption and the early majority) to reality as many automotive, electronics and other manufacturers realized the need for greater transparency and monitoring of their upstream supplier network. Vendor risk management regulation (e.g. HIPAA, OCC 2013-29, MMOG/LE, ISO 9001:2015, IATF 16949:2016) and pressure from the large hi-tech, automotive, energy and chemical companies to comply with more stringent vendor risk assessment requirements led to further market expansion.

The law of physics applies here as well: what goes up must come down or, in this case, markets consolidate as solutions become more widely accepted and less unique. The commoditization phenomenon leads to acquisitions, roll-ups and yes, even the demise of the weak.

What are the implications to your current vendor risk management program?

The big question: which general platform will thrive and which will just survive? Let’s take a quick look at the market for solutions. Here’s one way to view the market of direct and indirect solution providers.

  • ERP (Enterprise Resource Planning) and operations platforms that include vendor risk management capabilities as well as APIs to integrate data feeds (e.g. vendors such as SAP, Oracle, IBM, QAD).
  • Procurement, Sourcing and Vendor Management platforms that are managed by the CPO and sourcing functions and dedicate entire modules to vendor risk (e.g. vendors such as Ariba, ProcureWare, Gatekeeper, Ivalua, HICX).
  • Risk Driven GRC, Supply Chain Risk and Data-Risk platforms that are typically managed by sourcing, procurement, enterprise risk management, and/or supply chain risk management functions (e.g. vendors such as Resilinc, RiskMethods, Lexis Nexis, D&B, Rapid Ratings, iTrust, Hiperos, Logicgate, Navix, 360 Total Solution, SupplierSelect, Virima).

All provide valuable intelligence to decision makers on how to anticipate and react to vendor risk in the upstream supply chain. However, the market for risk-driven platforms (GRC, Supply Chain Risk and Data-Risk) will be the first to see consolidation, acquisition and exiting. History has demonstrated that risk-based solutions in the technology space ultimately succumb to the OEM providers of performance (firewalls, antivirus software, desktop and network security hardware/software). It is highly unlikely that the risk-based platforms can operate as a stand-alone market for an extended period of time; their market penetration and working capital (or investment) are minuscule in comparison to the activities of the ERP and Procurement platform providers. All ships rise with the tide and eventually, many of the advanced risk monitoring and assessment features will be standard to the broader operational platform offering.

Now is the time to begin assessing how the shift will impact your vendor risk management program. Consider questions such as: where is the vendor data maintained, and how easily can it be ported or exported to another platform? Will the same level of risk rigor and associated features be maintained if the risk platform is integrated into an ERP or Procurement platform? Organizationally, who will be responsible for the conversion, integrity and sustainability of the new/modified solution? These are just a handful of the many questions that you will need to begin thinking about as the market transforms.

What do you think?  Please comment or send me a note to discuss further.

 

By Gary S Lynch

I am the Founder and CEO of The Risk Project, LLC, a risk, uncertainty and opportunity advisory firm. As a management consultant, business developer and market analyst at Booz Allen Hamilton, Gartner Group and Marsh, I was responsible for defining market strategy, commercializing capabilities, and developing businesses. I've helped dozens of organizations create new revenue streams. I've also held the position of Risk Executive, CISO and Global Leader - Office of Business Continuity at JPMorganChase, Prudential and Prudential Securities.

Throughout my career I worked with senior leadership from startups, academia and government agencies to life sciences, hi-tech and financial institutions. I was a founding member of the US Dept of Commerce's Advisory Committee on Supply Chain Competitiveness, Advisor to the WEF Global Risk Network and Sr. Research Fellow at the RH Smith School of Business, University of Maryland.

I've authored three business risk books and been featured at the WEF, APEC, WCO, NIST, NACD, AIAG, RIMS, MIT CTL, Robert H. Smith School and the Desautels School of Management/McGill University.
