Skip to content

Information supplier risk: one size doesn’t fit all

Supply chain risk management is the practice of identifying, analysing and addressing the risks that can affect an organization’s suppliers. Any disruption in the supply chain has the potential to limit its ability to deliver products and services to its customers.

For most organisations, supply chain risk is managed by specialist Enterprise Risk Management teams. Under pressure to “protect the business”, they tread a fine line between meeting legal or regulatory requirements while balancing the need to improve resilience and enhance competitiveness.

Access to accurate, timely, reliable information is critical to delivering these two outcomes. Good information management fuels successful business development work, enriches client engagement, enables successful product development or design, and generally informs better decision making.

When it comes to managing supplier risk for information vendors, the primary issue is one of scale. As discussed in an earlier post, the 80:20 rule applies to information vendors: >80% of information spend is with <20% of vendors. The practicalities of assessing risk across the whole portfolio becomes time consuming and expensive, so one size does not fit all. Whether you work with your Risk Management colleagues or not, it is good practice to map your vendors by categorizing and tiering them in terms of their inherent risk to your business. This can be done with a simple matrix designed to help you (and them) understand the likely impact and likelihood of the impact of a future event.

Having categorized your vendors, you can begin to build a tiered framework to assess them. The potential threat categories you need your suppliers to assess include operational, technology, regulatory, legal (including copyright), reputation and ethical risk. There may be core elements that apply to all vendors across the portfolio, most likely to include some elements of technology and information risk like GDPR, while other components can be selectively applied based on the profile of the supplier.

Part of any strategy will involve developing mitigations to lower a supplier’s risk profile by reducing dependency or likelihood of future issues, performing regular ongoing assessments of unmitigated risks and identifying alternative suppliers to step in should the primary provider fail. The best protection can be to build critical risk mitigations into the contract, while more marginal risks may be part of a separate risk or threat assessment.

Ultimately, a practical supplier risk strategy will be prioritized and proportionate, effectively protecting a business from their supplier’s risks. At Couranto, we are sensitive to these challenges; as practitioners we know how important these issues are to our clients. We work proactively with clients to understand and ensure their risk management processes are effectively implemented, proactively priming suppliers to ensure a faster, more effective contracting engagement.

A WBENC and Disability:iN certified diverse company with more than 30 years experience in corporate information contract management, Couranto serves clients globally with strategic programs that maximize the value of information portfolios by reducing costs while improving access to licensed content, data resources, intellectual property, corporate memberships and related contracts. Couranto’s Discovery and Clarity platforms provide custom-configured end-to-end information access, budget planning and license management tools. Built on deep expertise and a long history of client successes, Couranto solutions add value to your information and help drive innovation throughout your organization, creating enduring impact.



Information about the author

Stephen Phillips

Stephen Phillips

Director, EMEA Business Development

sphillips@couranto.com

Stephen Phillips is a global leader, influencer and advisor with over 30 years of experience in knowledge and information management, document services, analytics, and vendor management.