Friday, July 18, 2008

Extended Enterprise Risk Management

As you’ve probably noticed, the focus on vendor and supply chain risk management has increased lately. Beyond SOX (Sarbanes-Oxley), the BSA/Patriot Anti-Money Laundering Act, and quite a number of other laws and regulations, rating agencies are augmenting their evaluation of companies’ Enterprise Risk Management (ERM) maturity, which is helping to make ERM a household acronym.

So what is Extended ERM? If the enterprise consists of everything within your company walls, then the extended enterprise includes suppliers, service providers, business process outsourcers, consultants, external auditors and any other third parties with which you have a relationship to help you run your business.

Since an extended enterprise increases the vulnerability of your business, your risk management practices should include the vendors within this space. I recently produced a white paper, Managing Risk in the Extended Enterprise, that more clearly articulates the elements needed to effectively manage extended enterprise risk.

This approach is fairly simple in concept yet has proven to be a very effective and efficient solution for companies, even those with limited resources and thousands of third parties. The essential components of this approach include:

1) Understand your contracting process so that you can maintain a single list of vendors, suppliers, contractors, etc.;
2) Organize the list by the type of products, services, geographies, etc;
3) Identify the types of risks by category or risk profiles;
4) Develop risk assessment templates for each category/risk profile;
5) Prioritize and/or schedule your assessments based upon the profiles;
6) Analyze the assessment results and plan your audits according to the responses and risk ratings;
7) Follow up on the remediation items resulting from the assessments and audit findings.

If you’d like to explore this solution further, take a look at the white paper I have prepared and if you like, contact me directly to discuss in more detail.

I’d be interested to hear about similar approaches that you have taken or other effective ways you have constructed to manage and oversee your extended enterprise risk.
