Strategic risk may sound like a rather simple concept, but it’s often overlooked or diminished in preparing a risk assessment. Trust me, it’s one you need to focus squarely on. In fact, it’s the first risk that the FDIC lists in Financial Institution Letter 44-2008.
What Is Strategic Vendor Risk?
Strategic vendor risk is the risk arising from adverse business decisions, or the failure to implement adequate business decisions in a manner that’s consistent with your organization’s strategic goals. It’s one of the primary categories of risk. If the vendor offers a product or service that isn’t compatible with your organization’s strategic goals, can’t be effectively monitored by the organization or doesn’t provide an adequate return on investment (ROI), there’s strategic risk present.
What Can Go Wrong If You Don’t Evaluate Strategic Vendor Risk?
So, why all the hype around strategic risk? Here’s a good example that shows why it’s so important.
Your organization has a strategic plan that’s board approved. The strategic plan has been socialized in every corner of the organization. Everyone knows the plan and they know their role. Meaning, they know how they fit in and how they can help the organization achieve the goals and objectives outlined in the strategic plan. Technically, everyone inside the organization is (should be) on the same page.
Your organization’s plan calls for the development of an international financial lending model that’s very common in the European Union (EU) but will require a technology vendor to help your organization deploy the solution the line of business is currently utilizing. The line of business contacts the technology vendor and the vendor informs the line of business that they don’t operate in the EU. After a brief back-and-forth between the vendor and the line of business, the vendor agrees to do the deployment and to begin operations in the EU. Don’t let what I just mentioned slip through the cracks. Suddenly, the vendor has decided to begin operations in the EU.
This is a serious strategic risk! Doing business in the EU will be expensive. We’ve established that a vendor is needed to help with deployment, but the vendor our line of business wants to use will also be completely new to doing business in the EU. Hence, it’s a big strategic risk to take.
This is an example of strategic risk for a couple of reasons. Strategic risks come in two basic flavors:
- The vendor’s strategic plans don’t align with your organization’s strategic plans and/or direction.
- The proposed operation is risky enough that it could cause serious loss of revenue, fines or loss of customers if it fails as a business strategy.
Both are present and possible in this scenario.
Steps to Determining Strategic Vendor Risk
As part of your vendor risk assessment process, you should be completing a questionnaire that contains questions to help you evaluate the various levels of risk presented to your organization by engaging in business with the vendor. Some of those questions should help you determine if there is strategic risk. Some questions you can ask include:
- Are the vendor’s products or services consistent with the organization’s existing services?
- Are the vendor’s products or services newly launched or an emerging technology product?
If you answer no to the first question or yes to the second question, then your organization may be subject to strategic risk by engaging with this vendor. Therefore, you need to dig further and see if there is any risk that should be mitigated, in other words, lessened.
4 Tips to Mitigate Strategic Vendor Risk
Strategic vendor risk is important. Therefore, you should have some processes in place to help mitigate strategic risk as needed. Here are 4 tips I recommend:
- Ask for a copy of the vendor’s strategic plan. If the initiative you’re considering using the vendor for is truly a strategic initiative, there won’t be much room for error. If the vendor has no strategic plan, then they’re flying by the seat of their pants. This is never good! If your strategy is important to the overall success, mission, goals, objectives, etc. of your organization, using that vendor may put your strategy at risk.
- Evaluate the vendor’s mission, goals and manner of conducting business. Ensure they’re consistent with your organization.
- Always review the vendor’s plan for alignment with your organization’s strategic plan and your critical and high-risk vendors’ strategic plans. If there isn’t an alignment, you may need to seek a new vendor elsewhere.
- If you can’t find a vendor that lines up with your strategic plans, look for vendors that’ll meet your need without having to be integral to your strategic plan. That is, mitigate the potential risk by compartmentalizing the activities of the vendor so those products or services the vendor is providing aren’t critical to the strategic plan.
When you’re making decisions about whom your organization does business with, strategic risk needs to be a core consideration.