Managing Manufacturing Industry Vendor Risk Assessments

Executive Summary

Since early 2020, manufacturing supply chains have seen unprecedented global disruption, leading to tighter margins for suppliers and increased pressure from regulators to manage supply risks. Even prior to COVID-19 and its continuing knock-on effects, doing business with third parties had become an increasing business and supply chain risk for global manufacturing. A 2016 survey revealed that 87% of respondent firms had experienced an incident with a third party that resulted in operational disruption. Around 11% had experienced an incident that led to a complete breakdown in their vendor relationship. The actions of vendors and third parties can have serious knock-on consequences for your manufacturing organization, especially in terms of legal ramifications or reputational damage.

It is more important than ever that manufacturers conduct thorough risk analyses when beginning a relationship with a new vendor – such as requiring vendors to undergo cybersecurity risk audits to ensure that stringent data security protocols are laid out and followed. In this article, we examine the major challenges for managing vendor risk in the manufacturing industry and discuss how some firms are overcoming these challenges through a mix of automation and adaptation.

Managing Manufacturing Vendor and Third-Party Risks in an Era of Supply Chain Disruption

In an increasingly digital business landscape, cloud commerce has caused an explosion in the number of interactions between manufacturing businesses and third parties. A larger market and greater ease of doing business have encouraged more organizations to outsource services and processes to specialized third parties and vendors. Deloitte has termed this the ‘rise of extended enterprise,’ referring to businesses becoming more reliant upon a network of third-party vendors to provide value and obtain competitive advantages. Companies of all sizes are prone to data breaches and cyber attacks, and these risks are compounded when data is transferred between organizations and their third-party vendors.

Discrepancies between two organizations’ security protocols or human error have the potential to cause data leaks, which cost businesses an average of $4.37 million in 2021. In fact, many major data breaches are first-time incidents that result from a history of poor regulatory compliance. To mitigate the risk of a costly data leak, it is important that manufacturers set in place stringent and thorough procedures to gain an understanding of the regulations that affect vendors, and how compliance can be maintained.

Ensuring that vendors and third parties undergo a thorough risk assessment is important. However, taking partners through your audit can be laborious and time-consuming. If not conducted efficiently, the audit process is liable to cause supply disruption and project delays, because operations cannot commence until vendor assessments are completed. Prior to a substantial project onset, manufacturers may need to onboard large numbers of vendors, which can easily create bottlenecks in getting work underway.

3 Challenges for the Manufacturing Industry in Managing Vendor Risk Assessment and Monitoring

Manufacturing firms are exposed to a number of risks through their interactions with vendors, which can result in production delays, supply disruption, regulatory breaches, and data leaks. McKinsey & Company provides the following summary of risks encountered by procurement and vendor management teams when dealing with suppliers:

As well as these issues that apply across the entire lifecycle of vendor relationships, manufacturers also encounter a number of risks during the supplier onboarding process. In what follows, we expand on these risks and discuss some strategies for mitigation.

1. Delays Resulting from Time-Consuming Vendor Risk Assessment Questionnaires

There are several risks that are pertinent to the manufacturing industry in doing business with new vendors and partners, with perhaps the most significant being the risk of supply, shipping, or production delays leading to increased costs and potential lost revenue.

Supply Chain Issues

Global supply chains have been squeezed due to a combination of lockdowns, staffing shortages, border closures, and workplace restrictions, leading to some manufacturers attempting to ‘re-shore’ supplies that were previously procured from international suppliers. Redirecting supply lines to domestic suppliers may take time, as well as increase costs – thereby eroding competitiveness. Onboarding new vendors also comes with a full set of logistical challenges that can cause project disruption. Delays in onboarding suppliers and third parties are liable to occur during the risk assessment process, during which new partners are asked to complete lengthy and complex audit questionnaires.

Lack of Time or Resources

These questionnaires are likely to be extensive and time-consuming for busy teams to complete. Differences between companies’ questionnaire formats mean the infill process can be laborious and frustrating, making it difficult to encourage vendors to participate or return questionnaires promptly.

Business Continuity

A second McKinsey & Company survey on the effect of the COVID-19 pandemic revealed that business continuity has become more important than minimizing cost. In an era of unprecedented supply disruption, firms are shifting focus towards maintaining continuity by investing in resilience and flexibility. To this end, firms are investing in digital transformation to add additional capabilities to supply chains and ensure accountability. Clorox, for example, is investing $500 million in improving its real-time data visibility functions and demand planning.

These are all symptomatic of a global sentiment that supply chains need to be reinforced, with the time-consuming vendor onboarding process representing a potentially weak link in the chain.

2. Decentralized and Fractured Internal Vendor Risk Assessment Processes

For Vendors

Completing a vendor risk assessment questionnaire can be a lengthy and difficult process for any business. Data is likely to be decentralized, and oftentimes specialized personnel are needed to complete questionnaires. In addition to this, vendors will potentially need to coordinate the process across different time zones and organizational departments.

For Manufacturers

On the manufacturer’s side, there are issues arising from having to manually manage communication with vendors, and then maintain and update vendor status data on spreadsheets. This can be tiresome and makes keeping track of vendor status difficult. Ultimately, this creates the opportunity for missed events on the vendor side, generating potential liabilities for your business. Centralizing all data prevents these issues and is especially important for manufacturers who operate globally.

Rapid Scaling Risks

Prior to starting a large project, manufacturers may need to quickly onboard a large volume of vendors and third parties. Manually coordinating questionnaires across multiple vendors can be difficult and time-consuming, and delays in waiting for questionnaires to be returned could disrupt supply chains and production timelines. Delays are likely to be compounded when dealing with a large number of vendors and may result in lost revenue and disappointed customers.

These factors can increase the time needed to complete vendor risk assessments and commence business operations, creating significant potential for delays when processes are not efficiently managed.

3. Data Breaches and Reputational Damage

Failing to conduct a thorough audit of new vendors and suppliers can lead to a misalignment in business processes, standards, or objectives, which can become costly. It is important to audit supplier quality and compliance standards to ensure that business practices align. Neglecting to map out vendor business practices and potential compliance pitfalls can become costly down the line if partner mistakes need to be rectified.

Manufacturers may then incur reputational risk, or damage to their brand, from involvement in incidents that seemingly undermine the organization’s values. A common cause of reputational damage is failure to safeguard sensitive data, which can then shake customer and partner trust in the organization’s integrity or professionalism. Along with the significant financial costs of remediating a data breach, which may include fines from regulators, organizations will have to regain the trust of customers and partners.

Of the 225 manufacturers surveyed, 50% expressed a lack of confidence in the strength of their cybersecurity posture, and 38% had experienced a data breach within the last year that cost between $1-10 million. The damage to customer trust is more difficult to quantify, however, and potentially more difficult to repair. These issues commonly arise from poorly managed vendor and supplier relations and may be mitigated with the implementation and execution of a set of risk assessment protocols before commencing new vendor relationships.

Mitigating Challenges in Manufacturing Vendor Risk Assessments

Forming an effective vendor risk management strategy involves designing a stringent set of onboarding protocols. What is key is that these protocols are standardized and followed before the beginning of all new business relationships.

Be sure to build relationships with vendor CTOs and IT teams to learn about their in-house procedures for pre-empting and remediating risks in the case of an incident. Similarly, liaising with the CFO will help to form an idea of the vendor’s accountability standards for their handling of financial data. Thorough investigations of new vendors will reveal any history of previous breaches or fines for non-compliant behavior. In the case that your organization is involved in a data breach, conducting a thorough risk assessment at the beginning of a relationship demonstrates the fulfillment of your due diligence.

Using a platform like START significantly reduces the time and manual labor expense required to complete and return assessment questionnaires for both manufacturers and vendors, as well as centralizing the data in a single location. This makes it easier to track vendor status, send reminders, and create standardized and customizable questionnaire templates. Get in touch today to find out how START can streamline the vendor risk management processes for your manufacturing organization.
