David England, senior director, Alsbridge

Vendor management and governance has traditionally been an overlooked and under-funded domain of the enterprise. That is changing, as effective oversight of the service delivery model and its component parts is emerging as a top CIO priority.

Three key factors account for this trend. First, CIOs are looking for new and better ways to manage the increasing complexity of multi-vendor service delivery models.  Second, stringent regulatory requirements put the responsibility on client organisations to maintain oversight across multiple third-party relationships.  Finally, CIOs are recognising that a cyber-security strategy extends far beyond firewalls and identity protection, and that governance is essential to monitoring, identifying and mitigating the myriad and constantly evolving cyber-security risks that pose an ongoing threat.

Let's start with the multi-sourcing conundrum: The idea behind multi-sourcing is to enable client enterprises to leverage the best-of-breed capabilities of a wide variety of service providers with specific areas of specialisation – a trend reinforced by the growing segmentation of the provider landscape. The problem is, in many cases the model becomes so unwieldy that CIOs spend all their time managing multiple touch points and hand-offs between disparate providers. In the process, the strategic business value that the multi-sourced model was intended to deliver becomes lost. Compounding this problem is the fact that many corporate boardrooms have recently begun to ask pointed questions of the CIO regarding the value being derived from their outsourcing arrangements.

The task of contract rationalisation presents one specific challenge of multi-vendor management. Distributed enterprises are typically characterised by myriad contract types, all with different SLAs and terms and conditions.  

To address this situation, businesses must redefine the terms of existing contracts and then implement a new standardised form aligned with efficient processes. Doing so can expose the deeply entrenched practices, conflicting interests and different layers of relationships within the organisation. For example, any single service provider can have multiple relationships with multiple stakeholders at multiple levels within an enterprise; similarly, perceptions of service provider performance can vary within an enterprise, depending quite simply on who you ask. To create a truly seamless multi-vendor model, the CIO must untangle these complexities and drive visibility across the various touch points between third parties and internal stakeholders.

In terms of regulatory compliance, enterprises in a variety of industry sectors, including financial services, healthcare and pharmaceuticals, are affected. While the specific impacts of evolving regulatory guidelines vary, the bottom line is that client organisations increasingly bear the onus of ensuring compliance. In other words, the consequences of a breach committed by a third- or fourth-tier supplier will ultimately fall to the client enterprise. In this environment, gaining visibility and oversight across the service delivery chain is imperative. 

Segmenting and prioritising providers into high, medium and low risk categories is essential to effective regulatory compliance. High-risk relationships must be identified so the business can understand the type of due diligence and ongoing monitoring needed. Another key is balancing the need for centralised control with the ability to adapt and respond to changes affecting local entities or individual business units. With regulatory standards constantly evolving, organisations are recognising that governance structures and policies can't be hard-wired.

Cyber-governance poses several daunting challenges. One key is to achieve a global/regional balance, one that provides a big picture overview of threats, while enabling sufficient granularity to identify and mitigate risks at a local level. Cyber-governance mechanisms must also be highly responsive to change.  As business processes are constantly evolving, security standards, reporting mechanisms and metrics are changing as well. This means the governance model faces a constant threat of obsolescence. Relatedly, cyber-governance models must accommodate a sharing of responsibility and accountability across multiple departments and business owners.

To address these strategic imperatives, many enterprises are turning to dedicated Vendor Management Offices (VMOs). Operating as an independent entity without ties to any particular vendor or business unit, the VMO provides visibility across the enterprise, and is ideally positioned to combine high-level oversight with detailed insight into complex operational details. By facilitating communication and transparency among myriad entities, the VMO can help establish a sound compliance framework as well as ensure process discipline over the long term. The VMO's independence, meanwhile, provides objectivity that is essential to preventing turf battles and ensuring collaboration between multiple providers with potentially conflicting agendas.

While they can be effective tools for vendor management and governance, not all VMOs are created equal. In some cases, they are little more than an extension of the sourcing procurement function. Such VMOs tend to struggle to get beyond a narrow focus on cost, and rather than providing strategic oversight and operational insight, they do little more than serve as a compliance cop and contract manager.

Other VMOs are spun off from specific business units. While these can be more effective in terms of linking sourcing operations to business results, they often lack an enterprise-wide perspective and run the risk of reverting to a parochial, tower-focused view.

A truly strategic VMO oversees service delivery and value creation across the global business. By focusing on key supplier relationships as well as providing transparency deep into the chain of suppliers, a strategic VMO monitors the pulse of the relationship, gauges results and identifies problem areas.

Traditionally limited to tactical oversight of contract terms, today vendor management is taking an increasingly strategic and holistic view, one that extends across business units and focuses on achievement of business value from sourcing.  For many enterprises, a VMO functioning as an independent entity can deliver the standardisation, consistency, visibility and transparency between stakeholders needed in today's complex and competitive business environment.

Contributed by David England, senior director, Alsbridge