Vendor (3rd party) Risk: Who will win the platform wars?

Over the past seven years we’ve witnessed extensive growth in the vendor risk management cloud-based solutions market (also commonly referred to supplier and third-party risk).   Two major events in 2011 accelerated market expansion; the Tohoku earthquake and tsunami and Thailand floods.  

The market for vendor risk assessment and management solutions shifted from a concept (stuck in the chasm between early adoption and the early majority) to reality as many automotive, electronics and other manufacturers realized the need for greater transparency and monitoring of their upstream supplier network.  Vendor risk management regulation (e.g. HIPAA, OCC 2013-29, MMOG/LE, ISO 9001:2015, IATF 16949:2016) and pressure to comply with more stringent vendor risk assessment requirements by the large hi-tech, automotive, energy, chemical companies requirements led to further market expansion.

The law of physics applies here as well; what goes up must come down or in this case, markets consolidate as solutions become more widely accepted and less unique.  The commoditization phenomenon leads to acquisitions, roll-ups and yes, even the demise of the weak.

What are the implications to your current vendor risk management program?

The big question, which general platform will thrive and which will just survive.   Let’s take a quick look at the market for solutions.  Here’s one way to view the market of direct and indirect solution providers.

  • ERP (Enterprise Resource Planning) and operations platforms that include vendor risk management capabilities as well as APIs to integrate data feeds (e.g vendors such as SAP, Oracle, IBM, QAD).
  • Procurement, Sourcing and Vendor Management platforms that are managed by the CPO and sourcing functions and dedicate entire modules to vendor risk  (e.g. vendors such as Ariba, ProcureWare, Gatekeeper, Ivalua, HICX).
  • Risk Driven GRC, Supply Chain Risk and Data-Risk platforms that are typically managed by sourcing, procurement, enterprise risk management, and/or supply chain risk management functions.  (e.g. vendors such as Resilinc, RiskMethods, Lexis Nexis, D&B, Rapid Ratings, iTrust, Hiperos, Logicgate, Navix, 360 Total Solution, SupplierSelect, Virima)

All provide valuable intelligence to decision makers on how to anticipate and react to vendor risk in the upstream supply chain.  However, the risk driven platforms (GRC, Supply Chain Risk and Data-Risk) platform) market will be the first to see consolidation, acquisition and exiting.  History has demonstrated that risk-based solutions in the technology space ultimately succumb to the OEM providers of performance (firewalls, anti-viral software, desktop and network security hardware/software).   The ability for the risk-based platforms to operate as a stand-alone market for an extended period of time is highly unlikely; market penetration and working capital (or investment) is minuscule in comparison to the activities of the ERP an Procurement platform providers.  All ships rise with tide and eventually, many of the advanced risk monitoring and assessment features will be standard to the broader operational platform offering.

Now is the time to begin assessing how the shift will impact your vendor risk management program.  Questions such as: where is the vendor data maintained and how easily can it be ported or exported to another platform?  Will the same level of risk rigor and associated features be maintained if the risk platform is integrated into and ERP or Procurement platform?  Organizationally, who will be responsible for the conversion, integrity and sustainability of the new/modified solution?  These are just a handful of the many questions that you will need to begin thinking about as the market transforms.

What do you think?  Please comment or send me a note to discuss further.