Vendor Assessments Meet Location Risk
As global supply chains become increasingly complex, it is more important than ever to incorporate location risk into your vendor risk assessment process.
From the outset, it is critical to define risk appetite and risk treatment strategy based on location when considering third-party portfolios. Depending on the nature of service, such considerations go beyond the location of a company's headquarters, extending to where data will be processed and stored.
Below are best practices for aligning vendor risk with various types of elevated location risk:
Political violence or operational risk: If a vendor provides services for you from a location with elevated political violence or operational risk, extra attention should be paid to the vendor's business continuity plan and disaster recovery capabilities. Equally important is a review your own business continuity plan in relation to vendors in locations like these.
Political risk: If a vendor provides services out of a location where there is the potential for regulatory or governmental policy affecting its ability to operate, extra attention should be paid to contract terms pertaining to costs and service-level agreements.
Economic risk: Firms should look at recession, inflation, sovereign default, currency depreciation and capital transfer risks in a vendor's location to cohesively form a view of economic hurdles that could affect performance. Such risks may especially impact sourcing strategy if your firm relies on manufacturing or processing from a vendor in a specific location.
Legal risk: Is there risk that the judicial system in your vendor's location will not enforce contractual agreements due to corruption, inefficiency or bias - or that the government will cancel, amend or frustrate private foreign contracts without due process? This should trigger a prompt review of business continuity plans in relation to your vendor's service. A review of information security objectives should also be made if there is an elevated legal risk in territories where your confidential data is stored.
Tax risk: When there is an elevated risk that the tax burden for private enterprise will increase and affect your vendor - or that taxes will be applied in an arbitrary or non-transparent way - extra attention should be focused on costs that may be passed on to you as a buyer. This may also impact your sourcing strategy.
Security risk: Particular attention should be paid to information, people and physical security control objectives if a vendor performs your services or stores your confidential data in a location with an elevated security risk. Your business continuity plan, and that of your vendor, should be reviewed. You may also consider a higher level of risk assessment and implementing compensating controls.
Incorporating location risk into your third-party portfolio assessments can help you understand your overall risk concentration and react quickly to changes in global events. Continuous location monitoring can be a smart way to manage vendor risk and incorporate it into sourcing strategies as well as your pipeline of vendor deals and renewals.
IHS Markit now includes country and city risk ratings as part of our vendor risk assessments. Find out how we can help you understand your exposure.
S&P Global provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.
This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.