Voted Best Answer
Oct 19, 2016 - 02:03 AM
You will find that the focus has traditionally been on suppliers in the top right hand corner (high spend, high strategic value) or top left hand corner (high spend but low strategic value - commodity suppliers eg toilet paper for a facilities management company).
However the brave new world means that suppliers in the bottom right hand corner - low spend, high strategic value - are becoming more and more important. The traditional response would have been to try and shift them to the top right hand corner ie put more and more spend through them, but these days that is not an appropriate response as the services they provide are very specialist and the reason they are the right fit for your organisation is precisely the fact that they are specialist but very, very good at what they do.
I know I keep banging the risk-based approach drum, but it is the way to tackle your dilemma. For each type of service develop a baseline risk assessment and minimum requirements a contract should meet eg for SaaS suppliers, is it clear how to get the data out once the contract ends? If not, does it matter? Is the data critical for the business? If not, then don't worry too much about it; if it is, well, you need to put the brakes on and become involved in the negotiation.
Educate your business units that they need to risk assess their suppliers, and help them through the process. After the risk assessment is complete, then take a vow - for low risk suppliers and contracts, let business units negotiate and enter into contracts themselves, subject to the minimum standards being met.
When you are going through the process of developing your minimum standards and checklists, make sure you involve other IT stakeholders. InfoSec will have an interest in ensuring basic data protection standards are met and that providing access to the application or new hardware won't compromise security. IT Ops will also want a say - after all, there isn't much point in signing up to a contract in a hurry if it is impossible to access because complex firewall configuration changes are required.
Obviously the more stakeholders involved the more complicated things get, with the risk that you defeat the purpose of the exercise, so make sure that everyone adheres to the KISS principle - keep it simple s*****d - make sure your risk assessment is short and sweet eg set a limit of 5 questions from each discipline. It sounds hard, but trust me, it can be done!!