The difficulty with quantifying TPRM is that it's a preventative function. TPRM is not a dollar generator, it's a dollar protector. The real quantitative measure is what could be the potential financial impact if there were a breach or supply chain breakdown. From a data/customer perspective, if you can align a specific dollar amount impact with each data element or customer, then you can calculate what the potential impact would be with a vendor if there were a breach. As an example, say Vendor X has sensitive data for 1,000 of your customers, and the company has determined that a breach would result in $100 of loss per customer, then your potential impact is $100,000. You can do something similar from a supply chain side as well, but it would probably have to be driven more off the impact of the loss of a part/component, and how that loss impacts the production. Admittedly, I don't have a lot of experience with supply chain risks, but in either case you need to quantify the impact of a failure, and make the case that with TPRM oversight, you would help reduce the likelihood of a failure or the impact through business continuity testing. Have there been any major breaches in your industry that you could cite?
Obviously, if you're in a regulated industry that requires TPRM (i.e., banking), then there is a regulatory risk also related to not having a program in place.
Good luck! Keep us posted if you figure out something that works. Adequately quantifying TPRM either to start a program or increase FTEs can be a difficult conversation for many companies.
Original Message:
Sent: 06-19-2023 02:24 PM
From: Julia Criqui
Subject: How would you quantify the benefits of TPRM?
I was recently hired to create a TPRM program at a small biotech company. I am in the Procurement group where my colleagues spend a lot of time negotiating contracts for cost savings, which is easily quantified.
We are all in agreement about the importance and value of vendor management, but my senior management in Procurement is asking me to quantify the benefits. I can point to examples of problems that occurred previously with vendors for whom oversight could have been better, but how can I quantify problems avoided in the future?
Thank you,
Julia