The difficulty with quantifying TPRM is that it's a preventative function. TPRM is not a dollar generator; it's a dollar protector. The real quantitative measure is what could be the potential financial impact if there were a breach or supply chain breakdown. From a data/customer perspective, if you can align a specific dollar amount impact with each data element or customer, then you can calculate what the potential impact would be with a vendor if there were a breach. As an example, say Vendor X has sensitive data for 1,000 of your customers, and the company has determined that a breach would result in $100 of loss per customer; then your potential impact is $100,000. You can do something similar from a supply chain side as well, but it would probably have to be driven more off the impact of the loss of a part/component, and how that loss impacts the production. Admittedly, I don't have a lot of experience with supply chain risks, but in either case you need to quantify the impact of a failure, and make the case that with TPRM oversight, you would help reduce the likelihood of a failure or the impact through business continuity testing. Have there been any major breaches in your industry that you could cite?
Obviously, if you're in a regulated industry that requires TPRM (i.e. banking), then there is a regulatory risk also related to not having a program in place.
Good luck! Keep us posted if you figure out something that works. Adequately quantifying TPRM either to start a program or increase FTEs can be a difficult conversation for many companies.