Extracting continuous value from third-party vendors means methodically assessing their ability to remain best-of-breed amid ongoing technological change and ever-elevating customer expectations. Following our three guiding principles -- and proven framework -- can help.
Enhancing and Sustaining Business Agility through Effective Vendor Resiliency
Executive Summary
The ever-growing competitiveness across mature
industries — from financial services to consumer
products — is causing rapidly diminishing margins
of error. Customers expect, even demand,
“always-on” products and services. To deliver on
these expectations, organizations are increasingly
including products and services from a growing
list of vendor partners to extend the robustness
and reliability of their end-to-end business capabilities.
For their part, third-party vendors are growing
in maturity and sophistication, and rapidly
becoming an integral and substantial part of
the overall business and IT landscape for many
companies. We recently partnered with a global
financial services firm to strengthen its vendor
risk management capabilities. This client partners
with strategic vendors that offer industry-leading
solutions to support business-critical functions,
such as credit and risk management.
Like other companies in these increasingly
common situations, our client shared an ever-
growing portion of its business and operational
risk with its vendor partners, as any outage or
disruption in the vendor products could result
in a significant financial, operational and reputational
impact. For example, our client experiences
a potential financial loss of several million dollars
for every hour the credit-rating vendor product
is down because such a disruption causes several
business functions and operations to come to a
standstill. We characterize such vulnerabilities as
vendor resiliency risk.
Our experience shows that companies are slowly
but surely improving select parts of the vendor
risk equation in areas such as sourced IT application
development and support. However, we
see big gaps in companies managing risk across
vendor partners that provide critical value-
added products and services, such as real-time
business-to-business (B2B) data or specialized
services. Consequently, we are seeing strong
interest among companies seeking a formal
vendor resiliency program to rigorously assess
and mitigate financial, operational and reputational
risk. We partner with these clients, focusing
on two key areas:
• Internal process maturity to understand and measure key resiliency risk. This includes objective tools and frameworks, as well as a set of service level agreements (SLAs) that cover vendor adherence, emphasizing strong vendor performance-tracking capabilities.
• The ability to assess critical process and technology vulnerabilities within vendor products and address shortcomings with focused performance improvement plans.
Cognizant 20-20 Insights | April 2014
We have defined three guiding principles for
companies to strengthen vendor resiliency:
1. Assume full accountability for end-to-end resiliency within products and services, including capabilities enabled through vendor products. Customers and regulators are increasingly holding companies accountable for the full range of their products and services (including support of vendor products). Companies need to build strong capabilities to assess and mitigate risk across all vendor products. Prioritizing vendor products can help companies manage risk more effectively by optimizing available resources and increasing focus on critical products.
2. Ensure a well-coordinated and comprehensive approach to manage vendor product resiliency. Various groups across business, technology, operations, procurement and vendor management functions need to coordinate their efforts to effectively mitigate resiliency risks. Additionally, companies need to adopt a comprehensive approach, going beyond the standard availability and business continuity planning (BCP) attributes of vendor products. Companies need to look internally, as well as focus on additional aspects of their vendors’ capabilities, such as technology and process capabilities (i.e., change and incident management). They then should adjust SLAs, contracts and performance monitoring, accordingly.
3. Ensure a sustainable focus on vendor resiliency, adjusting to a continuously evolving vendor landscape. To remain agile in times of change, companies should utilize objective and flexible frameworks and tools that are manageable and able to handle a wide array of vendor products.
Additionally, we recommend a set of core and
actionable success factors for vendor resiliency
initiatives. These include ensuring leadership
commitment to vendor resiliency, concentrating
on objectivity, adjusting SLAs and implementing
quick-win opportunities, such as strong communication
models with vendors and coordinated
execution of BCP testing.
In the case of the aforementioned financial
services firm, we helped the company establish
strong internal processes to manage vendor
performance, along with a scorecard-based
resiliency improvement program for critical
vendor products. These resiliency measures
will result in a swift drop in outages that should
reduce the financial impact of downtime by 40%
to 50% (see sidebar, page 7).
In the sections that follow, we describe vendor
resiliency and the three guiding principles in
greater detail. We also outline a robust framework
that can help drive any organization’s resiliency
program, both internally and with vendor
partners. From there, we propose a set of key recommendations
that companies across industries
can start to act upon.
Defining Vendor Resiliency
We define vendor resiliency as a set of core
process and technology capabilities related
to vendor products and services that ensure
seamless integration, optimal and sustainable
performance, and highly available “always-on”
operations. Highly resilient vendor products/services
demonstrate:
• Optimal integration with the organization’s value chain.
• Maximum change coordination with organizations.
• Robust technology and architecture composition.
• Strong incident management capabilities, with the ability to swiftly address challenges.
• A robust backup or disaster recovery infrastructure with seamless switch-over capabilities, along with sound business continuity plans and testing.
Vendor Resiliency Programs
Organizations with a heavy reliance on third-party
partners are increasingly establishing dedicated
vendor resiliency programs. Such programs are
intended to ensure minimal business disruption
resulting from outages due to vendor product
failure, both in terms of frequency and impact.
Effective vendor resiliency programs are
structured, well-defined and focused on sustainability.
Well-designed programs include the
following:
• A proactive, ongoing and disciplined review
of technology/architecture capabilities, operational
readiness, BCP and readiness testing,
and alternative sourcing where necessary and
feasible.
• A focus on a disciplined assessment of process
maturity in key areas such as performance
monitoring, change coordination, incident
management and contract management.
• An objective methodology, heavily reliant
on measurable and well-defined metrics and
corresponding SLAs that align well with the
company’s business goals.
Key Drivers
Several trends are converging to elevate vendor
resiliency to a level that is on par with the most
strategic focus areas within many organizations.
These include:
• Growing reliance on vendors as part of the
core value chain. Vendors are becoming
extremely sophisticated, serving multiple
leading organizations across industries.
These vendors are then able to leverage
their experience across these organizations
to continually enhance their products and
services. Vendors are rapidly transitioning
from supporting organizations in noncore
areas to playing critical roles within their core
value chain. (For more on this topic, read “The
Fluid Core: How Technology is Creating a New
Hierarchy of Need and How Smart Companies
Are Responding.”)
• Customer demand for high availability and
reliability. Several factors, including 24x7
business cycles across industries, increased
globalization and growing reliability across
all products and services, are transforming
customer expectations for “always-on” applications
with close to 100% availability.
• Regulatory requirements for organizations
to take full ownership of their solutions,
including enabling solutions from vendors.
Regulators such as the Consumer Financial
Protection Bureau (CFPB) and Office of the
Comptroller of the Currency (OCC) within
the financial services industry are increasing
mandates for organizations to take full
accountability for their end-to-end services,
including vendor oversight.1
• Increased risk from new types of threats,
coupled with growing impact and frequency.
Companies across industries face greater and
more sophisticated threats, ranging from information
security and data breaches, to cards
and payments threats, to threats targeting vulnerabilities
in parts of global supply chains.
• Relentless focus on cost-effectiveness,
faster time to market, customer satisfaction
and overall agility. These focus areas are
driving companies to evaluate vendor solutions
as accelerators and regard vendor resiliency as
a strategic focus area.
Guiding Principles for Enhancing
Vendor Resiliency
As these trends demonstrate, organizations
need to establish vendor resiliency as a strategic
and sustained focus area to meet customer and
regulator demands. Increased vendor resiliency
will enable organizations to accelerate their
reliance on vendor partners, while addressing
sophisticated and pervasive threats, all with a
laser focus on cost. In our work with clients that
have varying degrees of maturity in this area, we
have outlined a set of three guiding principles
that organizations can follow as they launch or
strengthen their vendor resiliency programs.
Guiding Principle #1: Assume full accountability
for end-to-end resiliency within products and
services, including capabilities enabled through
vendor products.
With customers and regulators holding companies
accountable for their products and services as a
whole, organizations need to build strong capabilities
to adequately manage end-to-end resiliency.
Because vendors are so diverse in terms of the
scale and size of customers they serve, their
internal process and technology maturity, their
financial strength and their people, organizations
need to adopt resiliency measures that are firm
yet flexible (see Figure 1, next page). Consider
any medium- to large-size organization: These
companies typically engage 40 to 100 unique
vendors with different levels of complexity and
maturity, ranging from globally sophisticated
vendors to small niche players.
Full accountability implies that organizations
have extensible capabilities that enable them to
effectively cover all types of vendors. To attain
this comprehensive level, vendor resiliency needs
to be a core and strategic program that is well
supported by organizational leadership.
Additionally, companies need a structured methodology
to evaluate the criticality of vendor
products. Companies cannot afford the same level
(frequency and depth) of resiliency assessment
and follow-through across all vendors. They need
to focus more closely on business-critical vendors.
From our experience, the criticality among vendor
products in a typical medium to large company
follows the Pareto principle closely; that is, 20%
of these products are critical and pose 80% of
the major resiliency risks. As such, the focus
needs to be on this 20%.
Guiding Principle #2: Ensure a well-coordinated
and comprehensive approach for managing
vendor product resiliency.
In our experience, we see widely distributed
vendor management responsibilities across
different business, technology, operations, procurement
and dedicated vendor management
functions. This variance is the result of years
of business evolution and changing priorities,
and often is a vestige of the past, when vendors
focused more on noncore products and services.
But as vendors become strategic partners and
play at the heart of the core value chain, their
distributed focus is increasingly becoming a
major hindrance and is exceedingly counterproductive
in managing overall vendor resiliency.
Companies need to leverage different groups and
their capabilities in streamlining cross-functional
management of resiliency risks.
Another factor is the breadth of objectives
that companies need to include. Traditionally,
companies have thought of resiliency as
focused on system availability and BCP readiness.
However, our experience shows that availability
is more a reflection of resiliency, and BCP is just
one aspect of a structured toolset that addresses
resiliency risk.
In today’s complex environment, resiliency risks
across vendor products can be attributed to a
range of drivers, each capable of posing financial,
operational and reputational risks. These risk
drivers include suboptimal vendor management
processes, such as change coordination with
vendors, incident and post-incident management,
ongoing technology and architecture evaluation
of vendor products, etc.
Similarly, a whole set of technology and architecture
risk drivers contribute to resiliency risks.
Some of these include the health of the overall
technology stack, the disaster recovery infrastructure,
switch-over capabilities, etc. Additionally,
companies often do not optimally manage
their internal vendor management capabilities.
Along with a well-coordinated effort, companies
need to focus on developing robust and objective
frameworks that can serve a wide range of vendor
products. Our framework (outlined later in this
paper) provides a dual approach, focusing equally
on internal capabilities.
Figure 1: Adjust Resiliency Assessment Based on Product Criticality
1. Determine vendor product criticality:
• Business impact of potential outage within vendor product.
• Regulatory considerations.
• Data/information security criticality, based on data being transacted.
• Type of service (synchronous, asynchronous, batch).
2. Adjust depth and frequency of ongoing resiliency assessment/deep-dives:
• Objective scorecard-based evaluation.
• Coordinated business continuity planning/performance testing.
• Ongoing technology/architecture assessment.
Guiding Principle #3: Ensure sustainable
focus on vendor resiliency, adjusting to a
continuously evolving vendor landscape.
All major industries are experiencing the transformative forces of disruptive change wrought by new business processes and accelerated adoption of social, mobile, analytics and cloud technologies, or the SMAC Stack.™ Companies and their vendors are responding by rapidly evolving to address customer demands to more quickly transform. As such, a vendor resiliency program must become a strategic focus that is sustained over time. The implications on organizational transformation and sustenance include:
• The vendor resiliency assessment and associated
performance improvement planning
need to be objective and fast paced. We work
with clients to develop a rich set of objective
tools, including a detailed RFI on various
process and technology resiliency elements,
and an associated resiliency scorecard that
highlights key focus areas.
• The vendor resiliency program needs to be
ongoing, while prioritizing critical products.
The toolset — RFIs and scorecards we build for
our clients — facilitates a continuous focus by
allowing vendors and companies to prioritize
incremental change, as well as each change’s
resiliency implication.
Vendor Resiliency Framework and
Approach
Based on our work with clients across industries
— and from the transformative changes that
we have witnessed in vendors’ sophistication
and their role within the core value chain of
companies — we have developed a comprehensive
and extensible vendor resiliency framework. This
framework leverages and aligns with the three
guiding principles described above.
Overarching Framework
Our vendor resiliency framework takes an objective view, providing a clear set of focus areas (e.g., business resiliency, incident and change management, technology and architecture assessment, ongoing governance) and a supporting set of tools and artifacts. The framework offers a holistic approach to resiliency, but to work well, it requires a high level of coordination and engagement among internal stakeholders and vendor partners.
A key feature of the framework is its dual-pronged approach, which simultaneously focuses on enhancing internal process maturity, while addressing specific risks of targeted vendor products. Additionally, the framework is dynamic; it evolves through continuous attention to both proactive and reactive aspects of vendor resiliency (see Figure 2).
Approach and Methodology
We have defined a structured and mature
approach for more effectively utilizing our vendor
resiliency framework (see Figure 3, next page).
Following this approach and methodology will
ensure:
• A high level of engagement from vendors and internal stakeholders.
• Use of industry best practices and guidelines in relevant areas.
• Heavy reliance on the set of key resiliency dimensions on all aspects of analysis, such as RFI, scorecards, assessment focus areas and performance improvement plans.
Figure 2: Enhanced Vendor Resiliency
Vendor resiliency focus areas: (A) Business Resiliency; (B) Incident Management; (C) Change Control & Coordination; (D) Technology/Architecture Composition; (E) Performance/Service Quality Tracking; (F) Ongoing Vendor Management.
Internal Process Maturity: Vendor Resiliency and Performance Management
• Stakeholders and stakeholder engagement model.
• Key processes, such as incident management, change control/coordination, contract management.
• Technology and architecture assessment and governance.
• Ongoing vendor performance evaluation and reporting.
Vendor Products: Focused Resiliency Assessment
• Resiliency assessment dimensions, request for information and discussions.
• Technology and architecture composition.
• Vendor engagement processes (communication model, change coordination, performance evaluation, etc.).
• Ongoing vendor resiliency assessment using scorecards.
A strong and successful vendor resiliency program
typically pivots around the following goals:
1. Ensure leadership commitment to vendor
resiliency; establish a program lead
across business, technology, operations,
procurement and vendor management
functions. Sponsorship from top leadership
will help streamline the approach to vendor
management and performance tracking across
teams. A principal lead accountable for the
overall program will help with conflict resolution
and consensus-building across teams, institutionalization
of the enhanced vendor resiliency
measures, and continuous improvement.
2. Strengthen your vendor resiliency program
with objectivity. A critical success factor is
the level of objectivity within the resiliency
assessment and monitoring program. We use
flexible and extensible scorecards to help
ensure objectivity (see Figure 4, page 8).
3. Increase vendor accountability for resiliency
by closely examining and ensuring that
vendor performance SLAs align well with
business objectives and criticality, and by
defining clear implications for SLA non-
adherence. We often find that clients have
gaps in these areas, such as:
>> Lack of adequate SLAs that measure critical
metrics.
>> SLAs that are very broad and do not reflect
business criticality.
>> Nonstandard SLAs, which make vendor compliance
difficult.
>> A lack of clear implications for vendors for
SLA non-adherence.
We recommend that companies utilize industry standards and institutionalize a core and limited set of SLAs to monitor key aspects of performance, availability, scalability, BCP, etc., and then use these consistently across all vendor products. Additionally, organizations need to carefully define objective and adequate implications for SLA non-adherence, usually in terms of financial implications formalized clearly within contracts.
4. Identify and implement quick-win opportunities to expeditiously and significantly enhance vendor resiliency. Some quick-win opportunities include:
>> A strong communication model between the company and the vendors. An up-to-date communication model across the company and its vendors can drive optimal coordination across scenarios, such as incident management, change coordination, BCP testing and performance testing.
>> Regular and coordinated BCP testing. Many of our clients and their vendors have established strong BCP testing plans but fail to execute in a coordinated fashion on a regular schedule. This leads to a lack of readiness and a significant increase in resolution timelines during an outage. Regular coordinated testing can significantly enhance disaster recovery switch-over readiness and minimize the impact of potential outages.
Figure 3: Utilizing the Resiliency Framework
Vendor resiliency assessment inputs:
• Organizational inputs and vendor inputs: discussions and workshops, process maps, resiliency RFI, product documents, performance reporting, vendor performance management processes (teams, SLAs, reporting, etc.) and other relevant processes (incident and change management, contract management, etc.).
• Industry best practices and frameworks: (1) performance SLAs and metrics; (2) industry-specific vendor guidelines; (3) industry trends (business and technology); (4) reference architectures.
Focus areas: (A) Business Resiliency; (B) Incident Management; (C) Change Control & Coordination; (D) Technology/Architecture Composition; (E) Performance/Service Quality Tracking; (F) Ongoing Vendor Management.
Vendor resiliency assessment and target state recommendations: recommendations to enhance internal process maturity; recommendations to enhance resiliency within specific vendor products; recommended prioritization based on impact and effort.
Tools and artifacts to enhance process maturity and enable a strong vendor resiliency program: stakeholder engagement model (RACI); resiliency scorecards; implementation and change management plan; other artifacts (communication model, process catalog, SLA & metrics model, governance model, etc.).
Quick Take: Vendor Resiliency Program Pays Off for a National Mortgage Servicer
We recently partnered on a vendor resiliency program with one of the largest retail mortgage servicers in the U.S., a subsidiary of a large multinational bank. We started by focusing on a small set of vendor products but soon discovered that significant opportunities existed within the client’s internal processes and capabilities.
Business Challenge
Our client acts as a principal gateway organization, responsible for integrating 80 B2B vendors that provide real-time information-centric products (such as credit rating and fraud monitoring) to the parent company’s core retail mortgage servicing platform. The client is experiencing a significant increase in business and transaction volume and, hence, has been relying more heavily on its vendor partners. Consequently, the client wanted a structured approach and capabilities to assess and mitigate resiliency risks within these vendor products.
An immediate goal was to address/reduce recent spikes in outages within critical vendor services, which were impacting business functions on the order of several million dollars for every hour of downtime.
Solution
As discussed within our proposed framework, we approached this resiliency project in two parts:
• Part 1: We partnered with different client teams and stakeholders on a comprehensive internal maturity assessment of key vendor performance management processes and capabilities. We engaged stakeholders across different business, technology, operations, procurement and vendor management areas to develop a “current-state” understanding. Additionally, we analyzed key processes such as incident and change management, performance tracking, SLA and contract management, along with their ongoing governance. We also analyzed existing vendor performance metrics, SLAs and reporting and utilized an objective scorecard to baseline and highlight gaps and opportunities associated with our client’s vendor management processes. Finally, we developed a prioritized set of recommendations to address the identified gaps.
• Part 2: We engaged the target vendors in a structured and objective resiliency assessment of their specific products utilizing RFIs and informal discussions to assess their processes and capabilities across key dimensions. We also assessed key technology and architecture dimensions, such as technology stack and infrastructure health, performance tracking, BCP readiness, etc. Additionally, we looked at issues and outages associated with the target products and utilized an objective resiliency scorecard to summarize our findings on key resiliency risks and opportunities. Finally, we developed a prioritized set of recommendations to address resiliency gaps across these target products. We highlighted quick-wins such as launching a strong communication model and more frequent execution of coordinated BCP and performance testing. Longer term recommendations included enhancement of performance monitoring, addressing technology and architecture gaps, and strengthening BCP capabilities.
Benefits
Implementing the recommended resiliency measures will result in a swift reduction in outages associated with these products. In the first 12 to 15 months, we estimate that the client will see a reduced financial impact of 40% to 50% associated with outages within the target products. Given that an outage within just one of the target products has an impact of several million dollars per hour, a reduction in outages across several products will result in substantial financial savings over time.
Additionally, the streamlined vendor resiliency processes and capabilities across a dozen teams will result in a reduction of 30% to 40% in aggregated effort through more effective cross-functional collaboration. With the set of objective tools and measures to run an effective and sustainable vendor resiliency program, the client can now continue expanding strategic partnerships with industry-leading vendors.
Looking Ahead
Vendor resiliency is becoming a top agenda
item for organizations that increasingly rely on
a greater number of vendor partners to play a
substantial role across their core value chains. As
a result, third-party vendors are becoming more
mature and are increasingly providing industry-
leading products and services that companies
across industries rely on for core business
functions. Despite their increased reliance on third
parties, most companies take a fairly fragmented
approach to vendor management, tasking several
groups across business, technology, operations,
procurement and vendor management functions
to play different oversight roles.
We strongly believe that vendor resiliency needs
to be driven centrally with a formal program
and a program lead accountable for optimizing
the organization’s cross-functional effort for
effectively assessing and mitigating resiliency
risks. Quick-win opportunities can significantly
boost vendor resiliency, such as maintaining
an up-to-date communications model, more
effectively governing existing BCP test plans,
adjusting SLAs to reflect business criticality, and
providing hands-on coordination of effort across
existing teams. An effective change management
initiative can significantly catalyze any organizational
transformation associated with vendor
resiliency.
Finally, vendor resiliency programs need to be
sustained as a strategic capability in order to
continuously assess and mitigate risks resulting
from the ever-evolving nature of business — both
internally and across vendors. We believe it’s
imperative for companies to pause, assess and
launch or strengthen their vendor resiliency
programs in order to leverage compelling
products and services offered by increasingly
sophisticated vendors and sustain their competitive
advantage.
Figure 4: Scorecard for Assessing Vendor Product Resiliency
Rating scale: Very High, High, Moderate, Low.
Scorecard dimensions (vendor inputs feed the vendor resiliency scoring):
• Business Resiliency: vendor financial strength; functional scalability; business criticality.
• Ongoing Governance Dimensions: vendor resiliency governance; performance testing; SLA management and adherence.
• Incident Management: issue notification; problem analysis and resolution; post issue resolution.
• Change Control and Coordination: change impact assessment; change coordination.
• Technology Capability/Architecture: tech capability/architecture; platform service quality; ongoing evaluation.
• Performance/Service Quality Tracking: performance measurement and tracking; technology/architecture performance; service quality monitoring.