Rothstein - Managing IT Procurement Risks
MANAGING IT PROCUREMENT RISKS
Jay R. Rothstein
I. EXECUTIVE SUMMARY
Managing procurement calls for just the right skills and experience.
Risks abound, and rote controls may actually cause more harm than
good. Make sure your executive team, business principals,
procurement office, IT, and internal auditors form a solid alliance
for this high-risk area.
No Bad Deals!
Poorly negotiated deals are a major threat to business assets. But a
well-formed framework for procurement management will protect
assets, mitigate risks, contribute to the system of internal controls,
ensure compliance, optimize business terms for acquisitions—even
provide incentives for effective practices. A procurement management
framework provides strategic advantages and helps ensure
technology is best used to achieve business goals. It can literally
save you millions.
There is no substitute for experience in building and managing
the procurement framework. It must provide effective controls
across the entire organization with expertise melded from
many areas.
and deals to reach the award stage (just prior to contract
negotiation) before reaching Procurement and Legal. So it is
important to structure the procurement management framework with
rewards for consistently involving Procurement and Legal early
in the process for the role they can play in delivering savings
and negotiating favorable terms. The objective is to prevent deals
falling through the cracks with potentially costly consequences.
Case Study
Here is an example of how a procurement officer works with his
clients, his attorney, and the supplier to negotiate savings and
mitigate risk.
The client asked Supply Chain Management, in November, to
negotiate contract and business terms for tax forms processing
to meet year-end deadlines for the calendar tax year. Procurement
took the challenge and supported the client in developing
volume requirements and consolidating operations for fourteen
work groups across the firm. Procurement achieved savings of
more than $1.7 M (more than 22%) over a three-year term. Key
components of the savings included reductions for:
Measurements
The following measurements apply to the operations of Supply
Chain Management:
Factor $/Number %
Global Application
Procurement executives consolidate results such as the above into
aggregate figures for the firm. Table 3 represents a target matrix
for all procurement and may include a separate breakout for
categories other than IT.
Factor $ % $ %
Total Spend
Touched
Impacted
Directed Source
Not Impacted
Rate of Savings
Actual Loss/Potential Savings
Risk/Control Matrix
The matrix in Table 4 is a framework for controlling procurement
risk. It addresses “bad deals” from business and contractual
viewpoints. It does not address deals that fail because of inadequate
technical due diligence.
Auditors use Risk/Control Matrices to ensure they are on track
with the Audit Charter and audit objectives. The Risk/Control
Matrix is also an essential tool for designing a system of controls.
Most Risk/Control Matrices include additional parameters such as
R-1. The firm’s Operating Funds are paid out at higher levels than
required.
    F-1. Instances of procurement are either Not Touched or Touched
    but Not Impacted.
        C-1. The executive team consults and builds consensus with
        senior management of the Lines of Business to work with
        Supply Chain Management and Legal on all major acquisitions.
        C-2. The executive team consults and builds consensus with
        Internal Audit, Supply Chain Management, and Risk Management
        to monitor supplier contacts throughout the firm.
    F-2. Clients request Directed Sources rather than engage in
    Competitive Bids.
        C-3. The executive team directs senior management of the
        Lines of Business to work with Supply Chain Management in
        performing competitive bids on major acquisitions in the
        absence of Mitigating Circumstances.
    F-3. Clients approach Supply Chain Management late in the
    procurement life cycle.
        C-4. The executive team directs senior management of the
        Lines of Business to approach Supply Chain Management early
        in each procurement life cycle.
        C-5. Security reports all initial visits of supplier sales
        personnel to contacts at the firm.
    F-4. Clients pursue acquisitions on a transactional basis rather
    than through corporate agreements.
        C-6. The executive team directs senior management of the
        Lines of Business to handle significant transactions through
        Supply Chain Management and Legal for existing contracts or
        new initiatives.
        C-7. The executive team directs senior management of the
        Lines of Business to work with Supply Chain Management to
        standardize and rationalize disparate products of similar
        functionality.
    F-5. Supply Chain Management lacks adequate resources to address
    major acquisitions.
        C-8. The executive team directs Supply Chain Management and
        Legal to perform a cost-benefit analysis of staffing levels
        within Supply Chain Management and Legal vis-à-vis
        requirements to address the annual spend, and adjust
        resource levels accordingly.
R-2. Unnegotiated contracts and client-negotiated contracts do not
manage risk effectively.
    F-6. Clients sign and/or negotiate their own agreements.
        C-9. The executive team directs senior management of the
        Lines of Business to negotiate contracts through Supply
        Chain Management and Legal or other authorized negotiators.
        C-10. The executive team works with Human Resources,
        Internal Audit, and the Lines of Business to develop,
        promulgate, and enforce authorization requirements for
        making acquisitions.
R-1 – R-2
    F-1 – F-6
        C-11. The executive team directs Risk Management and Supply
        Chain Management to evaluate the applicability of this
        analysis to the procurement of non-IT products and services.
        C-13. The executive team directs Risk Management, with the
        support of Supply Chain Management, to lead a
        cross-functional team in accomplishing procurement
        management goals.
VI. CONCLUSION
In the procurement of technology, or any product or service,
the operating funds of most companies are at risk of being paid
out at significantly higher levels than required. That is because
it is easier to respond reactively to the proposals of suppliers
than to take a critical, proactive stance in managing a full
life-cycle procurement initiative. Procurement risk is accentuated
in a financial-services environment because of a corporate culture
that encourages quick, decisive action over more extended
procurement processes. It is further accentuated in technology
acquisitions because of the complexity and cost of the products and
services.
The primary factors contributing to this risk are as follows:
1. Supply Chain Management not being involved in major
acquisitions.
2. Clients using Supply Chain Management but ordering Directed
Sources, thus negating the cost advantages of competitive
bids.
3. Clients approaching Supply Chain Management late in the
procurement life cycle.
4. Clients pursuing acquisitions on a transactional basis rather
than through corporate agreements (“silos of procurement”).
5. Supply Chain Management not having adequate resources to
address major acquisitions.
Touched
Impacted
Not Impacted
Sole Source
Directed Source
Mitigating Circumstances
Competitive Bid.
Many companies are also at risk for contracts that are either (1)
not negotiated or (2) negotiated by clients rather than procurement
and legal professionals. The key to managing these risks
is to institute audit and controls in the procurement process
focusing on the Lines of Business; and secondarily, to engage the
support of Human Resources, Internal Audit, Security, Supply
Chain Management, and Risk Management.
Recommended measures within this framework focus on key
directives by the executive team to senior management:
Lines of Business
1. To work with Supply Chain Management and Legal on all
major acquisitions
2. To perform Competitive Bids to the extent possible on major
acquisitions
3. To approach Supply Chain Management early on in each
procurement life cycle
4. To work with Supply Chain Management to standardize and
rationalize disparate products of similar functionality
Human Resources
5. To include requirements for Cost Containment within the job
descriptions and annual reviews of senior management
6. To develop authorization requirements for acquisitions
Notes
1. Section 103 of the Sarbanes-Oxley Act of 2002 directs the
Board to establish auditing and related attestation, quality
control, ethics, and independence standards and rules to be
used by registered public accounting firms in the preparation
and issuance of audit reports as required by the Act or the
rules of the Securities and Exchange Commission. Auditing
Standard No. 5: An Audit of Internal Control Over Financial
Reporting That Is Integrated with An Audit of Financial
Statements was approved by the Securities and Exchange Commission
on July 25, 2007 and is effective for audits of internal
control over financial reporting required by Section 404(b) of
the Sarbanes-Oxley Act of 2002. www.pcaobus.org
2. See: The Institute of Internal Auditors’ “International
Professional Practices Framework” available at www.theiia.org
Acknowledgment
The author wishes to express his appreciation to Charles Le Grand,
Principal Advisor, TechPar Group, for his outstanding contribution in
editing this paper, and to Bernard Plagman, Chairman, TechPar Group,
and Dr. Charles Popper, CEO, TechPar Group, for their professional
mentoring and encouragement.