Becoming Approved Supplier

Getting to (Possibility of) Yes

“Nobody ever got fired for buying IBM.” In the 1960s, large companies were not willing to take a chance on other computer sellers. IBM was the safe choice, even if more expensive. Fortunately, risk management has come a long way.

The good news: Smaller companies can become “approved vendors” and compete head to head with the big, established players.  Even one big customer can be a game changer for a small business.

The bad news: The approval process is long, hard, and complicated. There is no guarantee of success, and you might find some of the criteria intrusive or even unfair.

You Will Be Assimilated

The “Approved Vendors” list is about extending the reach of Corporate risk management upstream to its suppliers:  Can your Firm deliver to the standards the Corporate demands of itself?  Could your Firm’s staff trigger any negative response by the Corporate’s customers, staff, and critics?    

“Supplier Risk Management” 

Prospective large corporate customers will assess your risk in any or all of the following dimensions:

  • Financial: Sufficient funding to remain viable, deal with downturns, and maintain service/product quality. This includes adequacy of insurance coverages and refinancing risk if you’re dependent on term loans, or even equity risk (e.g. your majority shareholder is facing divorce or personal bankruptcy).
  • Reliability: Consistent quality of products & services based on documented and proven operational processes and controls (e.g. ISO 9001). Also includes key person dependency.
  • Business continuity:  Ability to maintain (or rapidly restore) service levels during a crisis, natural disaster, technology outage or other disruptive event.
  • Operational risk: Ability to prevent or at least detect & mitigate issues caused by people (intentionally or accidentally), processes, technology and external events.
  • Information Security: Maintain confidentiality and integrity of client data, defend against internal and external threats and “data leakage”, ensure control over software development life cycle, and mitigate risks from external / upstream technology vendors / platforms.
  • Regulatory Compliance: All necessary licenses and certifications, no tax liens, key staff pass background checks. No business connection to jurisdictions or stakeholders subject to sanctions. Proper disclosure of dealings with politically exposed persons and government officials.
  • Reputation: This is a broad, subjective, and potentially unfair area. Basically, is there a way for your firm to embarrass your potential customer? Are your HR policies consistent with your prospective customer’s? For example, do you have the same commitment to diversity & inclusion? Would your staff members comply with the prospective customer’s social media policy, or will their staff come across potentially inflammatory political, religious or vulgar content associated with your young company?

You may not mind your staff wearing Trump hats or Taiwan flags when they work, but that sort of thing is simply not acceptable in most multinationals. Right or wrong, they have policies designed to avoid turning off customers and regulators. They have dress codes and social media policies for the same reasons.

Deep Water Management has been on both sides of the Supplier Risk Management process, both as a gatekeeper and in a startup trying to get through.

If you want large corporate clients to approve your firm, give us a call.