Complying Vendor? ...or Not?

There is little doubt that we all live in a world of increasing compliance.   It truly is an all-encompassing word.   Wikipedia describes compliance as:

“….. conforming to (environmental) laws, regulations, standards and other requirements”[1]

However, the world of compliance has been slowly but surely starting to permeate and impact the process of efficiently and effectively managing the supplier base in a wide range of companies.    The issue is simple in most cases.  How do procurement and supply chain professionals ensure that suppliers who provide goods and services have current, valid and appropriate compliance certification?


The major issue for many organisations is that the list of compliance requirements can grow quickly – whilst the overhead to manage the process is inexorably increasing.     

The scale of the problem is highlighted in an undated paper by BIFM (British Institute of Facilities Management). The guide, Statutory Compliance in FM Procurement, explains in some detail the range of compliance requirements that organisations managing vendors in this space have to consider. It is stark reading. They neatly categorise (and list) what they term hard compliance requirements in this particular domain:

  • Permits to Work;
  • Employers duty compliance;
  • Asbestos;
  • Confined Spaces Regulations;
  • Lifting Equipment;
  • Boilers and pressure vessels.
  • Fire safety;
  • Electricity;
  • Water Hygiene…

The list goes on.  

If GDPR (General Data Protection Regulation), the world is a complex place.   So how does the BIFM suggest that organisations manage the supplier base?   Their guidance proposes that:

“The best ways to ensure that your supply chain and/or workforce continue to deliver compliance are to - request compliance statements from your supply chain in any regular reports you receive.   Include compliance on the agenda of regular meetings with suppliers.   Have compliance included as a KPI in any performance monitoring regime instigated on service delivery contracts.”

This is an excellent attempt at articulating the options open to organisations. However, it is unremarkable in that almost any support or industrial lobby would recommend the same approach. We can make the problem even more complex by simply asking: how can organisations manage vendors over time, with expiring certifications, renewals and contracts?

The simple answer, in data terms, is that you can’t. The sheer volume of compliance requirements, start/end dates, compliance types and categories means vendors simply shift the onus on to the procuring organisation. In many companies, the task of managing this is delegated to the old office favourite: a spreadsheet.

However, the advent of supplier relationship management tools, if equipped to manage this function, should create the capacity to effectively manage the detail, timing and dates of compliance-based records.   In effect, it is in the suppliers’ best interests to ensure that the details of compliance requirements are kept up to date and accurate.

The principles work in very simple terms. A vendor:

  • Has the most to gain from accurate compliance details;
  • Has the most up-to-date information;
  • Can leverage the capacity to deploy new compliance regulation adherence as a value add;
  • Would be failing as a supplier if it were to have an issue and be seen to have not complied. Competitively, this could be a disastrous outcome.

It does raise the question of why so few organisations have the capacity to manage this process both efficiently and effectively. The answer is comparatively simple.

Many technologies in the SRM space fail to address the vendor relationship because the process is seen as purely a procurement and finance-based domain. In the European arena, the process of managing vendors is becoming increasingly complex. To that end, one of the key elements for the future is going to be a more holistic approach to managing these relationships. The complexity of managing what may be a wide range of compliance checks and certifications is likely to move to vendors administering their own data and self-certifying compliance.

In volume terms, the data management logistics are frightening. As an example, if 10-15 fields are required to register a compliance – and there are 200-300 vendors within the vendor portfolio that require a single certification, this means a procurement team may be managing up to 3000 fields. Dates may change, certifications may expire, the vendor may lose the certification… the list of events that require data maintenance can become excessive. In effect, procurement teams have more pressing things to do, so the task will drop down the list and the data will decay.

Vendors have to manage these details, as the best data is data gathered at source. All the technology should do is alert the procurement team or buyer that things have expired. After all, this is what technology is designed to do: make the process easier to manage.