Contracting Excellence Journal


Supplier risk isn’t just a major issue for Fortune 500 businesses. Organizations of all sizes need to recognize their responsibility for managing all third-party relationships, given the heightened level of interest and concern in recent years. This is especially true in highly regulated industries like finance, healthcare, and food services, which operate under constant, intense scrutiny and massive regulatory oversight. With fines that can reach the tens of millions, the potential for being audited and penalized for non-compliance is compelling companies to re-evaluate how supplier information is collected and how contracts are managed.

In today’s environment of demand for immediate information, social media and hypermobility, organizations must watch carefully how suppliers interact with customers, other businesses, and the larger marketplace.

Supply-side risk means accelerating technology adoption

Our responsibility for managing suppliers and supplier contracts is greater than ever. The COVID-19 pandemic has accelerated the adoption of related technology by up to five years, according to some researchers.

Even mid-size organizations can work with thousands of suppliers, which means handling volumes of exponentially multiplying data. It’s not unusual for companies to have 1500 pieces of data associated with each third party, and up to five supplier information systems to coordinate it all.

Keeping track of all this data is a massive effort, especially if you can’t easily connect the relationship between the suppliers and their binding contracts. This complexity is compounded when you consider the level of supplier importance to the organization. For instance, a newly onboarded, non-strategic supplier generally should not get the same level of attention as a strategic supplier that has been in place for years. Regardless of the level of supplier engagement, the need has become universal to centralize processes and data to clarify and understand supplier contractual obligations and the potential risks they hold.

How organizations are managing these efforts is built directly into the process of how supplier documentation — contracts, certifications, and third-party information — is collected and managed.

Many large organizations have already invested millions to develop these processes by using a variety of Enterprise Risk Management (ERM) frameworks, Governance Risk and Compliance (GRC) and/or centralized vendor management programs. 

Unfortunately, most small- to mid-tier organizations ($500M - $10B in U.S. revenue) with limited resources remain ill-equipped to manage these efforts for a handful of reasons:

  • The level of risk compliance is often too difficult to track since many requirements are buried deep in custom documents relying on key employees and inefficient manual processes to monitor. 
  • Third-party risk comes under different department jurisdictions, so it’s often not centrally owned.
  • The costs of deploying consulting and technology efforts are seen as prohibitive. 
  • A reliance on stand-alone systems with inadequate company-wide integration has proven ineffective. 

Achieving the goal of risk mitigation requires having a process and technology in place that:

  • consolidates and shares all the data between contract management, procurement and supplier management so that only one system is required;
  • increases efficiency and productivity while freeing teams to focus on other activities; and
  • maintains one unified business process for contract management and supplier management across the company to increase compliance and visibility while reducing management time.

Given the current economic and social environment, the need to act quickly and efficiently requires a best-practice approach that simplifies the very complex problem of third-party risk management.

Let’s explore how this works from several industry-specific perspectives.

Role of contract and supplier management in the financial industry

It takes due diligence! For financial organizations, addressing third-party risk has partly translated into managing a complex workflow of compliance and risk prescribed by the regulatory agencies and regulations that dominate the industry. These include [1]:

  • Comprehensive Capital Analysis and Review (CCAR)
  • Consumer Financial Protection Bureau (CFPB)
  • Financial Industry Regulatory Authority (FINRA)
  • Office of the Comptroller of Currency (OCC)
  • USA Patriot Act

Since the financial crisis of 2008, few have dominated the post-Dodd-Frank regulatory wave [2] as much as the CFPB, which is responsible for consumer protection in the financial sector.

In financial services, third-party risk also comes from outsourcing services and marketing through telemarketing and call centers. According to the CFPB, using outside vendors can pose additional risks, especially if those providers are unfamiliar with consumer financial protection laws or have weak internal controls that, in the end, can harm consumers.

Not only can failure to comply with CFPB rules [3] result in fines of up to millions of dollars, the CFPB has also begun holding financial institutions responsible for the actions of the companies they contract with.

Third-party risk protection also delivers financial protection

Although maintaining regulatory compliance (and avoiding massive fines) is clearly an ongoing concern for the finance industry, identifying the challenges is generally easier than successfully managing them. However, by bringing contract and supplier management technology together, firms come one step closer to closing the gap in understanding third-party commitments and the risk exposure they pose, because contractual commitments can be tied directly to supplier profiles.

This requires a combination of robust supplier onboarding and certification, and contract management workflows that empower the ability to:

  • conduct thorough due diligence to verify that service providers understand and are capable of complying with various laws through certification management;
  • request and review the service provider policies, procedures, internal controls, and training materials to ensure that service providers conduct appropriate training and oversight of employees or agents who have consumer contact or compliance responsibilities;
  • use contract management to create custom clauses that establish clear expectations about specific regulatory compliance requirements, as well as describe the appropriate and enforceable consequences for violating any compliance-related responsibilities;
  • use supplier risk and performance best practices for establishing internal controls, and use ongoing monitoring to ascertain whether the service provider is complying with the law; and
  • make sure supplier management customizes workflows, and takes prompt action to fully address problems identified through the monitoring process.

Because of regulatory compliance and potential fines, financial services organizations don’t have much of an appetite for third-party risk. But it’s nothing compared to the food industry.

Non-compliance in food safety -- how third-party risk can be a recipe for disaster

Since the beginning of this year, public health has been front and center around the world; everyone has experienced the impact firsthand. Food safety breaches, while generally much more localized, can elicit the same concerns.

Like most industries, food service must adhere to strict regulatory compliance. But unlike most industries, noncompliance regarding quality and safety in the food supply chain is not only a business challenge with severe reputational, financial and punitive (and perhaps professional or personal) damages, but can potentially pose a huge public health risk as well.

Consider the following examples of why food safety concerns are critical to the industry:

  • One company is being investigated for allegedly bagging peaches as a likely source of a salmonella outbreak that has sickened and hospitalized people across nine U.S. states.
  • Grocery chains have recalled onions linked to nearly 900 salmonella cases.
  • For the second time in a year, a company is recalling its (brand name) flour from a mill linked to an outbreak of E. coli contamination.

The challenges of food safety and traceability, supplier sourcing, and the evolving role of supply chain intelligence are some of the biggest concerns in the industry. One recurring issue is the inability to easily collect and manage the proper information required for helping keep food safety programs in line and maintaining a high level of integrity.

Moreover, as part of the wider food safety initiatives, certifying organizations are advocating more frequent certification renewals and the commitment of senior executives to promote food safety and continuous improvement within their food facilities. This in turn has put greater pressure on food service organizations to improve the collection process of certifying information from suppliers.

One food safety standard may rule them all...eventually.

Probably no other organization has as much impact globally in this regard as the Global Food Safety Initiative (GFSI). Formed in May 2000 and managed under The Consumer Goods Forum, GFSI provides thought leadership and guidance on the food safety management systems necessary for safety along the supply chain.

GFSI and its global partners audit and certify more than 100,000 food operations and facilities in 160 countries. Organizations seek to achieve certification to a GFSI-recognized plan by completing a successful third-party audit against any of its recognized programs, from the farming of animals to pre-process handling of plant products or feed production.

Therefore, to mitigate the challenges of ensuring food quality and improving overall food safety, food services companies increasingly need automation and certification reminders to keep on top of GFSI and similar requirements, which are frequently audited by certifying organizations and their affiliates.

Food services providers, including retail grocery chains and restaurants, can improve the efficacy of supplier management by building certification and contract management workflows directly into onboarding while continually managing their supply base. This should provide methods for easily integrating supplier information from different sources.

For instance, part of deploying supplier management at one retail grocery outlet included developing custom dashboards for linking information never before combined into one place within the organization. This included a geographic locational understanding of the risk based on noncompliance with GFSI, non-GFSI and other animal certifications.

As a result of this technology, hundreds of users were then tagged to key business units capable of assessing the risk and compliance metrics of over 50,000 suppliers. The company has also developed unique approaches for understanding the speed of supplier onboarding efforts and the areas where high risks could be avoided by using compliance overview planning and detailed dashboards that integrated with third-party data providers.

Maintaining ongoing regulatory compliance through verified supplier information comes down to creating a holistic process and a technology approach to help manage all supplier data collection efforts -- including social compliance (diversity and sustainability), insurance information and supplier contracts -- with necessary food quality certifications.

Perhaps the only industry more tied to maintaining public well-being than food service is healthcare.

Healthcare providers leverage supplier and contract management for Stark Law [4] compliance

Modern society has passed laws to manage the complexities and conflicts of healthcare. Consider the ethics of referrals and payment, like those of the Stark Law, enacted to prevent referral sources — namely physicians and physician extenders — from inappropriately profiting from referrals. 

Started as part of a series of federal laws in 1990, the original legislation prohibited a physician from referring a Medicare patient to a clinical laboratory if the physician or his/her family member(s) has a financial interest in that laboratory. The revised Stark Law in 1993 extended the provisions to include Medicaid patients and Designated Health Services (DHS) other than clinical laboratory services.

Digging deeper into Stark Law, the DHS designation covers a long list of services. According to the Centers for Medicare & Medicaid Services (CMS), these include:

  • clinical laboratory services
  • physical therapy services
  • occupational therapy services
  • outpatient speech-language pathology services
  • radiology and certain other imaging services
  • radiation therapy services and supplies
  • durable medical equipment and supplies
  • parenteral and enteral nutrients, equipment and supplies
  • prosthetics, orthotics and prosthetic devices and supplies
  • home health services
  • outpatient prescription drugs
  • inpatient and outpatient hospital services.

Avoiding conflicts of interest

This highly complex nature of Stark Law means hospitals must be very careful about compensation arrangements with physicians. For instance, organizations must be able to designate the differences between employed physicians, independent physicians and medical groups, and recruitment agreements. Stark Law compliance becomes critical for independent contracts and recruitment agreements.

Not having the ability to collate and monitor all these designations can be a challenge in trying to understand how physician relationships are being tracked.

Furthermore, contracts between physicians and hospitals must fit within the strict seven safe harbors of Stark Law to fully alleviate violation risk. Examples:

  1. The contract's duration must be at least one year.
  2. The contract must be in writing and signed by both parties.
  3. The contract must specify aggregate payment which is set in advance.
  4. Payment must be reasonable and reflect fair market value.
  5. Payment must not relate to volume or value of business.
  6. The exact services to be performed must be outlined.
  7. The services must be commercially reasonable.

Civil penalties for violating the law can be severe. These include:

  • denial of payment for the service billed;
  • $15,000 civil penalty for each claim submitted as a result of an improper referral;
  • refund of every payment received for services that were referred in violation of the law;
  • $100,000 civil penalty for entering into a scheme designed to circumvent the law; and
  • exclusion from federal healthcare programs and possible additional liability under the Federal False Claims Act.

Although physicians must be aware of Stark Law, they also must understand that many states have adopted their own self-referral laws that can differ significantly from the federal law.

Working with healthcare clients as part of an effort to avoid third-party risk helps healthcare organizations enforce the Stark Law statutes -- ranging from managing supplier information and supplier relationships to signing contracts that need to be in place before physicians are reimbursed, or reimbursing physicians’ groups for services they perform in hospitals.

The problem is that many hospitals still have no central controls. Individuals tend to be responsible for whatever contracts are relevant to their functions, and those signed contracts are on paper and not stored electronically.

Without the proper systems, there is no way of knowing how many contracts exist or whether all contracts have undergone appropriate review and approval. Although healthcare providers may have policies in place, in theory, there is no true ability to be confident of compliance without systems such as supplier and contract management.

Contract and supplier management technology is essential for helping healthcare organizations evaluate how well they are managing physician contracts. This is because these tools provide the ability to:

  • centralize and segment suppliers;
  • manage agreements between providers and referral sources through eSignatures;
  • implement extensive supplier and contract search capability; and 
  • automate alerts based on document and contract initiation/renewals.

Healthcare providers can improve compliance with Stark Law by:

  • increasing control in the contract management function across different jurisdictions;
  • improving the ability to enforce appropriate review and approval processes;
  • reducing the risk of non-compliance with Stark Law provisions, including non-monetary compensation; and
  • improving overall visibility through linked supplier information, certification and contracts dashboards.

Managing third-party risk is the responsibility of everyone in every department regardless of whether your organization is in one of the industries covered here or not. It is essential to have an executive team mandate a thorough, vetted strategy behind the effort. But, without the technology that links all the data points, documents, contracts and myriad other details, there’s little chance of establishing a sustainable, effective risk management process.

That’s why you always need to keep your suppliers close, and your contracts closer.


Notes:
  1. Sources.
  2. The Dodd-Frank wave refers to financial regulation arising from the Great Recession of 2008.
  3. CFPB rules.
  4. Stark Law defined.


Julien Nadaud, a recognized global visionary in eProcurement and spend management, was the Founder, Chairman and CEO of b-pack, which joined Determine, Inc. He designed the Determine Cloud Platform, which seamlessly integrates the full suite of modular source-to-pay and contract management solutions. Julien now serves as the SVP of Innovation for Corcentric, after Determine was acquired by the company in 2019.

Corcentric is a global provider of market-leading source-to-pay, order-to-cash, and fleet solutions. From the mid-market to Fortune 1000 businesses, Corcentric delivers technology, managed services, and strategic advisory focused on reducing costs, optimizing working capital, and unlocking revenue. Corcentric was named a 2020 ’50 Providers to Know’ by Spend Matters, a leader in IDC MarketScape: Worldwide SaaS and Cloud-Enabled Accounts Payable Automation 2019, and a Strong Performer in The Forrester Wave™: Source-To-Contract Suites, Q4 2019. Learn more at


Julien Nadaud, Chief Product Officer, Determine and SVP of Innovation, Corcentric
