View the original post here.
If you’ve ever sold into an enterprise business, you know the pain of the procurement process.
When we speak to companies tackling the compliance process for the first time, we find that many businesses pursue certifications after requests from their customers and partners. Whether you get stuck answering security questionnaires, or don’t have a shining SOC 2 report to share, businesses eventually need to demonstrate their security postures to bring in new business.
That’s where the enterprise procurement process comes in.
What is enterprise procurement?
In short, enterprise procurement involves a series of processes through which large institutions identify, evaluate, and purchase critical vendor services.
There are a series of steps in the procurement process that enterprises follow. While we’re not going to touch on all of them here, we will focus on the significant impact of your compliance certifications. Our experts know how enterprise companies evaluate vendor services and we’ll point out how to navigate the procurement process.
Why does the procurement process exist?
Let’s start this story at the beginning.
Picture it: the year is 2012. Big banks outsource technology and operations to third-party vendors for ease of use and efficiency. The downfall? Little to zero oversight into vendor security processes, resulting in breaches, and at worst, unavailability of services to the market. In the wake of multiple data-related incidents, the financial industry started the push toward SOC 2 compliance by 2013.
Our co-founder, Eva Pittas, worked at Citigroup at the time and managed the response to regulators. Over time, the regulations imposed by banks onto their vendors and partners set the benchmark across industries.
The proliferation of solutions through digital banks turned the industry toward automation. Consultants began to assist with demonstrating compliance. However, the lack of quality solutions pairing expertise and automation are far and few between. This is why Eva cofounded Laika with Sam Li and Austin Ogilvie.
Identifying and evaluating vendors
When enterprises identify a need to fulfill a service, they face the “build it or buy it” conundrum. More often than not, they pick “buy.”
Based on the need, the business researches vendors to satisfy requirements, and begin the evaluation process. In an ideal situation, the vendors are ranked according to the risk associated with the need.
For example, if a bank needs to obtain a vendor to process loans, it’s a highly critical process. In turn, the vendor ensures a secure process through appropriate compliance. We’re referring to this process as “risk ranking.”
Enterprises review multiple vendors to determine which is the best and safest offering. The procurement team examines features, functionality, cost, security, and compliance controls. This team involves compliance and risk management, legal, and even an independent procurement team to move the process forward.
Based on the risk rating, the company determines expectations around uptime, SLAs, and the criticality of the need. If the process is a low criticality, vendors can expect fewer requirements, but for high criticality needs, the requirements are more stringent and may involve a long assessment period, similar to that of an audit.
It’s likely that your company fields security questionnaires during the procurement process, which are usually used as the first line of evaluation by the enterprise. These questionnaires can be hundreds of questions long and are intended to assess your current security posture, among other features of your business.
These questionnaires examine the controls in place to protect the operations of your business. As we know, each SOC 2 or ISO 27001 or any compliance framework should be unique. Enterprise buyers need to see that you have taken steps to implement processes to ensure the availability of services and the integrity of data processing.
Once you pass this initial inspection by the procurement team, they’ll dig into specifics.
Vendor risk assessments
Vendors execute risk assessments at least annually or with significant changes to operations or the business. This should be a core part of a vendor management process.
Like risk assessments conducted for ISO 27001 or SOC 2, the assessment should speak to remediated risks and identify areas for improvement, as well as a path to improvement. You can work with the buyer to understand key controls that can improve your product or service. This shouldn’t be considered a make-or-break, but a building block to growth.
Regulated industry risks increase over time. These assessments should be the first step to examining the impact a delay or break in service could impact the business and its consumers.
If your business provides a highly critical service, you should expect an annual audit by the enterprise, on top of whatever compliance frameworks you need to keep up-to-date. Some enterprises may ask to visit your offices or facilities to perform an in-person audit.
This audit can seriously impact your reputation. During Eva’s time at Citibank, big banks commonly leveraged a particular vendor to perform a critical task. One of the banks examined the vendor’s compliance and security posture and found noncompliance. As a result, the CEO rang the alarm to rival banks and warned them about this vendor’s noncompliance.
Ultimately, this move protected consumers, and effectively ruined the reputation of the vendor.
How does Laika prepare customers for the procurement process?
Most of our customers experience high growth rates after implementing a compliance framework. Our team helps prepare for their first round of procurement by focusing on what enterprise buyers expect in robust compliance postures.
Quality Compliance Programs
As we preach, not all compliance implementation and audits are created equal. Yours should be unique to your business offering. This means the quality of your audit report weighs heavily on any due diligence process.
When you are selling a service to other businesses, the industry expects you to grow and improve your offering over time. Your compliance program should reflect this.
We work to educate our customers on what types of questions to expect, how to answer security questionnaires with speed and accuracy, and understand how their services may be assessed and audited by buyers.
Laika’s robust library contains answers to hundreds of questions that may appear on a security questionnaire. We store all compliance-related information in one place, for ease of reference. Our compliance architect team executes risk assessments with your growth plans in mind.
For more information on how enterprise buyers read a SOC 2 report, check out our post here.