Fordway Blog

How to use ITIL 4 for best practice supplier management

[fa icon="calendar"] Mar 27, 2020 11:03:36 AM / by Neville Armstrong

ITIL supplier management

Photo by Michael Judkins from Pexels

One of the ways in which ITIL 4 differs from its predecessor is in its increased emphasis on supplier management. ITIL V3 defined ‘4 Ps’ (People, Products, Processes and Partners) of Service Management. In ITIL 4 these become the ‘4 Dimensions of Service Management’, and there is an increased focus on partners and suppliers – an important and necessary change given the growing use of cloud-based services and increasing supplier dependencies.

Putting this into practice means first understanding your organisation’s dependence on third parties in delivering services to your customers and then managing these relationships accordingly. Key factors to consider include the corporate culture and strategic focus of each organisation in your supply chain and the value that each provides in terms of cost, capacity/elasticity, capabilities and compliance (what I term the 4 Cs).

Governance and policy need to be wrapped around supplier management to ensure that the value of each supplier is known and any risks remediated (including the supplier’s role in business continuity planning). ITIL Supplier Management provides a best practice baseline. This can then be tailored to accommodate common ISO standards such as ISO9001, ISO14001, ISO22301, ISO27001 and ISO20000 to ensure that the policies developed either comply with existing organisation governance or provide a basis for future strategic development to achieve these standards.

Policy development can be streamlined by first tiering suppliers in terms of how critical they are to your organisation and the associated risks if the services they provide were constrained or removed. This will create two broad categories: strategic (critical/high importance with high risk) and tactical (low importance with low risk), with appropriate subgroups within each category of suppliers with similar importance. We would also recommend identifying secondary or backup suppliers for each critical supplier and maintaining low level relationships with them.

Top tier suppliers should have well defined and maintained contracts, full industry certifications, SLA management, regular service meetings and joint service improvement programmes. We recommend that your supplier relationship policy requires top tier suppliers to hold, as a minimum, the same industry standards as your organisation, such as ISO9001 and ISO14401 for quality and environmental and ISO27001 and CE+ for security. Lower tier suppliers could have a subset of these certifications to align with their supporting role. For top tier suppliers you should have interfaces between both organisation’s practices such as service portfolio management, demand management, change management, security management and business continuity management. Within the policies it is recommended that communication paths are identified at all levels of organisational operation and management and ensuring that supplier meetings are attended by peers from each organisation.

Another tip is to understand how critical your organisation is to your top tier suppliers, as any organisation will inherently manage its most important customers differently from the way it manages the less important ones. This is particularly important with respect to major incident management and business continuity. Understanding that ranking will help in developing the SLAs with that supplier. Once you realise that there are dependencies in both directions, you can manage the relationship in a way that is mutually beneficial to both parties and is optimised for value creation. Interfacing practices can be streamlined, and service support and service changes made using a collaborative and agile approach.

Organisations should also consider their full supply chain for service delivery. Any indirect change in that chain should be planned and communicated to all interested parties, as it could impact on each organisation’s risk management, particularly with respect to data security.

Reference customers are a common concept in the supply chain. It is important for the customer as well as the supplier that any business development is recognised, and benefits applied to increase overall value from the relationship. Any shared risk should be met with shared reward. Similarly, any constraints on a supplier’s or customer’s business should be communicated, managed and supported. All contracts should include provision for failure or cessation in the relationship and should be supported by dispute management procedures, along with agreed exit and transition plans.

In summary, organisations should take an open, trusted and aligned approach to supplier management, and ensure that everyone in the supply chain takes collective responsibility for delivering value.

Topics: IT Transformation, ITIL, Strategy

Neville Armstrong

Written by Neville Armstrong