As a global retailer, Abercrombie & Fitch Co. (A&F) does business with an expansive range of vendors — from textile, office product, and store fixture suppliers to data centers, tax consultants, and construction services — around the world. Traditionally each of the company’s individual risk areas, including legal, corruption, information security, and finance, independently vetted third parties using a combination of email, spreadsheets, and manual tracking. The risk area teams asked vendors to fill out a questionnaire and subject matter experts (SMEs) used the responses to assess risk, conduct due diligence, identify gaps, and mitigate issues. If they decided the level of third-party risk was acceptable, the company moved forward with selection and contracting.
“The main challenge was that we had a rather siloed risk mitigation process,” said Forrest Deegan, Chief Ethics & Compliance Offer at Abercrombie & Fitch Co. “Our risk-area teams could conduct due diligence only when they were aware the vendor was coming in, which led to inconsistent timing of reviews and self-inflicted fire drills. We needed to consolidate and align our risk management and compliance efforts across the organization.”
After establishing a steering committee and a project team, Deegan set out to make third-party risk management the “front door” into the company for new vendors and to ensure that the right information was getting to the right people on a consistent basis. The project team started by creating a vendor questionnaire and mapping out the journey on paper. They developed logic and workflows — complete with triage and escalation — in macro-enabled spreadsheets. With these tools in place, they started piloting the process with ten vendors to test its viability.
“We didn’t even get through all ten vendors before deciding we needed an automated system,” explained Deegan. “The pilot process was overburdening the SMEs in each risk area, so things broke down quickly. We realized we couldn’t run it on paper.”
That’s why, in 2016, Abercrombie & Fitch Co. began its search for an automated system to streamline end-to-end third-party risk management activities and capture key documentation to fulfill regulatory requirements and ensure compliance. The project team was looking for a flexible, configurable platform that was capable of handling their unique workflows and scaling seamlessly as their vendor base continued to grow.
After evaluating numerous solutions, A&F selected ProcessUnity’s Vendor Risk Management solution, a software-as a service (SaaS) platform that automates key phases of the third-party risk management lifecycle — assessment, onboarding, due diligence, reporting, and more — to help identify and remediate risks posed by critical vendor relationships. ProcessUnity’s platform provided unparalleled configurability for building out the retailer’s questionnaire-based workflows with extensive logic that triggered specific actions and escalations by risk area. The solution also offered comprehensive management-level reporting to monitor progress, reduce operational exposures, and ensure that results would stand up to regulatory scrutiny.
“We wanted to start with an internal questionnaire and have various avenues of logic and escalation come out of it based on responses, which could then roll back into one uniform response out to the third party where needed,” commented Deegan. “Only ProcessUnity demonstrated the ability and capacity to allow us to recreate the logic-driven workflow we’d developed within their system, while streamlining activities for the risk areas and vendors alike.”
According to Deegan, ProcessUnity’s people were as much of a differentiator as its powerful software functionality. Instead of making a hard sales play, they approached the opportunity from the perspective of seasoned experts who had successfully automated complex third-party risk processes for many other clients.
“At our first meeting, ProcessUnity came to us with a detailed presentation of how their system would work in a business like ours,” Deegan said. “It was clear from the start that they understood third-party risk management inside and out, and would provide valuable insight and guidance as we transformed our vision into reality.”
Abercrombie & Fitch Co. purchased ProcessUnity in October 2016 and completed the initial implementation within just six weeks.
“It was the most thorough and precise implementation process I’ve seen in my career,” stated Deegan. “ProcessUnity came to us with a project plan that included detailed timelines and objectives. Beyond a few tweaks to names and responsibilities, the project was executed precisely as planned with real progress being made every day.”
Since deploying ProcessUnity, A&F has enjoyed the benefits of a standardized, consistent approach to third-party risk management powered by a centralized system of record. The procurement function now serves as the “front door” for new third parties and ProcessUnity automatically routes the right information to the right people to ensure proper vetting — backed up by a documentation trail — across all key risk areas.
The retailer is taking full advantage of ProcessUnity’s reporting capabilities to gain real-time visibility into the state of third-party risk and demonstrate to regulators the existence of a consistent, reliable and repeatable program. Interactive dashboards give management visibility into ongoing risk assessment progress, remediation activity status, and vendor ratings, while drill-down capabilities allow risk managers to quickly find details in areas of concern. In 2017, Abercrombie & Fitch also extended their implementation by integrating Tableau reporting software for advanced analytics and data visualization.
In 2018, Abercrombie & Fitch turned to ProcessUnity for a connector to Refinitiv World-Check One, an intelligence service that continuously monitors vendor organizations and their employees to identify issues that may signal heightened risk.
“ProcessUnity shares our enthusiasm for innovation and partners with us to make it happen,” added Deegan. “When we wanted to integrate World-Check into our onboarding and due diligence process, they partnered with us — developing the connector, which we then piloted and helped refine. That integrated functionality has been a big win for us.”
Looking ahead, Abercrombie & Fitch Co. will continue to work with ProcessUnity to fine-tune its third-party risk management process — and the system behind it — to build on the success the company has seen to date.
“The establishment of a third party ‘front door’ and the implementation of ProcessUnity VRM has really energized our procurement team,” concluded Deegan. “Thanks to ProcessUnity, we’ve eliminated silos and aligned people, processes, and technology around a standardized third-party risk management program. The investment has really paid off and now we’re working to drive progress forward.”
Request a Demo