As a global retailer, Abercrombie & Fitch Co. (A&F) does business with an expansive range of vendors — from textile, office product, and store fixture suppliers to data centers, tax consultants, and construction services — around the world. Traditionally, each of the company’s individual risk areas, including legal, corruption, information security, and finance, independently vetted third parties using a combination of email, spreadsheets, and manual tracking. The risk area teams asked vendors to fill out a questionnaire, and subject matter experts (SMEs) used the responses to assess risk, conduct due diligence, identify gaps, and mitigate issues. If they decided the level of third-party risk was acceptable, the company moved forward with selection and contracting.
“The main challenge was that we had a rather siloed risk mitigation process,” said Forrest Deegan, Chief Ethics & Compliance Officer at Abercrombie & Fitch Co. “Our risk-area teams could conduct due diligence only when they were aware the vendor was coming in, which led to inconsistent timing of reviews and self-inflicted fire drills. We needed to consolidate and align our risk management and compliance efforts across the organization.”
After establishing a steering committee and a project team, Deegan set out to make third-party risk management the “front door” into the company for new vendors and to ensure that the right information was getting to the right people on a consistent basis. The project team started by creating a vendor questionnaire and mapping out the journey on paper. They developed logic and workflows — complete with triage and escalation — in macro-enabled spreadsheets. With these tools in place, they started piloting the process with ten vendors to test its viability.
“We didn’t even get through all ten vendors before deciding we needed an automated system,” explained Deegan. “The pilot process was overburdening the SMEs in each risk area, so things broke down quickly. We realized we couldn’t run it on paper.”
That’s why, in 2016, Abercrombie & Fitch Co. began its search for an automated system to streamline end-to-end third-party risk management activities and capture key documentation to fulfill regulatory requirements and ensure compliance. The project team was looking for a flexible, configurable platform that was capable of handling their unique workflows and scaling seamlessly as their vendor base continued to grow.