Why third-party risk management is now a business essential
As modern business and enterprise operations have become increasingly complex, and more often relying on third-party suppliers, the risk many supply chains have become exposed to has also become more difficult to address. Supply chain expert Andrew Black – a Principal at consultancy Efficio – explains what firms can do to adapt to the challenging environment.
Organisations are increasingly reliant on third-party suppliers to deliver business-critical products and services to their clients and customers. However, managing third-party risk is essential.
While partnering with third parties can provide scalability and opportunity for growth in new markets, it also requires monitoring their compliance to safety procedures, ethical business practices, environmental policies, cybersecurity practices, and more.
Why now?
As supply chains evolve into multi-dimensional networks, organisations need to develop new tools and processes for identifying and monitoring risks in their supply bases. This is a result of several new trends, including changes in consumer preferences and a heightened interest in understanding where and how products are being made. Recent years have demonstrated how important managing the environmental impact of supply chains is for organisations to retain consumer loyalty.
Consumer purchasing patterns have also evolved; there is an expectation that products will always be available at short notice and with easy return options. This means organisations now need to be far more active in monitoring their upstream and downstream supply chains.
Furthermore, events such as Brexit, the pandemic, and the Russian-Ukraine conflict have driven the realisation that supply chain disruptions are likely to become more common in the future. In order to survive these changes, businesses will increasingly need to pay attention to four major risks within their third-party supply base:
Reputational
For example, sourcing components or products from countries under sanctions can quickly damage your reputation.
Financial
Suppliers with poor financials also pose a risk to your organisation, as their insolvency can impact your ability to conduct business if they cannot be rapidly replaced.
Health, Safety, and Environment
Poor supplier performance in these areas could threaten the safety and well-being of your employees or endanger your reputation.
Cyber
Organisations are increasingly falling victim to cyber-attacks, including ransomware and industrial espionage.
Avoid third-party failures
So far, organisations have typically focussed on monitoring the financial risks of their suppliers because this is the easiest to assess from the outside. As the potential risks multiply, organisations will need to do two additional things.
First, get access to better, but harder-to-find data (for example, the environmental impact of a supplier operating in another country).
Second, set up a system of collaboration with your suppliers, either in the form of contractual KPIs or informal information sharing.
Use information and insights
The challenge, however, is that accessing the right information to feed into risk KPIs and risk monitoring processes can be costly and time-consuming. It also often requires the goodwill of second-, third-, and fourth-tier suppliers, who may not have strong incentives to provide their manufacturing, financial, environmental, and other information.
The solution is to be rigorous in whittling down the large list of potential risks to those that could significantly impact your organisation and then implementing processes and information flows for ongoing monitoring of those risks. Where you can, improve your organisation’s resilience to risk, whether that be through increasing inventory, multi-sourcing of suppliers, or in-housing some aspects of the manufacturing process.
Another step is to set up dedicated supply chain risk monitoring teams that work cross-functionally to identify, monitor, and manage risks. These teams may draw upon information from in-house teams or relevant external information providers. Having access to such information is becoming increasingly important as organisations seek to prove that their supply chains are “green” or free of unethical labour practices, but it is also hard to source – and so assembling a dedicated team should ease this process.
Data-driven assessments are key
Ultimately, risk monitoring is only as good as the data that drives it. As risk moves up the agenda of management teams, there is a growing need for data-driven third-party assessment. This is for two reasons:
First, it facilitates more automated, and hence more rapid, risk monitoring instead of the current labour-intensive approach. If your organisation can identify the right data feeds and build the right tools to utilise that data – such as data-driven dashboards to simplify monitoring and reporting – much of the drudgery of risk management can be automated.
Second, it reduces the possibility of overlooking or missing emerging trends. Historically, a lot of risk management has consisted of slow, labour-intensive work. It is easy to miss risks as they occur, and so risk management teams end up becoming more focussed on incident response rather than pre-emptive risk identification and mitigation. Instead, consolidating the right data feeds into a risk dashboard means processing a larger volume of potential risks, as well as the identifying new trends early and acting on them before they become genuine issues.
Multi-functional management
Finally, it is important to recognise that third-party risk management is multi-functional. Financial risks will need input and action from the finance function, cyber risks from the IT function, and reputational risks from across the business. Supplier risk teams, while they may report to supply chain or procurement managers, should be set up as a separate team with a mandate to work cross-functionally. Having departments solely dedicated to managing third-party interactions will help prevent third-party breaches from falling through the cracks.
In today’s outsourced environment, focussing on third-party risk management initiatives to protect the reputation and revenue of the organisation is crucial. Planning and implementing a proactive approach can help to alleviate risks and maximise third-party benefits.
Efficio is a global tech-enabled procurement and supply chain consultancy. It operates across 13 offices in Europe, North America and Middle East.