How to analyse third-party risks in the supply chain
Do you really know your risk? With any third party that a company employs, there is an increased risk of being exposed to a security breach, a reputational issue, or a human rights or environmental issue that could be hidden in the supply chain.
We tend to think that disruptive events only happen once in a lifetime, when in reality we should treat them as a regular feature of supply chains and plan for them accordingly. Proper governance and rigorous supply chain review are essential.
What risks do third parties in the supply chain pose? The most obvious risks are cyber security and financial. Imagine one of your supplier’s suppliers suffers a ransomware attack that propagates down the chain. Your security is only as strong as the weakest link in the supply chain, and an event like this could seriously affect your ability to do business.
But there are less obvious, more recent risks from suppliers. We increasingly see new threats from areas such as environmental, social and governance (ESG) and human rights.
Perhaps there are modern day slavery practices you haven’t discovered that are deeply embedded in the supply chain, or a supplier has been found guilty of corruption or other unethical behavior. Claiming ignorance is no longer sufficient, and you could lose your hard-earned reputation if you are associated with such practices.
You need the right processes in place to identify and prevent these types of problems early on.
Management of supplier relationships
The key to good supplier management is good information. What information do you need to mitigate your risk? I’m often asked, “How do I assess my supply chain risk?” The answer lies in the information you receive from that chain.
First, look at the information you have available internally. What is the acceptable level of risk in your own company? Every organization has a different risk appetite. A risk heatmap is a great way to visualize the impact and probabilities of different risk categories so you can develop the appropriate response.
Then look outside – where are the risks in the supply chain? Each of your suppliers should first conduct a detailed risk assessment, and this needs to be more than ticking boxes (regulators recognise box-ticking when they see it). Monitor for seven different areas:
- Adverse news or events affecting the supplier that could impact your business. This can include litigation, data breaches, or corporate controversies
- Geopolitical risk. Are there inherent risks in the environment in which the supplier operates?
- Environmental, Social and Governance (ESG) risk. This can include, for example, negative environmental impacts or human rights violations
- Modern slavery, which is outlawed in a growing number of jurisdictions
- Corruption and bribery
- Sanctions, or the risk of sanctions being imposed
This is not a one time exercise. By the time you’ve conducted an assessment, it could be out of date, so your assessment should be continuous and use real-time data that gives you the right information to deal with supply chain changes as they occur.
Sanctions could change quickly. Personnel changes could entail new reputational risks. A corporate scandal could break out. The process must be dynamic, not static.
The role of technology
It is simply not possible for one person – or even an entire team – to oversee all changes and movements that could pose a risk within the supply chain. This is where technology can help.
A good third-party risk management system can provide you with the information you need to monitor and mitigate risk, as well as keep track of your suppliers’ contractual obligations and performance (including their ability to meet those obligations).
It should address three core areas:
- Supplier controls and contractual obligations related to the products and/or services provided by the supplier. This should include monitoring mitigation schemes that the supplier has contractually agreed to (and any changes to those schemes).
- Performance, including the supplier’s ability to meet business expectations and maintain risk control throughout the life of the relationship (not just at a single point in time, e.g. at the beginning of the relationship)
- Supplier risk profile, including a consideration of what risks are inherent in the relationship and what controls the supplier has in place to mitigate them.
In a world where threats are constantly evolving, managing third-party risk in the supply chain is complex. Things change quickly, and if you don’t monitor and address those changes, your risk could be detrimental to your business.
Conversely, understanding your risk and the risk profile of your suppliers is a competitive advantage. Your reputation is less likely to be disturbed or damaged. And you’re more likely to attract customers who can trust your business to be secure.
Sri Rangachary is Senior Director at ISG, a data analytics specialist.