How to analyse third-party risks in the supply chain
Do you truly know your exposure to risk? With every third-party supplier an organisation uses, there is increased risk of being exposed to a security breach, a damaging reputational issue, or a human rights or environmental issue that could be buried within the supply chain.
We tend to think of disruptive events as happening once in a lifetime, but in reality, we should plan for them to be a regular feature of supply chains and manage them accordingly. Proper governance and rigorous supply chain review are critical.
What are the risks posed by third parties in the supply chain? The most obvious risks are cyber security or financial. Imagine if one of your supplier’s suppliers has a ransomware attack that spreads up the chain. Your security is only as strong as the weakest link in the supply chain. An event like this could severely disrupt your ability to do business.
But there are less obvious, newer risks from suppliers. Increasingly we’re seeing emerging threats from areas like environment, social and governance (ESG), and human rights.
Perhaps there are modern day slavery practices that you haven’t spotted, deeply embedded in the supply chain, or a supplier has been found guilty of corruption, or other unethical behaviour. It’s not enough anymore to claim ignorance, and you could lose your hard-won reputation by association with such practices.
You need the right processes in place to catch and head off these kinds of issues, early on.
Managing supplier relationships
The key to good supplier management is good information. What information do you need to mitigate your risk? I’m often asked: “How do I assess the risks from my supply chain?” The answer is in the information you get from that chain.
Look first at the information you have internally available. What is the acceptable risk level in your own business? Every organisation will have a different appetite for risk. A risk heat map is a great way to visualise the impact and likelihood of different risk categories, so you can develop the appropriate response.
Then look externally – where is there risk in the supply chain? Each of your suppliers should complete a detailed risk assessment in the first instance, and this has to be more than a tick-the-box exercise (regulators are getting wise to these). Monitor for seven different areas:
- Adverse news or events affecting the supplier that could impact your business. This could include things like litigation, data breaches, or corporate controversies
- Geo-political risk. Is there inherent risk in the environment in which the supplier operates?
- Environment, social and governance (ESG) risk. This could be negative environmental impact, for example, or a breach of human rights
- Modern slavery, which is outlawed in a growing number of jurisdictions
- Corruption and bribery
- Sanctions, or the risk of them
This is not a one-off exercise. The minute you’ve conducted an assessment, it could be out of date, so your assessment should be continuous, using real-time data that gives you the right information to deal with changes, as they happen, in the supply chain.
Sanctions could change, rapidly. Changes in personnel could bring new reputational risk. A corporate scandal might break. The process needs to be dynamic, not static.
The role of technology
It’s simply not possible for a person – or even a full team – to monitor every change and movement that could pose risk within the supply chain. This is where technology can help.
A good third-party risk management system can give you the information you need to monitor and mitigate risk, as well as keep on top of contractual commitments and the performance of your suppliers (including their ability to meet those commitments).
It should look at three core areas:
- Supplier controls and contractual commitments relating to the products and/or services being provided by the supplier. This should include monitoring mitigation systems the supplier has agreed to in a contract (and any changes to those systems)
- Performance, including the supplier’s ability to meet the expectations of the business, and maintain risk controls over the entire lifespan of the relationship (not just at a single point in time, for example at the beginning of the relationship)
- Supplier risk profile, including looking at what risks are inherent to the relationship, and what controls the supplier has put in place to mitigate them.
In a world where threats constantly evolve, managing third-party risk in the supply chain is a complex business. Things change, quickly, and if you don’t monitor and address those changes, your exposure to risk could be damaging to your business.
Conversely, there’s a competitive advantage to understanding your risk exposure, and the risk profile of your suppliers. You’re less likely to experience disruption or damage to your reputation. And you’re more likely to attract customers who can be confident that your business is secure.
Sri Rangachary is a Senior Director with ISG, a data analysis specialist.