Third-Party Risk Management — A Take-Charge Approach

Executive Summary

The rapid pace of change, coupled with the uncertainties of today's business environment, often leads to gaps between enterprise plans and actual performance.

Sudden disruptions in supply chain can expose a company to costly and, at times, disastrous delays. To fix these gaps in planning, performance and accountability, supply chain organizations should adopt a “take-charge” approach towards third-party risk management.

A “take-charge” approach to third-party risk management focuses on managing risks and their performance consequences by enabling management to plan for organizational performance across a set of identified potential outcomes.

To implement a “take-charge” third-party risk management approach, supply chain organizations must take a few preliminary steps. First, an organization should develop a formal due diligence process to gather data and analyze it. It is important to create a reporting tool from the extracted data to structure forward planning/demand scenarios, thus helping the management to assess business risk strategies and record their performance across potential outcomes. Next, it is important to define — in your policies and procedures — the overall planning and implementation Project Management Office (PMO) processes utilized to support the risk management system design, evaluation, and optimal implementation of plans and strategies that support potential supply/demand outcomes.

Last, but not least, a process needs to be put in place for program compliance, with associated roles and responsibilities, accountability and authority, to set and measure performance objectives against agreed levels of financial outcomes. This ensures that the “take-charge” risk approach is viewed by everyone in the organization as a strategic imperative that helps meet management objectives.

Supply chain organizations today are accountable for developing and managing performance goals, and maintaining key relationships internally and externally — all while working most efficiently and effectively.

Unfortunately, they pursue these business needs without factoring in their exposure to various sources of risk beyond their control, including:


  • Planned vs. actual demand
  • Volatility of pricing, business environment, politics, logistics, capacity and economic cycles
  • Cost and timing of new products to market
  • Change in regulations
  • Managing issues with respect to third-party supplier corruption
  • Market changes in technology and operational quality issues


These and other everyday sources of uncertainty affect the management process at its foundation, disrupting planning, execution, performance and accountability. The result is an “estimated vs. actual” gap in organizational performance. A “take-charge” risk management approach helps mitigate the issues caused by these performance gaps before they develop into full-blown risk.

By elevating and communicating third-party risk management as a key organizational strategy, management can develop plans to optimize performance across a chosen range of potential supply and demand outcomes.

This is a more effective approach in managing third-party risk compared to adopting the typical “our best guess” or “could be” outcome. Being strategically aggressive towards third-party risk management allows enterprises to gain key insights and establish procedures to maintain control over potential loss of economic performance.

Proactive Due Diligence Management

Business management is based on plans for revenue and cost, and supporting plans for products, markets, capital expenditures and operational execution. These plans drive resource investments, customer commitments and coordination with third-party partners. Supply management relies on these third-party relationships to drive performance plans, profit incentives and financial accountabilities.

A proactive analysis and due diligence plan is critical to scoping, assessing, prioritizing solutions and implementing a “take-charge” third-party risk management framework. A well-designed due diligence and “approach process” can help support an ongoing comprehensive risk management solution that can optimize and drive risk mitigation.

For instance, many organizations lack risk management structure, rigor and consistency across business units, functions and regions. There is a strong need for a proactive, real-time ability to track as many of the identified critical risks as possible that could affect business operations and company reputation.

Identification of Third-Party Sources

One of the first steps an organization should take with regard to third-party suppliers is to identify and define the types of commercially contracted relationships it manages. This will help to determine which third parties should be considered “in scope” and subject to risk-based due diligence. It is also important to analyze which supplier relationships are critical, based on revenue contribution mapped to the type of services/products provided for production, as well as regional, socio-political and regulatory constraints and market trend dynamics.

An organization should begin — during the scoping of a third-party risk management exercise — to identify a list of critical third-party relationships with whom it contractually engages in supply/source dependency.

Here is a sample list:

Joint-Venture Partner

An individual or organization entering into a business agreement with another individual or organization (and possibly other parties) to establish a new business entity and to manage its assets.

Consortium Partner

An individual or organization pooling resources with another organization (and possibly other parties) for achieving a common goal. In a consortium, each participant retains its separate legal status.

Agent

An individual or organization authorized to act for or on behalf of, or to otherwise represent, another organization in furtherance of its business interests. Agents may be categorized into the following two types:

- Sales agents (i.e. those needed to win a contract)

- Process agents (e.g. visa permits agents)

Advisor and other intermediary

(e.g. legal, tax, financial advisor or consultant, lobbyist)

An individual or organization providing service and advice by representing an organization towards another person, business and/or government official.

Contractor and Sub-Contractor

A contractor is a non-controlled individual or organization that provides goods or services to an organization under a contract. A subcontractor is an individual or organization that is hired by a contractor to perform a specific task as part of the overall project.

Supplier/Vendor/Service Provider

An individual or organization that supplies parts or services to another organization. It can also provide functional support (e.g. communications, logistics, storage, processing services).

Distributor

An individual or organization that buys products from another organization, warehouses them, and resells them to retailers or directly to end-users.

Third-Party Risk Management Process

Building practice guidelines that are well conceived will help organizations thoughtfully design and implement a risk-based third-party proactive due diligence framework. Figure 1 shows the recommended approach for third-party risk management.

Figure 1: Third-Party Risk Management Process

To ensure successful implementation of a take-charge risk management approach, the organization should develop a communication and support plan for internal and external stakeholders. A few things to consider while developing a communication and support plan:


  • Have people been chosen in identifying risk factors?
  • How will we communicate with all those who should participate?
  • Have we identified, socialized and agreed on what roles different stakeholders should play in the process?
  • How will internal stakeholders be informed regarding the issues?
  • What risks are we planning to discuss with external stakeholders?
  • Have we developed a touch point strategy in case a risk event does occur?
  • Who will be central to communication of risk reporting and key data repository information?
  • What will be the PMO structure and how will it operate?
  • How will contingency plans be created, evaluated and implemented?


The organization should also clearly define roles, responsibilities, accountabilities and authority for all stakeholders through the use of a Responsible, Accountable, Consulted, Informed (RACI) chart. This helps in escalating issues faster to the right stakeholders. Figure 2 depicts a sample RACI chart used by GEP for a client.

Data Gathering and Analysis

Organizations should begin with casting a large net over the areas in which they plan to locate key data regarding third-party suppliers. The use of multiple data sources for risk monitoring increases the likelihood of uncovering potential issues or 'detectability' of risks. There are many sources of data that should be researched during the assessment phase of risk identification. Examples include external free market information, financial data and operational data sources. Free market sources can be news articles on supplier, industry and region. Blog articles, trend forecasts, social media interactions, industry conferences, subject matter experts, etc., are also good sources of information.

Financial areas of data sources can be D&B credit ratings, supplier financials, stock pricing, World Economic Forum (WEF) business competitiveness data, and analyst forecasts on supplier, industry or region.

Figure: Data Gathering Analysis

Various short-, medium-, and long-term third-party risk attributes can be mapped across risk areas:

Figure: Third-Party Risk Attributes

Operational or production data sources include internal spend data, inventory levels, supplier scorecards, FMEA scores, contract data, supplier audit data and supplier surveys. The identified third-party risk areas from these various sources should then be captured in a risk assessment tool that will classify and cluster this data for evaluation with respect to the financial value at risk and associated probability of risk occurrence.

Risk Prioritization

A “take-charge” risk management approach needs to factor in a risk horizon for planning and prioritizing. Risks identified should be prioritized based on business impact and likelihood of their occurrence.

Short-Term Risks

A short-term risk horizon includes risks that are expected to have an immediate impact on the organization's business and should be addressed immediately. These short-term risks might include an unplanned supplier shutdown, or a hurricane near the supplier's facilities resulting in inadequate inventory stock to meet a client's production plan requirements. They could also be bribery or corruption allegations against a third-party supplier, which will have an immediate impact on market reputation. All these short-term risks require contingency plans to ensure continuity of supply.

Medium-Term Risks

Medium-term risks are those that need to be addressed within a budgetary or financial period to ensure continuity within the budgeted timeframe and to mitigate potential financial overruns (for example, a supplier failing certain audit norms). The sponsoring organization will need to identify and develop an alternative supplier within a short time frame. If the organization decides to continue with the same supplier, it will likely need to institute a new process and ensure that the problem is addressed in future audits.

Long-Term Risks

Long-term risks have a strategic impact on the business, with an effect timeline of one to five years. An example is an estimated vs. actual supply gap due to increased demand from competition or capacity limitations. They can also emerge from poor forecasting of internal demand. New technology advances, such as 3D printing and its effects on the injection and thermo-forming industry, can affect capacity buildup and pricing in the market. Suppliers typically adopt new technology and take advantage of it by extending their control over supply and demand pricing levels.

Once an organization applies risk calculations and likelihood scenarios to these identified areas of risk, an executive dashboard should be created and shared with key management stakeholders. The reporting “dashboard” presents the different risks involved after considering the value at risk and likelihood of occurrence. A mitigation and contingency plan for each identified 'high' risk can then be developed. Plans can include elements such as risk description, type of risk, length, associated financial value of loss, likelihood or probability, mitigation plans, responsibilities and timelines for correction. It is important that an organization meets with its high-risk third-party suppliers to agree on future audit procedures and governance measures that require suppliers to demonstrate confidentiality, privacy, integrity of processes (internal controls), and delivery of performance.
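The risk assessment tool described above (value at risk combined with likelihood of occurrence, sorted into short-, medium- and long-term horizons, and surfaced on an executive dashboard) can be sketched as a small risk register. The following Python is an added example written for this page; it is not GEP's tool or code from the paper. The horizon cut-offs (30 days for "immediate", 365 days for "within the budget period"), the currency thresholds for the impact bands, the probability bands and the sample suppliers and figures are all constructed assumptions, labelled as such in the code. It goes slightly beyond the text by adding a validation check from the oversight checklist: any 'high' risk with no accountable owner or no mitigation plan is flagged as a gap for the PMO.

```python
"""Toy third-party risk register: value at risk x likelihood, risk horizons,
priority ranking and a dashboard summary with completeness checks."""
from dataclasses import dataclass
from enum import Enum


class Horizon(Enum):
    SHORT = "short-term"    # immediate impact: contingency plan needed now
    MEDIUM = "medium-term"  # within the budget period: corrective action
    LONG = "long-term"      # strategic, one to five years out


# Assumed cut-offs (not from the paper): "immediate" = within 30 days,
# "within the budget period" = within 365 days, beyond that is long-term.
SHORT_TERM_DAYS = 30
BUDGET_PERIOD_DAYS = 365


def classify_horizon(effect_days: int) -> Horizon:
    """Map the expected time-to-impact onto the three risk horizons."""
    if effect_days <= SHORT_TERM_DAYS:
        return Horizon.SHORT
    if effect_days <= BUDGET_PERIOD_DAYS:
        return Horizon.MEDIUM
    return Horizon.LONG


def impact_band(value_at_risk: float) -> int:
    """1 = low, 2 = medium, 3 = high; the currency thresholds are assumptions."""
    if value_at_risk >= 1_000_000:
        return 3
    if value_at_risk >= 100_000:
        return 2
    return 1


def likelihood_band(probability: float) -> int:
    """1 = unlikely (<10%), 2 = possible (<40%), 3 = likely; bands are assumed."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if probability >= 0.4:
        return 3
    if probability >= 0.1:
        return 2
    return 1


@dataclass
class Risk:
    supplier: str
    description: str
    risk_type: str          # e.g. operational, financial, compliance
    value_at_risk: float    # financial value lost if the event occurs
    probability: float      # likelihood of occurrence in [0, 1]
    effect_days: int        # expected time until the impact is felt
    owner: str = ""         # accountable stakeholder from the RACI chart
    mitigation: str = ""    # agreed mitigation / contingency plan

    def expected_loss(self) -> float:
        return self.value_at_risk * self.probability

    def horizon(self) -> Horizon:
        return classify_horizon(self.effect_days)

    def rating(self) -> str:
        """3x3 impact x likelihood matrix: score 6-9 high, 3-4 medium, else low."""
        score = impact_band(self.value_at_risk) * likelihood_band(self.probability)
        if score >= 6:
            return "high"
        if score >= 3:
            return "medium"
        return "low"


RATING_RANK = {"high": 0, "medium": 1, "low": 2}


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order the register by rating, then by expected loss (largest first)."""
    return sorted(risks, key=lambda r: (RATING_RANK[r.rating()], -r.expected_loss()))


def dashboard(risks: list[Risk]) -> dict:
    """Executive view: 'high' risks grouped by horizon, plus validation gaps.
    A high risk without an owner or a mitigation plan is flagged so the PMO
    can chase it before the next steering committee meeting."""
    by_horizon = {h.value: [] for h in Horizon}
    gaps = []
    for r in prioritize(risks):
        if r.rating() != "high":
            continue
        by_horizon[r.horizon().value].append(r.supplier)
        if not r.owner:
            gaps.append(f"{r.supplier}: no accountable owner")
        if not r.mitigation:
            gaps.append(f"{r.supplier}: no mitigation/contingency plan")
    return {"high_by_horizon": by_horizon, "gaps": gaps}


# Constructed sample register: suppliers, values and probabilities are made up.
SAMPLE_REGISTER = [
    Risk("Acme Plastics", "unplanned plant shutdown", "operational",
         2_000_000, 0.25, 7, owner="Supply Director", mitigation="dual-source resin parts"),
    Risk("Delta Logistics", "failed quality audit norms", "compliance",
         300_000, 0.50, 120, owner="Quality Lead"),
    Risk("Omega Tooling", "capacity gap from 3D-printing shift", "strategic",
         5_000_000, 0.05, 900, owner="Category Manager", mitigation="qualify second toolmaker"),
    Risk("Beta Packaging", "carton price volatility", "financial",
         50_000, 0.30, 60),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.rating():6} {r.horizon().value:11} {r.supplier:16} "
              f"expected loss={r.expected_loss():>10,.0f}")
    print(dashboard(SAMPLE_REGISTER))
```

Ranking by rating first and expected loss second keeps a likely, moderate-value event (the failed audit) above a large but remote one (the long-term capacity gap), which matches the horizon discussion: the medium-term item needs action within the budget period, while the long-term item belongs in strategic planning. The thresholds are the part an organization has to calibrate to its own financials; nothing else in the logic depends on them.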

A Project Management Office (PMO) group should be involved in monitoring each mitigation strategy that is linked to various risk areas. The PMO group should have a central role in coordination with third-party supplier risk initiatives and interact with legal, internal audit, finance, compliance, business operations, and public relations. Finally, third-party compliance procedures should be enacted to help monitor the program's progress and adherence to compliance areas such as legal, security, quality, trade, international transactions and supply movement.

Following are some recommended action items to ensure that the implementation and ongoing oversight phase is controlled correctly:


  • Collect data on a daily, weekly, monthly, quarterly and half-yearly basis for each third-party supplier type
  • Run risk management models and validation checks to ensure consistency
  • Ensure proper communications externally (surveys, site visits)
  • Communicate with stakeholders on the dimensions of risk
  • Liaise with other functions (legal, audit, finance, compliance and BUs) as needed
  • Agree on corrective or preventive actions and assist as needed — especially with high-risk suppliers — and implement recommendations
  • Ensure that the decisions are carried out and the risk is mitigated
  • Repeat the process and convert into longer term effective risk management operations (Third-Party Compliance Program)
  • Conduct monthly steering committee meetings to ensure third-party risk goals are met

While it is impossible to completely eliminate risk, enterprises can adopt a “take-charge” risk management approach to minimize its impact on business performance. Developing and implementing such an approach requires prioritization of risks, mitigation planning and the active involvement of all key stakeholders. For successful implementation of proactive due diligence and risk management strategies, the organization must effectively communicate and apply key supporting measures at the various operational levels, to ensure that they are clearly understood and practiced correctly by all stakeholders. The guidelines above can help an organization plan and implement a proactive, resource-effective program that meets management's core legal, financial and operational risk management requirements.
