A growing number of organisations have recognised the increasingly uncertain risk
picture that results from relationships with third parties. There appears,
however, to be much disagreement about how to effectively identify, quantify,
and mitigate such risks.
Service-provider risk management
In a recent study conducted by ChainLink Research, nearly 50% of organisations indicated that risk assessment played a “critical and mandatory” role in their service provider selection. However, more than 70% of the surveyed organisations reported having no resilience and risk-mitigation standards to which they hold their service providers accountable.
Furthermore, the ChainLink research noted that “the thoroughness of the risk
assessment varies greatly, depending on the company”. Companies lack the
ability to extend risk assessment to subcontractors and tend to focus on the
easiest risks to quantify, such as financial viability or business-continuity
plans.
Supply-side partner risk management
In another study, by Compliance Week magazine, more than 90% of the surveyed
corporate executives said they believe conducting a vendor-risk assessment is
either important or very important. At the same time, though, more than half
were dissatisfied or at best had neutral feelings about their company’s current
approach to vendor-risk assessments. As Compliance Week summarised:
“Vendor-risk assessments continue to confound many companies, even while they
say that getting a handle on supply-chain risk is at the top of their priority
list.”
The top difficulties cited by the survey respondents included a lack of good
data on vendors, poor visibility into the use of subcontractors, and
limitations in comparing vendor risks.
Types of third-party risk relationships:
Demand-side partner risk management
Demand-side third-party relationship risk tends to be industry-specific, and
varies depending on the method of delivery to customers (direct or
multichannel, for example). Often companies lack the infrastructure or
technology to have adequate monitoring in place and handle the volume of
demand-side relationships. It is common for companies to rely solely on the
self-reporting of information.
Risk management of other relationships
Companies often fail to achieve the value they had expected a relationship to
yield. Many times, organisations realise only in retrospect that the foundation
of a particular relationship was never solid – because at the inception of the
agreement, planning was lacking and incentives for success were not built into
the agreement.
The figure below represents a typical supplier risk and relationship management
matrix.
To successfully address the broad range of third-party relationship risks,
businesses must be competent and skilful when identifying, analysing, and
assessing risk, and then developing risk strategies and metrics. These efforts
can be complicated by a variety of factors, both internal and external.
Internal challenges:
Ownership of risk responsibilities
Clearly establishing ownership of third-party relationship risks presents a
significant challenge to most businesses. Multiple layers of ownership often
exist, so it might not be clear who has responsibility for the third-party risk
management framework for the entire organisation and who has responsibility for
the review and ongoing monitoring of individual relationships.
Reactive approach to risk management
In most organisations, adequate risk management involving third-party
relationships is not addressed until a problem has already arisen. By that
time, risk exposure has increased and the opportunity to mitigate is
diminished. A proactive risk assessment of the relationship at the time it is
established, and periodically throughout the course of the relationship, is
thus key.
Traditional metrics that don’t include risk
The supplier scorecards that are often used for vendor selection and to reward
procurement teams typically focus on metrics related to quality, cost, and
delivery, but give little consideration to relationship risk, including the
likelihood and associated potential cost of adverse events. The metrics also
don’t take into account the cost of monitoring and managing the risks.
External challenges:
Complex, global supply chains
One effect of globalisation has been a dramatic increase in the complexity of
identifying and assessing risks. Assessing and auditing compliance in remote
relationships, however, can be costly and complex. Contemporary highly
integrated supply, value, and information chains further complicate risk
assessment. Traditional ways of evaluating and mitigating risk are often
inadequate in an environment of shortened product life cycles, fragmentation of
the supply chain, just-in-time inventory practices, and other business tools that
were once considered exotic but today are the norm.
New disclosure expectations that increase exposure to reputational risk
Today’s businesses are expected to disclose a much broader range of
nonfinancial information to demonstrate their compliance with various
environment, labour, security, privacy, and social standards. Because these
disclosures are often highly dependent on the assertions and reports of
third-party service providers, suppliers, and partners, the means for verifying
the accuracy of third-party data can be extremely limited. Most organisations
do not adequately address risk management involving third-party relationships
until a problem has already arisen.
Complex invoicing
Supplier relationships that are sensitive to prices of commodities such as raw
materials and fuel often involve complex methods of invoicing. In such
instances, prices are often pegged to a market index or other third-party
standard, which adds another layer of complexity to monitoring and contract
compliance activities. Moreover, any hedging tools must be designed carefully
to take such variations into account.
Developing and implementing an organisational supplier risk management
programme, and working effectively to manage risks associated with third-party
relationships, will ensure reduction in costs, effectual management of risk,
focus on core capabilities, and an increase in innovative supplier solutions.
Contributed by: Andrew Hillman, Chief Executive Officer of Bespoke Group and
Publishing Editor of Bespoke Procurement Bulletin
Article first appeared in Bespoke Procurement Bulletin:
www.bespokesourcing.co.za/articles/178839-third-party-risk-management-cause-for-concern-by-andrew-hillman