Proactive management of third-party risk in supply chains

The broad array of risk-related challenges that businesses face today makes it clear that an uncoordinated or case-by-case approach to third-party risk management is no longer adequate. At a practical level, a successful third-party risk management program is typically implemented in three steps, as follows:

1. Establish ownership and buy-in

Planning for change is critical to successful third-party risk management in organisations where the ownership of such risk is dispersed among multiple stakeholders and owners. This planning requires cross-functional coordination, executive leadership and oversight, and clear goals and objectives. The mission of most organisations often includes a focus on strengthening the overall relationship with the third party.

Success factors:

· Clearly establish risk ownership

· Obtain cross-functional input from various stakeholders

· Develop a third-party risk management road map

2. Evaluate risks

Understanding the risk profile of the entire organisation helps focus efforts on the areas of highest risk, which allows the assignment of adequate resources to address specific clauses in an agreement or specific types of relationships or categories of risk. Developing a comprehensive risk landscape is often a helpful first step in evaluating the various risks in a relationship. This step helps avoid taking a one-size-fits-all approach and instead drives focus on the areas of risk and reward to the organisation.

Success factors:

· Identify the high risks inherent in the third-party relationships

· Quantify identified risks

· Establish a plan for moving forward

3. Audit, monitor, and assess

The risk landscape spurs initiatives to audit, inspect, benchmark performance and costs, verify, and gain assurance or attestation. A successful third-party risk management program has an appropriate level of:

· risk measurement and monitoring

· performance measurement and monitoring

· incident tracking

· evaluation of the value received from the relationship

These activities are important for determining when or whether to renegotiate the terms of an agreement. The companies that are most successful in this auditing and monitoring function are those that work to enhance the data they have about their relationships so that they can predict areas of risk more accurately and automate relationship monitoring more effectively.

Success factors:

· Customise the assessment to the relationship

· Use automation to streamline the process

· Analyse trends of incidents across relationships

The figure below details the process that should be followed for the effective management of supplier risk and compliance, using the same approach described above:

Engaging executive management

As already stated, third-party risk planning requires cross-functional coordination, executive leadership and oversight.

The following are some questions related to third-party risks that CPOs, executive management and board members should consider:

· Does our company have a full inventory of its relationships and agreements?

· Have we performed an assessment of the risks to the business or the brand for each of the relationships we have?

· Who owns the assessment of risks?

· What are the key relationship risks and processes in place to manage them? Who is responsible for risk management and monitoring?

· How do we know that our relationships are complying with the agreements in place?

· What are the company policies related to auditing agreements for compliance?

· How do we know our relationships are complying with laws and regulations?

· Which of our key relationship agreements or statements of work have not been reviewed by legal counsel in the past three to five years?

· What procedures do we follow to reassess the risks associated with a relationship prior to the renewal of a contract?

· What types of risks are considered in the selection or renewal process?

· Are any significant risks not considered?

· Do our standard agreements address the key risks of most relationships?

· How do we know the reports we rely on from our third-party vendors are accurate?

· Have we tested our business continuity plans with our principal third-party relationships?

· How dependent are our third parties on subcontractors and subservices?

· What risks are associated with these organisations?

Of course, not all supply chain failures can be avoided, but efforts need to be made to identify supply chain risks and recognise early indicators of failure so that their impact on the business can be mitigated.

The most effective and proven practices for managing supply chain risk are to pre-qualify suppliers properly, measure supplier performance, and engage in effective evaluation and audit with suppliers to proactively address any supply chain risks.

Contributed by: Andrew Hillman, Chief Executive Officer of Bespoke Group and Publishing Editor of Bespoke Procurement Bulletin