
Procurement must identify third-party risk: Owning and mitigating threats

Business performance relies heavily on the strength and efficiency of relationships external to the organization. Our third-party partners’ performance, and exposure to risk, can make or break our own profitability, reputation and overall success if we do not monitor and manage these partnerships strategically.

As supply chains grow, and become ever more interdependent, and as outsourcing booms as an alternative to growing in-house talent, our exposure to risk grows too, and becomes harder and harder to mitigate.

The far-reaching effects of failing to identify third-party risk have become a board-level issue, and procurement organizations are taking a leading role in proactively identifying, mitigating and managing those risks. The precise consequences of a disruption are difficult to measure and quantify, because the scale on which disruption now occurs is generally much larger than in the past and brings new risks with it: high-profile business failure, accountability for illegal third-party action, and regulatory enforcement with punitive fines.

Third-party risk goes beyond the supplier

By risk, we often think of supplier risk, or supply chain risk, but in reality, third-party risk goes way beyond that. The whole ecosystem that surrounds a business is susceptible to a dangerous ripple effect from any failure — be that from the supplier, the distributor, the support services provider, the sales or marketing agent, and any affiliated bodies, subsidiaries or joint ventures.

In industry today there are significant differences in how risk is perceived by procurement practitioners and by risk specialists, even though the latter tend to sit within the procurement organization. Broadly, procurement practitioners rely on software and take a tactical view of risk, while the risk professional takes a far more strategic perspective. Like the risk professional, the CPO has to take that strategic view, which means factoring risk in before sourcing even begins, but that is hard to sell.

Things to think about strategically for risk

From planning to strategic sourcing all the way through vendor selection, supplier selection, due diligence, contract negotiation, monitoring and termination, that cycle is a very strategic operation. It is not a transactional process, and it takes time and effort to do well. Treating the risk involved as purely supplier-related is short-sighted, because risk can come as much from upstream as from downstream.

Your channel partners, distributors and agents all pose different nuances of risk, different again from those posed by the supply chain, and many companies struggle to understand how far-reaching that impact can be. There are several important things to think about strategically when considering risk:

  • Data modeling — Understanding how far-reaching that risk can be is a data modeling challenge: how are supply chain entities tracked, and how are they associated with one another? That model is what lets the business make data-driven decisions.
  • Look beyond spend — Most companies still treat spend as the main dimension of risk, or as the driving force behind it, but spend is only one leg of the stool. You have to look at the criticality and strategic importance of every relationship, upstream or downstream. Thinking only in terms of supplier or vendor risk is too limiting.
  • Contract — There are many integration points to identify throughout the third-party management cycle, from planning through due diligence and third-party selection, depending on the nature of the work and the profile of the third party you are going to work with. So how do you structure a contract for that? It requires a strategic approach that drives specific contract clauses: your legal, procurement and sourcing teams need to know what matters most contractually and which areas to focus on, based on the risk profile.
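The ripple effect and the data-modeling question above come down to one structure: a graph of who depends on whom. What follows is an added example, not code from the original article or from any vendor's product. The ecosystem, entity names and spend figures are constructed for illustration, and the edge direction ("a depends on b"), the tier numbering and the ranking rule are assumptions. It computes the blast radius of a failure anywhere in the ecosystem, the tier (third party, fourth party) of each upstream entity, and ranks entities by how much of the ecosystem fails with them rather than by spend.

```python
from collections import defaultdict, deque

# Constructed sample ecosystem for illustration; names are invented, not real companies.
# Each edge (a, b) means "a depends on b", so a failure at b ripples to a.
# Direct counterparties of "us" are third parties; their own counterparties are fourth parties.
ECOSYSTEM = [
    ("us", "widget-supplier"),
    ("us", "web-agency"),            # outsourced website management, a bundle of services
    ("web-agency", "copywriter"),    # the agency's subcontractors are our fourth parties
    ("web-agency", "hosting-co"),
    ("widget-supplier", "raw-material-co"),
    ("distributor-east", "us"),      # downstream: a channel partner who depends on us
    ("agent-apac", "us"),
    ("customer-x", "distributor-east"),
]

# Annual spend per direct relationship (constructed). hosting-co has no spend line at all:
# we never pay them, yet the graph shows they can take our website down.
SPEND = {"widget-supplier": 2_000_000, "web-agency": 150_000}


def build_reverse_index(edges):
    """Map each entity to the set of entities that depend on it."""
    dependents = defaultdict(set)
    for a, b in edges:
        dependents[b].add(a)
    return dependents


def blast_radius(edges, failed):
    """Return {entity: hops} for every entity affected if `failed` stops delivering,
    walking the dependency edges in reverse, breadth-first."""
    dependents = build_reverse_index(edges)
    hops = {failed: 0}
    queue = deque([failed])
    while queue:
        cur = queue.popleft()
        for nxt in dependents[cur]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def party_tier(edges, root="us"):
    """Hops from `root` along 'depends on' edges: 1 = third party, 2 = fourth party, and so on.
    Downstream partners (who depend on us) are not reachable this way and are not tiered."""
    forward = defaultdict(set)
    for a, b in edges:
        forward[a].add(b)
    tier = {root: 0}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in forward[cur]:
            if nxt not in tier:
                tier[nxt] = tier[cur] + 1
                queue.append(nxt)
    return {entity: t for entity, t in tier.items() if t > 0}


def criticality_ranking(edges, root="us"):
    """Rank every upstream party by the number of other entities that fail with it,
    with spend carried along only for comparison. Sorted by affected count, then name."""
    ranking = []
    for party in party_tier(edges, root):
        affected = blast_radius(edges, party)
        ranking.append((party, len(affected) - 1, SPEND.get(party, 0)))
    ranking.sort(key=lambda row: (-row[1], row[0]))
    return ranking


if __name__ == "__main__":
    for party, affected, spend in criticality_ranking(ECOSYSTEM):
        print(f"{party:18} tier={party_tier(ECOSYSTEM)[party]} affected={affected} spend={spend}")
```

Run as-is, the ranking puts the three fourth parties (each with zero spend in our books) ahead of the two direct suppliers, and shows that the 150,000 website agency and the 2,000,000 widget supplier have the same blast radius. That is the "look beyond spend" point in data form: the entities procurement never pays are the ones with the widest ripple.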

A holistic view

Practically speaking, what organizations are still missing today is a holistic solution. All aspects of third-party risk management (TPRM) need to be woven into the overall sourcing, contract and procure-to-pay (P2P) use cases. They have always been treated as a siloed problem, which they are not.

TPRM must start at pre-sourcing, before you even decide to create a sourcing event. Even professionals who understand this do not necessarily have the right solution to do it well and seamlessly; that requires a solution that integrates all of those points.

To get to this holistic picture you don’t just need tools, you need advice and help with a structured and strategic approach, especially in conducting assessments on third parties — which, ironically, is a huge market for outsourcing!

So what does this full approach look like?

  • Risk — You need an accurate picture of the current situation, with risks scored and prioritized, based on their likelihood of occurrence and potential impact on business.
  • Governance — Once risks are identified and prioritized, you need a comprehensive risk mitigation plan based on short-term, medium-term and long-term risks. The right people must be in place to implement and manage the risk management plan.
  • Mitigation — Having a plan in place is not enough on its own. Risk mitigation initiatives and their progress must be monitored and tracked to make sure they are working in the real risk environment, with contingency measures in place.

Whose risk is it?

You have to think about risk downstream as well as upstream. For CPOs, that means thinking about the whole host of third parties between you and your customer.

You can outsource that work, but you can’t outsource the risk.

Every third-party company in your ecosystem may be representing you, and when things go wrong it is still your problem. So the CPO must not forget that risk can also come from third parties that are usually downstream and not in the P2P system.

The other very difficult area of risk mitigation for procurement is services. Outsourcing corporate website management, for example, is a whole project involving many services, such as copywriting, design and administration, all bundled under one agency. By its nature this is hard for procurement to mitigate, as there is no single formula, unlike for a widget or product; the risk is nuanced and tends to be subjective. But risk must be factored in at the time of sourcing, otherwise it becomes a siloed implementation.

Inherent risk

One of the things you have to do in the risk mitigation process is "pre-sourcing." For optimum mitigation, when your business units ask for a product or service, you need at least an inherent risk model driven off the product or service classification that you use, which most large companies already have.

Inherent risk is the level of risk in the work itself, before any controls the third party may have in place, and it is especially pronounced for services work. So the first step is to establish an inherent risk profile from the nature of the engagement across the domains it touches (information security, business continuity, reputation, privacy, regulatory risk and so on), and then use that profile to drive the depth of due diligence on the chosen third party.

After the contract is negotiated, you have to be able to draw on the covenants in the contract to monitor that risk through the lifecycle of the relationship. Some contracts are long-term and will not be revisited every year, but remember that the risk does not go away at the end of a three-year contract; it must be continually monitored. If you consider giving the third party more business, that may change its risk profile and could require remedial action. You also need a plan for what happens if the relationship breaks down.
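The inherent risk model this section describes, scored by likelihood and impact as in the holistic approach above and re-run when the scope of the relationship grows, as an added example that is not from the original article. The classification seeds, impact drivers, score thresholds and tier names are constructed assumptions, not any organization's or vendor's actual model, and the third-party names are invented.

```python
from dataclasses import dataclass, replace

# Risk domains named in the text. Every number below is a constructed illustration.
DOMAINS = ("information_security", "business_continuity", "reputation", "privacy", "regulatory")

# Inherent-risk seed per product/service classification: likelihood (1 low .. 5 high) that a
# failure in this KIND of work touches each domain, before any controls the third party has.
# A widget carries little privacy risk; a website bundle carries a lot.
CLASSIFICATION_LIKELIHOOD = {
    "commodity-goods":     dict(zip(DOMAINS, (1, 2, 1, 1, 1))),
    "website-management":  dict(zip(DOMAINS, (4, 3, 4, 4, 2))),
    "payroll-outsourcing": dict(zip(DOMAINS, (4, 4, 3, 5, 5))),
}


@dataclass
class Engagement:
    third_party: str
    classification: str
    annual_spend: int
    # Impact drivers: how bad a failure is given how much of our business rides on it.
    customer_facing: bool = False
    handles_personal_data: bool = False
    sole_source: bool = False


def impact_score(eng: Engagement) -> int:
    """Impact 1..5 from the engagement's footprint; spend is one input, not the only one."""
    score = 1
    if eng.annual_spend >= 1_000_000:
        score += 1
    if eng.customer_facing:
        score += 1
    if eng.handles_personal_data:
        score += 1
    if eng.sole_source:
        score += 1
    return min(score, 5)


def inherent_risk(eng: Engagement) -> dict:
    """Per-domain likelihood x impact (1..25) plus the overall score, taken as the worst domain."""
    likelihood = CLASSIFICATION_LIKELIHOOD[eng.classification]
    imp = impact_score(eng)
    per_domain = {d: likelihood[d] * imp for d in DOMAINS}
    return {"domains": per_domain, "overall": max(per_domain.values()), "impact": imp}


def due_diligence_tier(overall: int) -> str:
    """Map the overall inherent score to the depth of due diligence to run (thresholds constructed)."""
    if overall >= 16:
        return "enhanced"   # evidence-based review, e.g. security and continuity assurance
    if overall >= 8:
        return "standard"   # questionnaire plus evidence for the high-scoring domains
    return "basic"          # self-attestation and sanctions/financial screening


def focus_domains(per_domain: dict, threshold: int = 15) -> list:
    """Domains that should drive contract clauses and ongoing monitoring."""
    return sorted(d for d, score in per_domain.items() if score >= threshold)


def reassess_on_scope_change(eng: Engagement, **changes) -> dict:
    """Re-run the model when more business is given. Flags remedial action when the
    due diligence tier rises, so the change is treated as a risk event, not just a bigger PO."""
    before = inherent_risk(eng)
    after = inherent_risk(replace(eng, **changes))
    tier_before = due_diligence_tier(before["overall"])
    tier_after = due_diligence_tier(after["overall"])
    return {
        "before": tier_before,
        "after": tier_after,
        "requires_reassessment": tier_after != tier_before,
        "new_focus": focus_domains(after["domains"]),
    }


if __name__ == "__main__":
    web = Engagement("web-agency", "website-management", 150_000, customer_facing=True)
    widget = Engagement("widget-supplier", "commodity-goods", 2_000_000)
    for eng in (web, widget):
        r = inherent_risk(eng)
        print(eng.third_party, r["overall"], due_diligence_tier(r["overall"]))
    # The agency is later asked to run the customer portal and becomes the only provider.
    print(reassess_on_scope_change(web, handles_personal_data=True, sole_source=True))
```

Two things fall out of running it. The 2,000,000 commodity supplier lands in the basic tier while the 150,000 website agency lands in standard, which is the "look beyond spend" point in numbers. And handing the same agency the customer portal moves it to enhanced with information security, privacy and reputation as the contract and monitoring focus, without a single new sourcing event having been raised.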

A question of priority

In reality, lack of CPO awareness is not the issue with risk mitigation; the issue is how much priority a company gives it, and that is driven by its imperatives. If there is a regulatory imperative, risk is given more attention. Another big driver of risk priority is fear, especially of cyber-attacks. Unfortunately, the other thing that deters a company from giving risk a high profile is often cost: the cost to the business.

Reputational concerns, however, are pushing risk toward the forefront of companies' minds. They are beginning to realize that a holistic third-party management program, integrated with every intervention, is paramount for business continuity, even though it is not a trivial endeavor in effort or cost.

Supply chain risk, especially contractor risk, is a hard problem to solve and is often costly to tackle in-house. Tools alone, however sophisticated, will only get you so far. Expert advice from a third party able to address the problem beyond software is key: experience matters, and you need expertise with an integrated view of risk and an in-depth understanding of the damage it could do.

Who is responsible for risk in a firm today?

The job of identifying and communicating risk is vast, but it all flows through one department that has to administer it: procurement. While certain aspects, such as compliance and information security, are the purview of the CCO, the CPO has overall responsibility for procurement's execution strategy. Procurement is an important line of defense against risk.

What can the CPO do to kick-start the process of taking risk more seriously?

  • Changing mindsets is hard, but fear is a good motivator, so communicate the consequences of failing to manage third-party risk.
  • Portraying risk as a strategic differentiator rather than a problem to solve elevates risk management as a priority: a better risk profile makes you a better company for your customers.
  • Present risk as more of an opportunity than a cost. Future-thinking CPOs need to be able to do this even while caught in the quicksand of daily challenges.
  • Justify the expenditure, which is not easy: how do you prove that a bad outcome did not happen? Give frequent examples of problems arising from poor third-party management, with the message: do we want this to happen to us?

The best outcome is to have risk tightly integrated with all procurement strategies. Many organizations already have a solution for one risk area, anti-bribery or fraud, for example, but unless it is integrated it works in a silo.

A holistic system will give visibility across the spectrum of risk and enable real-time monitoring using embedded analytics. It will allow you to work closely with supply chain partners to develop efficiencies and give you the flexibility to rapidly adapt to supply chain disruptions and execute new corporate strategies with minimum impact.

And remember, real supply chain resilience will come not only from supply market intelligence and powerful diagnostic tools, but from your risk adviser, supported by world-class infrastructure and a rich knowledge base of supply chain best practice methodologies.