Third-Party Risk and What to Do About It
In March 2011, a major earthquake and tsunami hit Japan. Beyond the immediate devastation inflicted on residents of the area, the disaster revealed a significant vulnerability to unexpected parts shortages and supply chain disruptions in a broad range of industries. Unprepared companies around the world suddenly found themselves confronting ripple-effect issues from quality control and customer service to business interruptions.
Supply chain and other third-party risks are understandably capturing increased attention these days. The potential repercussions of disruptive natural and human-made events, whether isolated or simultaneous, highlight the importance of planning for and managing such risks. The companies that have identified their risks in advance and planned for these contingencies are the ones best positioned to survive the disruptions that result when third-party risks manifest.
The Current Environment
A 2012 survey of U.S. manufacturers found that 75% of the respondent corporations had experienced harm from the action or inaction of a third party—for example, lost customers because of a third party’s poor-quality service, data breaches resulting from a third party’s poor security practices, or supply chain issues stemming from a third party’s poor disaster recovery procedures. These risks have always existed, but the significant jump in the use of third parties has compounded them. Moreover, today’s supply chains are more accurately described as “supply webs,” with multiple tiers of vendors that serve a manufacturer’s own vendors. This more complicated configuration makes it more difficult to identify where the risks lie and manage them appropriately.
Yet many companies have been slow to manage their entire risk profiles, and third-party risks are often among those overlooked. Few organizations assign an “owner” to third-party risk specifically; instead, ownership of such risk management activities tends to be spread out across the company and conducted with no enterprise-wide governance or reporting on risk management efforts. When each business segment manages its own third-party risks from a silo, it’s difficult, if not impossible, for a company to see all of its risk exposures. Indeed, many companies are unable to produce a list of their first-tier suppliers, let alone their second- and third-tier suppliers.
Third-Party Threats
Many companies rely heavily on third parties like material suppliers and vendors to help them meet both their contractual obligations and consumer demand. This reliance is not without its risks, though, including the following:
Regulatory and legal violations. Regulation and enforcement have intensified globally. For example, public company manufacturers must satisfy certain requirements for using “conflict minerals” (cassiterite, wolframite and other minerals from the Democratic Republic of Congo and bordering countries), and more and more industries are becoming subject to privacy regulations regarding consumer and financial data. The U.S. government is also stepping up its enforcement of laws like the Foreign Corrupt Practices Act (FCPA) to confirm compliance. Domestic companies could be found liable for the illegal actions of their suppliers in foreign countries. Even if absolved of guilt, the cost of an FCPA investigation could exceed 5.1% of a company’s total market capitalization.
Breaches of systems and data. The media are rife with reports of systems and data breaches at high-profile companies. Even manufacturers with robust data security systems remain susceptible to breaches as a result of weaknesses in the systems of third parties that possess sensitive information or are granted access to systems or intellectual property. Even when the breach is caused by a vendor, the responsibility still lies with the company to report and resolve the issues caused by the breach.
Reputation damage. Unexpected revelations about, for example, distant suppliers’ poor labor and environmental practices can infect their domestic customers too, shaking stakeholder confidence even in companies with solid reputations otherwise. A number of well-known global brands have taken reputation hits from labor issues with overseas suppliers. The risk of reputation damage is particularly worrisome given how brand has come to account for a significant percentage of companies’ intangible assets. An Oxford Metrica study suggests that a company that experiences an “extreme reputation event” has an 80% chance of losing at least 20% of its value (over and above the market) in any single month, in a given five-year period. In each case examined in the study, the value loss was sustained.
Financial dependence. Volatile commodity prices have produced rapidly changing cost structures for suppliers in virtually every industry, leaving companies that direct their business to a single supplier of a vital item or service at risk of unpredictable price swings or shortages. Such companies also make themselves dependent on their suppliers’ viability—where will they turn if the primary supplier of an essential component goes out of business?
Systemic events. Companies look to third parties to control increasingly critical portions of their IT infrastructure. Ensuring the resilience and continuity of systems, as well as of human resources, challenges companies as they consider potential events that could have a significant impact on their business.
Geopolitical events. Events like the Arab Spring can have business effects far beyond the involved countries’ borders. If a company outsources system development to a turbulent foreign country, how will it react in the face of uprisings and potential Internet blackouts that could make suppliers and vendors located there unavailable?
Three Steps for Effective Third-Party Risk Management
A successful third-party risk management program can be implemented by taking the following actions:
1. Establishing ownership and buy-in. Ownership for third-party risk management should be centralized, rather than dispersed among multiple owners and other stakeholders. Making a dramatic change like this requires cross-functional coordination, executive leadership and oversight, and clear goals and objectives, as well as a clear road map for third-party risk management.
2. Evaluating risks. The company must determine the risk profile of its extended enterprise so that it can focus its risk management efforts on the areas of highest risk. Each third-party relationship should be evaluated in terms of quantified information, integrity, technology and financial risks.
3. Auditing and monitoring. The program should provide for ongoing risk measurement and monitoring, performance measurement and monitoring, incident tracking, and evaluation of the value received from each relationship. These activities are important for determining when or whether to renegotiate agreements with third parties. The companies most successful in this auditing and monitoring function are those that work to enhance the data they possess about their relationships so that they can predict areas of risk more accurately and automate relationship monitoring more effectively.
Surviving in the New World
The complex extended web of relationships with third-party suppliers and vendors is the lifeblood of many companies today. Their risks are also your risks and require appropriate management on your end. Taking the steps above to improve your third-party risk management can provide peace of mind and continued success for the long term.
Rick Warren, CIA, CRMA, is a principal with risk consulting services at Crowe Horwath LLP in the Atlanta office. Mike Varney, CPA, CIA, is a principal with risk consulting services at Crowe Horwath LLP in the Cleveland office.