Blogpost

How to Prevent Third Party Risk Management from Running Aground

Before the massive container ship Ever Given was dislodged from the banks of the Suez Canal, the event captured global attention and triggered enlightening refresher courses on supply chain risks, logistics innovations, scenario planning, maritime risks, politics, history and even physics. The Suez snafu also generated concerns about high-seas piracy, plenty of clever Internet memes and some eye-popping statistics – like this one: if removed and placed end-to-end, the 20,000-plus shipping containers on the Ever Given would reach a length of 75 miles.

 

Here’s another surprising stat that’s relevant to the current state of third party risk management (TPRM): During the past 10 years, an average of about 100 container ships are lost or critically damaged in accidents. The shipping industry’s risk management proficiency could use improvement – just like TPRM programs in more than a few organizations.

 

The problem, according to maritime experts cited in a recent Atlantic article, is a widespread lack of bridge resource management (BRM) maturity. The term – also referred to as Bridge Team Management – is a decision-making and risk management framework designed to leverage all available resources, expertise and information during critical operations and amid fluid conditions. BRM is also intended to overcome the longstanding tendency of ship captains to operate with absolute authority and unquestioned power. While the shipping industry contends with the ineffective BRM, the airlines industry – from which the BRM framework was adapted – has thrived, notes Atlantic writer David Graham: from 2009 to 2019, he notes, not a single fatality occurred on an U.S. airlines flight.

 

As I mentioned in a previous post, less than half of all organizations have “fully mature” TPRM programs, and one-third of companies have only “ad hoc” programs – or no TPRM processes at all – in place. That level of maturity veers closer to shipping than it does to the airlines. This is a concern given that third party risks, just like global supply chain and logistics challenges, are continually shifting and quickly intensifying.

 

Santa Fe Group Senior Advisor Gary Roboff groups the factors currently driving third party risks into different categories, including:

  • Socioeconomic forces: This diverse grouping of issues ranges from the industrial espionage and sabotage (e.g., intellectual property (IP) theft, that’ s become commonplace in the manufacturing sector) to geopolitical risks to regulatory compliance mandates to climate risks. Before the blocked Suez Canal impeded global supply chains, a fire in a Japanese chip factory caused major automakers to reduce production and temporarily close some factories. The sustained freeze that struck Texas in February curtailed production of plastics in the state’s massive petrochemicals manufacturing segment, which also sent supply chains reeling.
  • Technological forces: These challenges include cyberwarfare, ever-increasing instances of cyberattacks by criminals and hackers, and risks associated with other advanced and emerging technologies, such as quantum computing. “The accelerating pace of IoT usage inside companies and among their vendors frequently extends far beyond the boundaries of prudent data security and third party risk management practices,” notes Santa Fe Group Senior Advisor Charlie Miller . “The challenge in not keeping up could pose some spine-tingling IoT scenes in the coming months.”
  • Demographics and talent management: “Gaps in availability of talent and burnout are increasing threats, in part due both to the changing nature of population pyramids and geopolitical forces,” Roboff notes. For example, when borders are sealed due to a pandemic, a weather-related disaster or a geopolitical flare-up, talent pools are lost or compromised. Plus, as larger numbers of older workers retire,” Roboff adds, “skills gaps are beginning to have a significant impact on risk management. The historical knowledge of organizations is being lost during this retirement process.”

 

TPRM professionals confronting these challenges may gain some useful insights from the shipping industry’s post-Ever Given improvement plan. The strategy is straightforward, according to a leading industry expert Graham cites:

  • Develop and implement more up-to-date and rigorous BRM guidelines;
  • Overcome a pervasive resistance to change; and
  • Increase investments in risk management capabilities.

 

A similar game plan would work well for organizational TPRM programs. Besides, a set of up-to-date and rigorous standards already exist in the form of the Shared Assessment Program’s TPRM Framework – a system of best practices that fundamentals that serve as the foundation for mature programs.

 

As organizations (i.e., outsourcers) increase their reliance on third party partners, there is a growing risk that insufficient evaluations and monitoring of vendors could lead to critical damage. Reducing those risks requires some organizations to dislodge their TPRM programs from a lagging state of maturity.