Answer the following questions as if your company’s future depends on it — because it does:
- Does your third-party risk management team understand the incremental risks associated with an increasingly complex supply chain?
- Does your team express that understanding in quantifiable terms?
- What is the level of confidence that your team has it under control?
Last spring, we wrote about how increasing numbers of vendors and interdependencies in complex supply chains can create an opaque view of operations that makes it difficult to readily recognize and mitigate risks. Each new link or service expansion in the outsourcing chain presents the enterprise with a potential threat and a potential opportunity. The deciding factor often boils down to how well your managers understand the complexities of your supply chain, and their ability to quickly assess the risks presented at any stage in the chain.
The challenges of complex supply chain management were present before the pandemic; however, the current operating environment has significantly heightened the risk. An enhanced level of competence in managing and understanding third, fourth and Nth party monitoring, by identifying relevant risk indicators and producing actionable metrics, is no longer just an option. We believe organizations that cannot clear these hurdles must identify gaps in their processes and respond by establishing and implementing a Corrective Action Plan consistent with company protocols. Nearly two years into the pandemic, these practices are now essential for maintaining enterprise resilience and business continuity.
The opacity of complex supply chains has kept pace with the growth of Third Party Risk Management (TPRM), and for some sectors and industries, surpassed it. So, let us ask the question in a different way: Is your organization really paying attention to what it’s receiving from third parties and identifying both every participant in the value chain, and its location? The current concern and remediation challenges from the Log4j situation have placed a spotlight on the critical importance of knowing all internal and external exposures from anyone using Java. Ransomware and fraud continue to be major threats to most enterprises, but they are not the only ones that can cause damage via third, fourth, and Nth parties. The risk assessment and management practices your organization undertakes to mitigate these threats must now be applied, to various degrees, throughout the entire supply chain.
After the Colonial Pipeline incident last summer, your teams should have an understanding of how a complete failure of the electrical grid can cause as much, or more, damage to your business as an efficiently designed and deployed ransomware attack. Do they know how to assess your company’s risk to both scenarios? Can they identify and assess how dozens, even hundreds, of other events can create incremental harm that can cascade into a debilitating crisis?
Are your contracts sufficiently comprehensive? Responsibility can be passed on to a 3rd or 4th party, but accountability cannot. Contracts set the parameters, but they do not predict risk, prevent an event or support remediation. That is the lesson of the pandemic as we have watched it play out across the globe. Furthermore, once the pandemic is no longer the disruptive and destructive force it has been since March of 2020, we can be certain new challenges, both operational and regulatory, will emerge in the “new normal.
Success in managing complex outsourcing and supply chains requires proactive governance of your TPRM program. Boards and C-level managers should ask questions that reveal what your managers and practitioners know and do not know. What’s known needs to be assessed, challenged, and monitored. What are unknown needs to be identified and then subjected to the same correction protocols.
Meeting these challenges is not just about cyber hygiene, which remains important. It’s about relationships — between your teams and your partners. For example, an enterprise might have well-defined, articulated rules and processes for adhering to internal ESG (environmental, social, and governance) expectations and goals. However, many organizations find those expectations are unrealistic for their suppliers, who may ignore or even subvert them. Internal teams with close supplier working relationships are most likely to accurately identify, document, and address problems within a reasonable time frame.
Two more key questions:
- Do you know what you want from your TPRM team and its processes?
- Have you told your third-party risk experts what you want from them, and do they understand how to get it?
If there are doubts, bringing in an external partner to review and assess the comprehensiveness of your processes and your team’s knowledge levels is a good standard practice.
Experience has shown that internal information and process silos can hinder your goals if left unaddressed. Such silos or isolated departments can result in duplicated efforts and costs. They can also undermine assessment results that can in turn undermine your entire TPRM program. Identifying these silos, mitigating their impacts, and preventing new ones from forming should be part of the overall TPRM process.
Shared Assessments has examined these issues and questions in depth. In response, we have developed assessment tools that provide C-Suite executives with the means to get the right answers from their teams. Having this knowledge, and acting on it, can make all the difference in avoiding an attack or challenge arising from a third, fourth, or Nth party, and staying resilient, and maintaining continuity during a challenge or crisis that originated from deep inside a complex supply chain.
Aggressively managed TPRM programs lead to TPRM maturity, improved resilience, increased agility, and improved loss avoidance. C-suite executives should assess the aggressiveness of their organization’s third and Nth party assessment programs. The TPRM team should be able to comprehensively demonstrate that the organization’s processes incorporate full-spectrum risk intelligence monitoring and leverage current intelligence to provide focused, risk category-specific reviews. Complex supply chains are difficult to manage, but achieving these three goals can significantly improve program governance and third (Nth) party risk management:
- Know, update, and inventory your complete supply chain.
- Understand the level of cross-vertical exposures.
- Identify and implement monitoring programs and related metrics that are appropriate to tracking changes in risk exposure across the chain.
Shared Assessments continues to monitor and evaluate best practices for complex supply chain governance. A vital component of successful programs is assessments based on data sets that are appropriate to increasingly complex supply chains and outsourcing environments. We are committed to assisting your teams to conduct effective, focused, and timely risk assessments because today’s rapidly changing risk environment will only grow more complex tomorrow.