Organizations face multiple supplier risks, ranging from IT and security to operational, financial, legal, brand, and reputational risks. Unmitigated risks can severely obstruct growth, hit profit margins, and cause a decline in client and employee confidence. Read this article to understand the key elements for managing global supply chains effectively.
When the globalization wave swept in around 20 years ago, it promised to swell the economies of rich and poor countries alike, and offered opportunities to businesses to tap into the potential of newer markets. Organizations were able to net in massive profits by increasing outsourcing and third-party involvement in their regular day-to-day processes. Besides the appeal of expansion, companies saw numerous opportunities and benefits: production and support units could be outsourced to countries where labor is inexpensive, allowing them to focus on core business activities; gaps in operational capabilities, expertise, and experience could be easily filled with access to resources and specialized skills overseas; and business capabilities could be advanced by allowing third parties to provide goods and services that may not have been a part of their core business function. However, few were prepared for the undercurrents that threatened to rock the boat: the complexity of global supply chains and the assessment of the risks involved.
In an interview with The Wall Street Journal, fashion designer Raf Simons said, “Fashion is such an octopus. You're connected to so many people: suppliers, pattern makers, production teams, marketing teams, vendors...” [1] This holds true for any industry. Quite often, when organizations deal with multiple third parties, it does begin to feel much like an octopus, with their supply chains stretched further than they ever thought possible.
Large companies or designer labels don’t actually manufacture, but focus on designing and selling their product; automobile companies would outsource manufacturing and assembling to countries where raw materials and labor can be procured at a lower cost and are more readily available. However, all of this comes with enormous risks which can have devastating effects if not planned for and mitigated in time.
Take the 2013 data breach that shook the foundations of Target Corp. and brought to light just how vulnerable companies can be to their third parties. Two years later, the company agreed to settle for $39 million with several US banks. [2]
Since late 2010, Boeing’s 787 Dreamliner has been grounded because it has been unable to source sufficient parts through its supply chain [3]. More recently, Toyota reported that it would have to stop its production temporarily due to shortages of parts following an explosion at one of its suppliers. [4]
While sourcing raw materials, resources, and information through the supply chain, or outsourcing business processes to third parties, organizations face multiple third-party risks ranging from IT and security risks, operational risks, and financial risks, to legal risks, and brand and reputational risks.
The astonishing number of incidents that have rocked the business world, such as data breaches, supply chain disruptions, and fraud, has often been linked to poor third-party risk management. Organizations are continually faced with challenges in managing a vast network of suppliers, including conducting due-diligence assessments, monitoring supplier performance and stability, and making sure that risks to the organization’s sustainability are kept in check. Additionally, organizations need to ensure that their suppliers are compliant with regulations and standards, as well as corporate guidelines.
MetricStream conducted a survey in 2015 of more than 100 supplier compliance and governance professionals, which revealed that more than 50 percent of the respondents faced issues of non-compliance around management systems and documentation, and 29 percent highlighted non-compliance issues on environment, health, and safety standards [5]. This underscores the urgency for organizations to step up efforts to identify and mitigate supply chain risks.
Regardless of who is to blame, organizations are left with huge repercussions in terms of data loss, a decline in client and employee confidence, reputational damage, financial costs, and legal penalties. In short, accountability cannot be outsourced. This cannot be stressed enough, and regulators demand that organizations take a more proactive approach to identifying and assessing their third-party risks.
The complexity of global supply chains lies in the fact that they are vulnerable to political and economic changes, communication failures, non-compliance with source-country regulations and guidelines, as well as terrorism and natural disasters. Many organizations have accepted this as the new cost of doing business, only to face the crippling effects of things going wrong.
However, these need not be acceptable conditions under which organizations do business. The key lies in identifying high-risk areas, assessing and implementing risk mitigation strategies, and developing a contingency plan for when disaster strikes. While this may appear to be a tall order, in the long term, it proves to be more cost-effective than responding to issues and incidents after they occur.
In a survey conducted by PwC, 74 percent of surveyed companies did not have a complete inventory of all third parties that handle the personal data of their employees or customers; and 73 percent lacked incident response processes to report and manage breaches by third parties that handle data. [6] These are alarming statistics, considering the damages that data breaches by third parties can inflict on an organization.
Organizations can no longer think of third parties only from a cost-savings perspective. They have to create a well-thought-out risk management plan that helps increase visibility into vendor risks across the enterprise, identify which risks require the most attention, and implement effective controls and mitigating actions when an issue arises.
Building robust global supply chains can only happen when organizations strengthen their relationships with their suppliers, and involve them in the supply chain risk management process. The relationship formed between the two companies should be beneficial to both, enhancing performance, and improving profits.
Nissan and Renault are unique examples of this line of thinking. Their guideline, The Renault-Nissan Purchasing Way [7], is a commended best practice that emphasizes the need for organizations to build strong relationships with their suppliers, where the supplier is aware of the organization’s principles and objectives, and collaborates with the organization to promote customer success and ensure sustainability for both parties.
Robert J. Schneider, Managing Principal, Risk Management, ISO, in an article on Supply Chain Risk Management, stated that “risk managers - in cooperation with senior management - must embed risk management practices into all mission-critical points along the supply chain. By teaching risk management techniques to key supply chain personnel, risk managers can encourage the use of appropriate risk-based decision-making techniques.” [8]
That being said, risk management should begin at the strategic level. Organizations need to implement a holistic third-party management solution that consolidates all supplier-related data and provides deep visibility into risks across the global supply chain. Such a program needs to draw from all facets of the organization – be it operations, sales, marketing, finance, legal, or IT – identify and prioritize critical risk areas, and implement effective controls.
However, before conducting risk assessments, it is imperative to consider, during the on-boarding and screening process, factors such as who the suppliers are and what services they provide. Suppliers can then be categorized according to the risk they bring in, based on the product or service they offer, their country of origin, as well as their operational locations. To make sure this process is effective, risk assessments need to be periodic to determine changes in risk levels, identify new risks, and ascertain how secure suppliers are. It would also do well to keep a check on fourth parties or sub-contractors – usually by adding a restrictive clause in their contracts to inform and get approvals for any sub-contracting.
It goes without saying that technology plays a critical role in strengthening these processes by streamlining the entire cycle of third-party management, and providing visibility into risks and compliance issues. An integrated technology solution offers organizations a common platform, which can scale across the global supply chain, to gather information on supplier contracts, profiles, factory details, and certifications on a common repository. Additionally, these advanced solutions also source industry content to aggregate, validate, and enrich third-party data, helping organizations to identify high-risk third parties. This allows organizations to garner real-time intelligence on their entire global supply chain to make better-informed business decisions.
Furthermore, it is vitally important for organizations to ensure that they have a robust business continuity and disaster recovery strategy in place. Suppliers and third parties should be included to ensure that in times of disaster, effective measures can be taken across the entire supply chain to keep the business running.
John W. Henke, Jr., author of OEM Profitability and Supplier Relations, President and CEO of Planning Perspectives, Inc., and Professor of Marketing at Oakland University in Michigan, said, “All of the major automakers could be making hundreds of millions dollars more annually if they focused more on improving their supplier relations.” [9] Communication, effective controls, validation of those controls, and strategic disaster recovery planning should all tie into the supplier-organization relationship.