When the globalization wave swept in around 20 years ago, it promised to swell the economies of rich and poor countries alike, and offered businesses opportunities to tap into the potential of newer markets. Organizations could net massive profits by increasing outsourcing and third-party involvement in their regular day-to-day processes. Besides the appeal of expansion, companies saw numerous opportunities and benefits: production and support units could be outsourced to countries where labor is inexpensive, allowing them to focus on core business activities; gaps in operational capabilities, expertise, and experience could be easily filled with access to resources and specialized skills overseas; and business capabilities could be advanced by allowing third parties to provide goods and services that may not have been a part of their core business function. However, few were prepared for the undercurrents that threatened to rock the boat: the complexity of global supply chains and the impact of the risks involved. Here are the 5 essential aspects of managing supply chain risks in today’s world:
The astonishing number of incidents that have rocked the business world, such as data breaches, supply chain disruptions, and fraud, has often been linked to poor third-party risk management. Organizations are continually faced with challenges in managing a vast network of suppliers, including conducting due-diligence assessments, monitoring supplier performance and stability, and making sure that risks to the organization’s sustainability are kept in check. Additionally, organizations need to ensure that their suppliers comply with regulations and standards, as well as corporate guidelines.
MetricStream Research’s recent survey on “How Organizations Are Managing Third-Party Risks” revealed interesting insights into how organizations approach incidents involving suppliers, evaluate the associated risk posture, respond to loss impact, and adopt technology to prevent future incidents. The survey was conducted across 85 respondents from 40+ organizations. According to the survey, one out of five organizations reported risk exposure due to suppliers. Most of them reported a loss impact of more than $1 million. Regardless of who is to blame, organizations face huge repercussions in terms of data loss, a decline in client and employee confidence, reputational damage, financial costs, and legal penalties. In short, accountability cannot be outsourced. This cannot be stressed enough, and regulators demand that organizations take a more proactive approach to identifying and assessing their third-party risks.
The complexity of global supply chains lies in the fact that they are vulnerable to political and economic changes, communication failures, non-compliance with source-country regulations and guidelines, as well as terrorism and natural disasters. Many organizations have accepted this as the new cost of doing business, only to face the crippling effects of things going wrong.
However, these need not be acceptable conditions under which organizations do business. The key lies in identifying high-risk areas, assessing and implementing risk mitigation strategies, and developing a contingency plan for when disaster strikes. While this may appear to be a tall order, in the long term it proves to be more cost-effective than responding to issues and incidents after they occur. Organizations can no longer think of third parties only from a cost-savings perspective. They must create a well-thought-out risk management plan that helps increase visibility into vendor risks across the enterprise, identify which risks require the most attention, and implement effective controls and mitigating actions when an issue arises.
Risk management should begin at the strategic level. Organizations need to implement a holistic third-party management solution that consolidates all supplier-related data and provides deep visibility into risks across the global supply chain. Such a program needs to draw on all facets of the organization (operations, sales, marketing, finance, legal, and IT), identify and prioritize critical risk areas, and implement effective controls.
However, before conducting risk assessments, it is imperative to consider, during the on-boarding and screening process, factors such as who the suppliers are and what services they provide. Suppliers can then be categorized according to the risk they bring in, based on the product or service they offer, their country of origin, and their operational locations. To make sure this process is effective, risk assessments need to be periodic to determine changes in risk levels, identify new risks, and ascertain how secure suppliers are. It would also do well to keep a check on fourth parties or sub-contractors, usually by adding a restrictive clause in their contracts requiring suppliers to inform the organization of, and get approval for, any sub-contracting.
Collaboration on this front may help. In November 2017, American Express, Bank of America, JPMorgan Chase and Wells Fargo announced an innovative solution to manage third-party risk assessment in the form of TruSight. The objective of TruSight, according to their official note, is to “combine best practices and simplify the process of conducting third-party risk assessments of suppliers and partners across the financial services industry.” The path taken by this consortium of leading banks may pave the way for more such associations to effectively handle third-party risk assessments.
It is vitally important for organizations to ensure that they have a robust business continuity and disaster recovery strategy in place. Suppliers and third parties should be included to ensure that in times of disaster, effective measures can be taken across the entire supply chain to keep the business running.
It goes without saying that technology plays a critical role in strengthening these processes by streamlining the entire cycle of third-party management and providing visibility into risks and compliance issues. An integrated technology solution offers organizations a common platform, which can scale across the global supply chain, to gather information on supplier contracts, profiles, factory details, and certifications in a common repository. Technology can also help manage business continuity plans effectively and help organizations bounce back quickly in the event of a third-party risk event. Additionally, these advanced solutions source industry content to aggregate, validate, and enrich third-party data, helping organizations to identify high-risk third parties. This allows organizations to garner real-time intelligence on their entire global supply chain to make informed business decisions.