In today’s economy, all companies operate in an increasingly complex network of actors that represent both a threat and an opportunity. As a result, 3rd-party risk management is broader than pure supplier risk management. Yes, supplier risk is crucial as a disruption in your supply chain will in turn lead to a global disruption in your business. But 3rd-party risk is much more than your suppliers – it’s your investors, distributors, counsels, advertisers… and of course, your customers!
The traditional approach, consisting of performing due diligence, is no longer sufficient, to my mind. Not only does it only cater to the present moment and not any future evolutions, but most of all your degree of control is very different from one party to another.
Take your suppliers. Relying on them often helps you be more agile as it can be a quicker and sometimes more affordable way to increase delivery capability or reduce direct costs. For this type of 3rd party you can have some type of control and you can define indicators to ensure all goes well: service level agreements, quality controls, etc.
Now, let’s take your customers, the ultimate 3rd party. If they disappear, so does your business. Again, you have some degree of control: payment terms for example, and you can also access publicly available financial information if you’re concerned about their health.
Outsource responsibility, but not accountability
In both cases, the conclusion is identical. If they’re part of your strategy and help you achieve your objectives, then they need to be taken into account in your overall enterprise risk management strategy and as such, included in your risk profile and reported to the board.
Leaving these risks to your procurement department is not sufficient.
Indeed, your company will ultimately be fully accountable for actions carried out by 3rd parties on your behalf. This includes manufacturing of goods or delivery of services but also goes beyond to compliance and reputational risks as well.
Should one of your agents carry out an illegal activity on your behalf, you might be facing prosecution. Even if this is not the case, if the name of your company or product is associated to irregularities, your brand and image will be affected.
Adopt a risk-based approach for continuity of operations
Treat these 3rd parties like your own departments. By including 3rd parties in your risk and control process, you will increase your oversight and reactivity.
To start, I suggest focusing on the most “risky” 3rd parties. To identify them, as for any critical asset or process, start by performing a risk analysis. What would be the impact on your business of a 3rd-party misbehaviour?
For those 3rd parties that could seriously threaten the continuity of your operations, include them in your business continuity plan. This also means having the right dedicated contacts within these companies – an account manager might not be the right stakeholder during a crisis.
Also, when possible, carry out preventative actions, such as source backup suppliers, diversify your customer base, etc.
Personally, I don’t believe managing 3rd party risks should be a very different approach to managing other strategic risks. Yes, there is an additional complexity in how to mitigate them, but for their identification and assessment, I believe they should be treated as your other value-added activities.
Would you agree with this candid opinion?
Want more best practices for doing business in today’s complex business environment? See Taking Advantage of the Collaborative Economy: Mistakes to Avoid.