A full-blown radar for third-party risk

Supply chain risk is an issue faced by companies across all sectors and all shapes and sizes, and the complexities of third-party assurance can be hard to navigate. In his article for Instrumentation Monthly, Crossword’s Chief Product Officer, Jake Holloway, shines a light on the industrial sector. He discusses the third-party assurance (3PA) challenges facing this sector with its complex supply chains, outlining why technology has a big role to play in simplifying processes and managing risk.

Businesses need to manage many risks, with their impact and complexity growing all the time, placing a greater burden on staff. Risks are simply a factor of doing business: if a company wants to grow or enter new markets then it takes calculated risks on what the outcomes might be. If it wants to change its products or services, it will undertake extensive research to inform those decisions, thus minimising risk and assessing the investment levels required.

The third-party problem

For the industrial sector, there are other risk areas, with its complex use of third parties to extend supply chains, bring in outside expertise, supply operational technology, outsource business processes, or support functions such as Operational Technology (OT) and Information Technology (IT). When taking on any third party in this way, organisations often require the service provider to provide assurance that it has sufficient controls to manage the financial, operational and regulatory risks that relate to its specialism and the service it will provide.

In its broadest terms an organisation wants to be sure a future supplier:

  • Is who it claims to be

  • Is experienced at delivering the services it claims to offer

  • Will not embarrass or place at risk the reputation of the company

  • Is financially stable

  • Is qualified and accredited as required

  • Is fully compliant with the relevant regulations in all countries of operation

Companies will, or at least should, look at all of these areas as part of the supplier selection and onboarding process, in what we would call pre-contractual risk assessments and evidence gathering: making sure that all the paperwork and checks with regulators point to the supplier meeting all criteria. Once fully onboarded, that supplier will be regarded as having provided Third-Party Assurance (3PA) and be ready to supply its services. That assurance lowers risks for the company.

3PA and supplier management

Supplier management processes are something that every company should have in place to monitor the performance of all third parties recruited to perform functions on its behalf. This should be a cyclical process that strives for continuous improvement and minimised risk. 3PA issues should be part of this process but aren’t always.

Each of the four main categories of 3PA risk should be represented as part of the supplier management process and therefore regularly assessed: Financial & Regulatory; Compliance; Corporate Social Responsibility (CSR); and finally Technology & Data. The reality is that we know this does not happen and there are always gaps in how companies assess their 3PA.

Take, for example, the Modern Slavery Act which requires companies with revenue of over £36 million to produce a Slavery and Human Trafficking statement, indicating the steps they are taking to prevent modern slavery abuses in supply chains and operations. All companies should have published their first statement by 30th September 2017, and although an estimated 8,000 of the 9,000-11,000 required to comply have published statements, only 2% meet the minimum statutory requirements laid out in the Act.

There are over 15 general areas of 3PA risk that fit under each of the categories outlined above, and that is before you dig down into individual pieces of legislation, or special requirements for specific vertical markets.

Another aspect that makes 3PA so complicated is that each area of risk may need to be measured at different frequencies and falls under the responsibility and expertise of different departments within the company. How do you manage that efficiently, securely, and gain a single view of an individual supplier’s risk assurance, as well as a company-wide view?

The fallout from a company not keeping a constant grip on its regulatory and other risks is just too great: lost contracts, legal battles, loss of reputation, or even the loss of the right to trade in a heavily regulated sector.

Out of the silo and onto the radar

Technology can play a key role in giving risk and compliance professionals the control and visibility they need across the organisation, moving risk compliance from a siloed and reactive activity to a connected, proactive and continuous process that delivers a complete view of a company’s third-party risks. This is a radar view that can highlight underperforming suppliers and regulatory risks and drive business improvements, whilst lowering the costs of risk assurance and storing confidential information securely.

Find out more about how Crossword Cybersecurity can support companies with third-party assurance.

You can read the full article in Instrumentation Monthly here.