Mitigating risk in a connected world: The importance of Nth party risk management

Wes Loeffler, Product Manager, Archer

Below is an insight into what can be expected from Wes’s session at Vendor & Third Party Risk USA 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

How has the geopolitical landscape evolved, and how has this had an impact on third parties?

Geopolitical events, specifically the conflict in Ukraine, have had various impacts on third party risk management, including:

  • Supply chain disruptions – according to Dun & Bradstreet, there are 374,000 businesses worldwide reliant on Russian suppliers (90% located in the U.S.) and 241,000 businesses worldwide reliant on Ukrainian suppliers (93% located in the U.S.). This has disrupted the supply of semiconductors, oil, metals, wheat, corn, and other commodities.
  • Transportation disruptions – Logistical routes including the Black Sea have been severely impacted, forcing suppliers to find alternative routes of transportation.
  • Reputation impact – organizations reliant on vendors or banks within Russia have been forced to rapidly identify and onboard alternative providers.

The conflict has shone a light on the importance of location-based risk management. Companies with suppliers or operations in the region have been forced to reevaluate their third-party risk management strategy, including diversifying suppliers, increasing inventory levels, and developing contingency plans for future disruptions. Beyond the direct impact, organizations found to be doing business with certain institutions in Russia can be subject to regulatory penalties, fines, and damage to their reputation.

Can you shed some light on the increasing importance of ESG within third parties, and how we can mitigate risk in this area?

Incorporating ESG factors into third-party risk management can help organizations reduce their exposure to risks that may arise from the actions of their suppliers, vendors, or partners. A critical third party with poor ESG practices can have a downstream impact on the enterprise’s reputation, regulatory compliance, sustainability credentials, and ability to deliver key products or services to customers. Similarly, by considering social factors such as labor practices and human rights, organizations can ensure their vendors prioritize diversity and inclusion. This can help mitigate human rights violations, labor disputes, and reputational damage.

To mitigate third party ESG risk, organizations should adopt a comprehensive approach that considers multiple factors.

  1. Conduct third party due diligence to assess their ESG practices. This includes reviewing their sustainability policies, carbon footprint, labor practices, and legal and regulatory issues.
  2. Set clear ESG standards for suppliers that are communicated, monitored, and enforced.
  3. Monitor third-party ESG performance to ensure vendors are meeting the established ESG standards. This could involve reviewing sustainability reports, regulatory compliance, or audits.
  4. Hold third parties accountable. Vendors that violate ESG performance requirements included in contracts should be required to remediate deviations or incur the stipulated penalties.

How has supply chain risk management evolved?

Prior to COVID, many organizations focused almost exclusively on third party risk management and rarely considered the impact of a 4th or nth party failure. COVID, the conflict in Ukraine, and supply chain cyber-attacks have forced the evolution of this approach. The recent microchip shortage is a perfect example. Many organizations had built in third-party redundancies for the acquisition of microchips. What they didn’t realize was that these third parties were reliant on only a handful of producers of the components used in microchips. When these producers were impacted by COVID, the Suez Canal blockage, and the conflict in Ukraine, the microchip supply chain ground to a halt.

Unfortunately, supply chain risk management is complex, dynamic, and labor intensive. According to a survey conducted by the Ponemon Institute, the average enterprise has 5,800 third parties. Applying that same number to each of those third parties results in 33.6 million companies. Managing risk at that scale is not feasible. To combat this, organizations have embraced the approach of managing the supply chains supporting their most critical products and services. This involves identifying critical third parties as well as the nth parties supporting them, and understanding the ESG posture of those organizations as well as the location-based risks within those supply chains. This typically necessitates the use of automated tools, such as supply chain cataloging products, blockchain, and continuous monitoring solutions.

What does the future ahead look like for third party risk management?

Moving forward, I expect third party risk management to continue to intersect with supply chain risk management, ESG, and operational resilience. This will require organizations to embrace data-driven and automated technology solutions, likely involving the use of artificial intelligence and machine learning to identify and analyze risks in real time, as well as the use of blockchain to improve security across supply chains. Companies are likely to collaborate more tightly with their suppliers and partners to manage risk. This will involve sharing data and information on risks and working together to develop solutions to common challenges.

Regulatory requirements for third party risk management are likely to increase moving forward. Governments and regulatory bodies are likely to tighten the regulations around third-party risk management to protect consumers, companies, and critical infrastructure. This could include mandatory assessments of third-party security protocols and risk management practices. One example is the Digital Operational Resilience Act, or DORA, in the European Union. DORA places a heavy emphasis on third party resilience, requiring firms to identify critical third-party service providers, document the risks inherent in these vendors as well as the associated controls, and understand the information and communication technology (ICT) risks inherent to critical third parties.

Additionally, there will be an increased focus on building resilient systems and processes to manage third-party and supply chain risks. This will involve implementing redundancy measures, investing in business continuity planning, and conducting regular testing and simulations.