Reviewing future guidance on treatment of critical suppliers and implementation challenges

The views and opinions expressed in this article are those of the thought leaders as individuals, and are not attributed to CeFPro or any particular organization.

Paul Huggett, Head of Third Party Risk, Business Services, Resilience & Agility, Nationwide Building Society

How would you define ‘critical’ in a third-party risk perspective?

There’s the obvious translation of the PRA definition of ‘Material’, which makes sense as a starting point given the focus on resilience and the ability to correctly provide services to customers.

I also think there is a wider view where companies should assess their supplier community against their ability to deliver the company strategic objectives. Suppliers that might not have a first order impact on service and product delivery could be critical with a longer term view, especially strategic change partners.

Why should organisations look to have a holistic oversight of the industry?

It’s simply good business practice. An awareness of the industry and the broader environment informs strategy, and shapes service design and pricing that have a direct impact on the demands of the supplier base. Suppliers can often bring their own insights to the table from the buyer and, more interestingly, from other industries. Innovation can come from multiple sources!

An appreciation of the state of the industry and of the macroeconomic and geopolitical factors at play is also a key input into a good quality supplier risk assessment; our suppliers don’t work in a bubble with the buyer.

Why is it important to focus on cloud suppliers?

To state the obvious, cloud is everywhere and underpins so much in our industry. It’s not going away. It offers huge benefits in terms of scale, cost and security, but the resilience downsides are significant, especially as it exists at all levels in the supply chain, with suppliers of all sizes utilising the technology. An outage of any sort has large scale repercussions, even from less Material quarters of the supplier base.

I would add that the scale of the services and the potential impact also makes Cloud providers a clear target for malicious actors, offset by the level and sophistication of security that the biggest providers can apply.

How can you best enhance resiliency of the supply chain?

Improvement starts with understanding. One of the main challenges is the level of visibility of the deeper supply chain and how interconnected everything now is.

The pandemic taught us that a real resilience event will not be simple and confined to a ‘material’ supplier. Individual continuity and exit documentation and related testing are useful to a point, in that they help prepare the business mentally for the worst in their own space, but real insight comes from more complex scenario planning and testing, ideally with key suppliers around the table with the buyer of their services.

I think companies need to be prepared to look wider at the ripple effect a real world event would have, from the capacity and services challenges arising from the implementation of a material supplier recovery plan, to the shifts in customer behaviour it may drive. It’s complex, and that makes it interesting!

What are the main impacts if concentration isn’t managed within the cloud industry?

I don’t think we can ‘manage’ the concentration here. The market has already coalesced to such an extent that we have Cloud concentration risk that is almost impossible to unpick. The traditional options of splitting suppliers and taking a dual source approach to Cloud services still present a significant risk at the macro scale, as both providers are critical at the macro scale, and issues with the services of either would likely have an impact on core services. There are also challenges of interoperability and ease of switching cloud hosted software and services for the buyer, which introduce further risk.

With the UK and European regulators now grappling with the concentration risk, I would argue it’s better firstly to be aware of the concentration risk (and make sure the management body of your company is too) and to look for balance, possibly prioritising some fiercely prioritised non-cloud capability for the most critical activity based on the buyer’s own business objectives. Secondly, to support the regulators as they develop new approaches with the Cloud Providers to improve their resilience capabilities, something that all buyers of these services can benefit from.

Paul Huggett will be speaking at the upcoming Vendor & Third Party Risk Europe Summit.
