Reviewing potential risks within the supply chain ecosystem

Desmond Campbell, Vice President, Compliance Oversight and Operational Risk, Barclays

Below is an insight into what can be expected from Desmond’s session at Vendor & Third Party Risk Europe 2023.

The views and opinions expressed in this article are those of he thought leader as an individual, and are not attributed to CeFPro or any particular organization.

How can contractual requirements prevent risks within fourth party oversight?

Historically, many vendors are less cooperative when asked to provide visibility of their third party ecosystem. Transparency is challenging and it becomes complex to identify the supplier’s supplier. This complexity could be linked to the fact that organizations can oftentimes have over 5000 suppliers, each of those suppliers in turn have a plethora of suppliers themselves, leading to a complex ecosystem to monitor.  Therefore, before firms get to the contractual requirements, they need to seek confirmation and identification of the supplier’s third party ecosystem and beyond.

A Request for Information/Proposal (RFP) is the starting point to allowing organizations to embed questions on how a vendor proposes to deliver the service.  This line of questioning can then be enhanced during formal negotiations during the supplier risk evaluation process, allowing organizations to include a range of questions on how the supplier engages their suppliers. A range of questions can be explored, including how is the Nth party engaged? When will the Nth party complete activities? Will the Nth party retain information on the client? When will the relationship end with the Nth party (if this is applicable)?

It is important to understand positions before articulating contractual requirements. Upon completion of scheduling within a contract, organizations must ensure performance mechanisms are in place and that they understand the activities of Nth parties to integrate a provision of assurance and continuity of service. Ensuring business continuity management and exit planning strategy is aligned to the delivery of services and forms part of the contract is also a key step.

What are some expectations involved when operating with an extended supply chain?

The assumptions and expectations:

  • Understanding the vendors ecosystem is key to the delivery of goods and services for any third-party relationship.
  • When operating with offshore vendors, there is a likelihood that lead times could be greater, therefore appropriate stock provision or replenishment needs to be appropriately managed to receive goods/service on time.
  • Understand the geo-political, climate situation or social issues impacting the suppliers to ensure disruptions are minimized.
  • Ensure business continuity and exit strategies are clearly in place and updated in the event of a disruption.
How can we develop controls at a fourth party level and beyond?

Controls at the Nth party level need to be imposed on the third party. With that being said, we need to ensure questions are asked to incentivize the third party to be transparent and divulge information regarding their suppliers.  In principle, to ensure the following:

  • External standards and certificates – Ensure that the third parties’ vendor has the relevant external standards, processes, procedures, and certificates in place during the due diligence of the third party. With appropriate governance structures in place, if any incidents occur down the supply chain, that escalation procedures are in place to highlight to the third party and in turn escalate to the client organization.
  • Relevant international ISO standards and encryption – As with the aforementioned point, it is essential that the third party and their suppliers have the relevant international standards in place such as ISO 27001 and encryption ISO 18033 protocol, especially when managing the client’s data and/or infrastructure.
  • The following references to regulatory standards/frameworks are the minimum requirements which should be held by the third party and their suppliers:
    • Data privacy
    • Anti-bribery
    • Sanctions
    • Cyber-security
    • Cloud Services
    • Business continuity management
    • Disaster recovery management
    • Compliance with relevant global regulatory handbooks or frameworks
  • Business Continuity management (BCM) and Exit Plan Strategy – Client organizations regularly make the mistake of not having the appropriate plans in place. The pandemic caught out many organizations who were ill placed to communicate their strategy to ‘keep the lights on’ and meeting the demand on their clients.

Having the appropriate tools such as a BCM or exit plan strategy will help in the navigation of how an organization will treat risk, and what best to do if the client needs to exit a contract quickly.  It is also worth noting that the third party and its suppliers are also clients, so in terms of disruptions, all parties need to work together to mitigate any risk.

  • Financials – The supply chain is an intrinsic and complex web of organizations which could, if not managed correctly, bring down multi-national companies. Having a clear understanding of the third party and companies which serve it with provisions of goods and services is crucial to the sustainability of client organizations.  If one company in the supply chain enters administration or liquidation, this could ricochet up and down the supply chain. Appropriate due diligence of the third party and their supplier through the use of risk rating agencies is important to the sustainability of the client organization
What do some best practices look like when reviewing cross sector supply chains?
  • Structured organization – The activities of the supply chain begin within the client organization. With the formalized approach of engaging and managing the direction of the third party, there is little room for ambiguity of intention and there is a clear structure in place to manage the vendor and its suppliers.
  • Supply chain strategy – Having a supply chain strategy in place, with clear sight of the third party and its supplier is paramount. Understanding the environment of all vendors and their dependencies, with a full overview of the third-party structure.  This will enable the client organization to set assumptions and expectations based on the track record of the vendors.
  • Performance management – The performance mechanism is not only for the third parties, but for the whole ecosystem. Therefore, have key performance indicators, Service level Agreements and service reporting in place to enable the client organizations to set the expectations of ‘what good’ looks like and be able to benchmark relevant performance requirements.
  • Managing third party risks – The third party ecosystem is a complex web of organizations. Data is being communicated up and down the supply chain continuously and in some cases, vendors are being used indirectly by multiple vendors, therefore managing risk, and having key controls in place is a must.  Cyber security and data breaches are on the increase and many attackers are targeting Nth parties pushing dangerous malware or attacking infrastructure up-chain, impacting the sustainability of all involved.  Continuous monitoring, rights of audits (including onsite audits) and seeking assurance from the third party that its ecosystem can sustain a threat is so important.
  • Strengthen supply chains through software initiatives – All the above points can be easily managed through the investment of a governance, risk and compliance tools integrated with procurement tools (if procurement has a standalone tool). There are many third party risk tools which can be used in multiple areas within an organization to ensure the on-boarding and continuous management of a third party and its suppliers are captured in one single repository.  Ensuring your GRC tool can integrate into the control tool (i.e., data privacy, cybersecurity, anti-money laundering and sanctions) will enable an integrated approach to supply chain management with the risk controls in place to forecast, mitigate and report on risk events.