There is growing interest in U.S. manufacturers seeking domestic sources of supply. Some companies have already experienced an increase in secondary supplier orders as product demand exceeds production capacity. In other cases, some suppliers have reduced manufacturing operations, which has opened the door for those seeking new customers.
As organizations form new supply chain relationships and pursue new business opportunities, many seek relationships that provide higher organizational value. Inconsistencies in how partners and vendors are vetted, selected and managed introduce variables into the ecosystem and create threats that can erode organizational value.
Would it be helpful to understand the financial impact of cyber risk across your ecosystem? Would it help to know how you compare to your competitors? These seem like obvious questions, yet companies are wasting resources negotiating relationships with risky suppliers. Inconsistent evaluation and oversight increase the probability of future disruption and loss. Would you like to know which vendors pose the most risk to your company? Let us explain how you can understand and reduce your risk.
What is third-party risk?
To better understand the impact third parties can have on a company, we first need to understand the meaning of third-party risk. Third-party risk is the potential financial loss a business faces when it relies on external parties to perform services. Beyond common services such as the manufacturing of parts or the assembly of products for a company’s customers, third-party risk can also stem from the data shared between companies and these external parties. As companies build more connections and relationships with third parties, especially those not properly vetted, the probability of business disruption and data breaches increases. Third-party management can help reduce the risks associated with working with third parties.
What is third-party management?
To reduce the potential risk and impact that a company might experience while working with third-party companies, businesses often use a process called third-party management. Third-party management is the structured process companies use to monitor their third parties while managing the risks that arise from interacting with the external parties involved in contractual and non-contractual business relationships. Third-party management is also used to govern each third party’s level of access to a business’s systems and information. This is done to minimize exposure to data and intellectual property theft by cyber-criminal organizations that use third parties as attack vectors.
According to the 2020 Annualized Risk Report by DHL Resilience360, the risks you take may cost more than you want to pay.
- 69% of firms say they do not have full visibility into their supply chains.
- 63% of organizations do not use any technology to analyze, track, and monitor their supply chain performance.
- 73% of board members surveyed identified reputational risk as the area where they felt most vulnerable, but only 30% had a plan to address a reputational crisis.
- 99% of all companies have experienced a disruption in their supply chain over the past 5 years.
Three key benefits of risk monitoring were cited within the survey.
- Empower the team with optimized incident alerts based on near real-time data on global incidents.
- Ability to gather feedback from people on the ground when a location is impacted.
- Enable your logistics teams to react sooner to prevent supply disruption.
In 2019, cybersecurity incidents also continued to pose a serious threat to supply chain operations as Resilience360 recorded a total of 290 cybersecurity incidents impacting supply
According to a 2019 survey of 600 businesses conducted by Spiceworks, 44 percent had experienced a data breach caused by a third-party vendor. Businesses that take an active approach to third-party management can effectively reduce the risk of a data breach and protect valuable product secrets from competitors or markets where intellectual property theft is common. To better protect their company’s livelihood, executive leadership can apply the following third-party management tips.
1. Assess and manage third-party risks
While discussing future relations and business opportunities, keep in mind that a third party can ultimately lead to better opportunities, but it is important to identify and understand the risks that the third party may introduce to your business. Using a risk management plan can also help you assess whether or not the new business relationship is truly worth it.
2. Third-party screening and due diligence
During the onboarding process with third parties, businesses should screen for, and apply due diligence to, any risky or suspicious interactions with the third party. Reviewing the location, countries of operation, and prior history are just a few steps that can help a business better understand the risks it is potentially exposed to. In addition to screening during onboarding, continuing due diligence and screening after the new third-party relationship is established can help businesses better protect themselves from third-party risks.
3. Fourth-party involvement
Many third-party businesses operate with unknown or undisclosed fourth parties that can affect the business and its supply chain members. To mitigate fourth-party involvement, businesses should establish whether the requested service is actually provided by the third party or by a subcontracted entity. Businesses should also contractually bind third parties to report, and wait for approval of, any changes that could affect the relationship between your business and the third party.
What is a third-party risk assessment?
Like an internal risk assessment, a third-party risk assessment lets a business evaluate and identify the risks that can impact it. How can the leadership team make effective decisions without identifying, quantifying, and managing the risk variables across the supply chain? Effectively managing partners, vendors, suppliers, and other third parties requires in-depth assessment services. Third-party risk assessment services traditionally focused on operational risk, financial viability, compliance, and ethics. Now that instabilities across supply chains have been exposed, the focus on fourth-party risk is intensifying. Fourth-party risk evaluates the effectiveness of your partners’, vendors’, and suppliers’ own third-party risk programs to identify additional risk exposure that would otherwise go undetected.
What is third-party risk management (TPRM)?
The ongoing evaluation of your partners, vendors, suppliers, and other entities to drive efficiencies, cost savings, and trust is key to effective third-party risk management (TPRM). The key function of the TPRM process is to understand and manage risk exposure from third-party relationships throughout their lifecycle. When businesses evaluate third parties, many areas have to be examined to identify not only the risks that the third party itself might face but also how those risks may affect your business and supply chain partners.
Key areas where risk is introduced into the supply chain include cyber, privacy, digital, brand, and compliance. Third-party risk management strategies also address how your business anticipates future interactions within its ecosystem, such as how and what kind of data can be shared, what level of access each third party has to your systems, and what impact a disruption at that third party can have on meeting production schedules. Third-party risk management is a continuous process, meaning that the third-party members of your supply chain and the risks they pose to your company should be regularly evaluated. Regular evaluations reduce exposure time and help mitigate risks that your business has deemed too expensive to accept in its third-party relationships.
What is supply chain management (SCM)?
Continuing with the focus on third-party involvement, supply chain management is another factor that businesses, especially manufacturers, need to consider. Supply chain management is the control and management of the flow of goods and services throughout the entire supply chain. This involves acquiring raw materials, gathering and processing information and capital for supply and demand planning, production, and inventory management. Businesses normally use a combination of software and business strategy to create a competitive advantage over similar products or brands.
Along with managing the previously mentioned areas of the supply chain, supply chain management also covers the price, quality, and quantity of a product that is made available to potential customers. As all businesses understand, the quality and quantity of the commodity used for a product affect the product’s final price. A commodity’s popularity predetermines its price for a given market. This price is further affected by the quantity and quality of the commodity. As the quantity of a commodity increases, the overall price can decrease, but the commodity’s quality may also decrease, and vice versa.
How does third-party risk impact SCM?
Supply chain management (SCM) is an expansive and complex endeavor that relies on each partner, from suppliers, manufacturers, and logistics providers onward, to perform well. Because of these interconnected ecosystems, effective supply chain management also requires change management, collaboration, and risk management to create alignment and communication between all the participants. From a technical perspective, third-party members of a supply chain can affect the security of data used by the supply chain partners, or even of the members themselves. Third-party members of your supply chain that are not properly vetted may become a new vector for malicious organizations to steal sensitive information about your products, clients, and customers. Regularly checking the overall security of the third party’s environments and digital assets helps evaluate the potential risks that could affect your business. However, this only scratches the surface of what could lead to a breach. Being able to check whether a third party has leaked credentials, insecure web applications, or poorly managed system patches, without requiring an intrusive scan, can help your business make the important decision of whether or not to establish a new business partnership with that third party.
Many organizations manage third-party risk case by case or with numerous systems, policies, and frameworks. While this addresses most of what is required for effective third-party risk management, it does not provide a comprehensive and consistent framework. The manufacturers, suppliers, and vendors risk failing to capture the full lifecycle and range of third-party relationships, which may create inefficiencies, blind spots, and inconsistencies. The due diligence aspect of monitoring and reporting available data can integrate into your third-party risk management processes for accountability. Understanding how well a potential third-party handles their duties of maintaining various compliance standards while handling or storing sensitive intellectual property and customer data can better help your business understand what risks are associated with sharing data.
Attacks and data breaches originating from third parties affect the production capabilities and reputation of businesses and result in expensive fines and expenses that depend on the type of data stolen. These costs also include reporting the impact to shareholders, notifying affected customers, and repairing the systems and data normally used. Many businesses wish they had a predetermined estimate of a data breach’s financial impact together with the probability that their business will experience a breach. Services that use the Open FAIR™ risk framework can quantify an approximate cost range for what your business would be expected to pay in the event of a breach while also providing the probability that a breach will occur. This quantifiable information helps businesses justify the expenses needed to maintain and upgrade their security.
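To make the Open FAIR quantification concrete, here is an added Python example (not from the article or Certitude Security) of a simplified FAIR-style Monte Carlo: loss event frequency is decomposed into threat event frequency times vulnerability, each event carries a primary plus a secondary loss, and the simulation returns a loss range plus the probability of at least one breach in a year. The factor names follow the Open FAIR taxonomy; the vendor inputs are constructed placeholders, not calibrated data.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Estimate:
    """Calibrated min / most likely / max estimate for one FAIR factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)

def prob_at_least_one_event(lef: float) -> float:
    """P(at least one loss event in a year) when events arrive as a Poisson
    process with mean loss event frequency `lef` (events per year)."""
    return 1.0 - math.exp(-lef)

def simulate_annual_loss(tef, vuln, primary, secondary, runs=10000, seed=1):
    """Open FAIR decomposition: LEF = TEF x Vulnerability, loss magnitude =
    primary + secondary loss. Each run draws the factors, samples a Poisson
    count of loss events for the year and sums their magnitudes (USD)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        lef = tef.sample(rng) * vuln.sample(rng)
        # inverse-transform Poisson draw: number of loss events this year
        events, u = 0, rng.random()
        p = cdf = math.exp(-lef)
        while u > cdf:
            events += 1
            p *= lef / events
            cdf += p
        losses.append(sum(primary.sample(rng) + secondary.sample(rng)
                          for _ in range(events)))
    losses.sort()
    pct = lambda q: losses[min(int(q * runs), runs - 1)]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "mean": sum(losses) / runs,
            "p_breach": sum(1 for x in losses if x > 0) / runs}

# Constructed inputs for one hypothetical vendor (illustration only):
VENDOR = dict(tef=Estimate(0.5, 2.0, 6.0),            # threat events / year
              vuln=Estimate(0.05, 0.15, 0.40),        # P(threat event -> loss)
              primary=Estimate(50e3, 250e3, 1.5e6),   # response and repair, USD
              secondary=Estimate(0.0, 100e3, 2.0e6))  # fines and notifications

if __name__ == "__main__":
    print(simulate_annual_loss(**VENDOR))
```

The p10/p50/p90 spread is the "cost value range" the article refers to, and p_breach is the annual probability of at least one loss event; replacing the placeholder estimates with calibrated ones per vendor lets you rank vendors by expected loss.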
Many years ago, Warren Buffett warned his son Howard, “It takes 20 years to build a reputation and five minutes to lose it. If you think about that, you will do things differently.” Mr. Buffett wasn’t talking about supply chain management, but the concept still applies. Organizations are increasingly concerned about the reputations of the third parties that source, manufacture, transport, distribute, market, and sell their products worldwide. When assessing a third-party supplier or partner, reputation, risk, and cost are all important, not necessarily in that order. The following manufacturing industries benefit from knowing which vendors pose the most risk to their organizations, streamlining the vetting and selection process.
- Paper products.
- Food, beverage & tobacco products.
- Fabricated metal products.
- Nonmetallic mineral products.
- Plastics & rubber products.
- Printing & related support activities.
- Furniture & related products.
- Transportation equipment.
- Textile mills.
- Electrical equipment.
- Appliances & components.
- Petroleum & coal products.
- Wood products.
- Miscellaneous manufacturing.
- Computer & electronic products.
- Primary metals.
- Chemical products.
Given the risk issues outlined in this article, many manufacturers and producers would benefit from establishing a common set of standards and a more systematic approach to third-party risk management for more effective supply chain management. As proactive third-party risk monitoring and escalation processes are implemented, workflow adjustments increase efficiency and ensure consistency in knowing which vendors pose the most risk. Certitude Security™ can provide your leadership team with the clarity to manage third-party risk more effectively through better vetting, selection, and management of your third-party suppliers and partners.