There is growing interest in U.S. manufacturers seeking domestic sources of supply. Some companies have already experienced an increase in secondary supplier orders as product demand exceeds production capacity. In other cases, some suppliers have reduced manufacturing operations, which has opened the door for those seeking new customers.
As organizations form new supply chain relationships and pursue new business opportunities, many are seeking relationships that provide higher organizational value. Discrepancies in how partners and vendors are vetted, selected, and managed introduce variables into the ecosystem that create threats which can erode organizational value.
Would it be helpful to understand the financial impact of cyber risk across your ecosystem? Would it help to know how you compare to your competitors? These seem like obvious questions, yet companies are wasting resources negotiating relationships with risky suppliers. Inconsistent evaluation and oversight increase the probability of future disruption and loss. Would you like to know which vendors pose the most risk to your company? Let us explain how you can understand and reduce your risk.
What is third-party risk?
To better understand the impact third parties can have on a company, we first need to understand the meaning of third-party risk. Third-party risk is the potential financial loss a business incurs because it relies on external parties to perform services. Beyond common services such as the manufacturing of parts or the assembly of products for a company’s customers, third-party risk can also stem from the data shared between a company and these external parties. As companies build more connections and relationships with third parties, especially ones that are not properly vetted, the probability of business disruption and data breaches increases. Third-party management can help reduce the risks associated with working with third parties.
What is third-party management?
To reduce the potential risk and impact a company might experience while working with third-party companies, businesses often use a process called third-party management. Third-party management is the structured process companies use to monitor their third parties while managing the risks that arise from the contractual and non-contractual business relationships they hold with those external parties. Third-party management is also used to govern the level of access each third party has to a business’s systems and information. This minimizes exposure to data and intellectual property theft by cyber criminal organizations that use third parties as attack vectors.
According to a 2020 Annualized Risk Report by DHL Resilience360, the risks you take may cost more than you want to pay.
- 69% of firms say they do not have full visibility into their supply chains.
- 63% of organizations do not use any technology to analyze, track, and monitor their supply chain performance.
- 73% of board members surveyed identified reputational risk as the area where they felt most vulnerable, but only 30% had a plan to address a reputational crisis.
- 99% of all companies have experienced a disruption in their supply chain over the past 5 years.
Three key benefits of risk monitoring were cited within the survey.
- Empower the team with optimized incident alerts based on near real-time data on global incidents.
- Ability to gather feedback from people at the location being impacted.
- Enable your logistics teams to react sooner to prevent supply disruption.
In 2019, cybersecurity incidents also continued to pose a serious threat to supply chain operations, as Resilience360 recorded a total of 290 cybersecurity incidents impacting supply
According to a 2019 survey conducted by Spiceworks of 600 businesses, 44 percent had experienced a data breach caused by a third-party vendor. Businesses that take an active approach to third-party management can not only effectively reduce the risk of a data breach, but also protect valuable product secrets from competitors or from markets where intellectual property theft is common. The following tips can help executive leadership with third-party management and better protect the livelihood of their company.
1. Assess and manage third-party risks
While discussing future relations and business opportunities with a third party can ultimately lead to better opportunities, it is important to identify and understand the risks that the third party may introduce to your business. A risk management plan can also help assess whether or not the new business relationship is truly worth it.
2. Third-party screening and due diligence
During onboarding, businesses should screen third parties and maintain due diligence over any risky or suspicious interactions with them. Reviewing the location, countries of operation, and prior history are just a few steps that help a business understand what risks it is potentially exposed to. In addition to screening during onboarding, continued due diligence and screening after the relationship with a new third party is established can help businesses better protect themselves from third-party risk.
3. Fourth-party involvement
Many third-party businesses operate with unknown or undisclosed fourth parties that can affect the business and the members of its supply chain. To mitigate fourth-party risk, businesses should determine whether the requested service is actually provided by the third party or by a subcontracted entity. Businesses should also contractually bind third parties to disclose, and obtain approval for, any changes that could affect the relationship between your business and the third party.
What is a third-party risk assessment?
Similar to performing an internal risk assessment, businesses can conduct third-party risk assessments to identify and evaluate the risks that can impact their business. How can the leadership team make effective decisions without identifying, quantifying, and managing the risk variables across the supply chain? Effectively managing partners, vendors, suppliers, and other third parties requires in-depth assessment services. Third-party risk assessment services have traditionally focused on operational risk, financial viability, compliance, and ethics. Now that instabilities across supply chains have been exposed, focus on fourth-party risk is intensifying. Fourth-party risk assessment evaluates the effectiveness of your partners’, vendors’, and suppliers’ own third-party risk programs to identify additional risk exposure that would otherwise go undetected.
What is third-party risk management (TPRM)?
The ongoing evaluation of your partners, vendors, suppliers, and other entities to drive efficiencies, cost savings, and trust is key to effective third-party risk management (TPRM). The key function of the TPRM process is to understand and manage risk exposure from third-party relationships throughout their lifecycle. When businesses evaluate third parties, many areas have to be examined to identify not only the risks that the third party itself might face, but how those risks may affect your business and supply chain partners.
Key areas where risk is introduced into the supply chain include cyber, privacy, digital, brand, and compliance. Third-party risk management strategies also address how your business anticipates future interactions within your ecosystem: how and what kind of data can be shared, what level of access each third party has to your systems, and what impact disruption from that third party can have on meeting production schedules. Third-party risk management is a continuous process, meaning that third-party members of your supply chain and the risks they pose to your company should be regularly evaluated. Regular evaluations can reduce exposure time and help mitigate risks that your business has deemed too expensive to accept in third-party relationships.
What is supply chain management (SCM)?
Continuing the focus on third-party involvement, supply chain management is another factor that businesses, especially manufacturers, need to take into consideration. Supply chain management is the control and management of the flow of goods and services throughout the entire supply chain. This involves the acquisition of raw materials; the gathering and processing of information and capital for supply and demand planning; production; and inventory management. Businesses normally use a combination of software and business strategy to create a competitive advantage over similar products or brands.
Along with management of the areas of the supply chain mentioned above, supply chain management also covers the price, quality, and quantity of a product that is made available to potential customers. As all businesses understand, the quality and quantity of the commodity used for a product affect the final price of the product. The price of a commodity is predetermined by the popularity of the commodity in a given market. This price is further impacted by both the quantity and quality of the commodity. As the quantity of a commodity increases, the overall price can decrease but the quality of the commodity may also decrease, and vice versa.
How does third-party risk impact SCM?
Supply chain management (SCM) is an expansive and complex endeavor that relies on each partner, from suppliers, manufacturers, logistics, and beyond, to perform well. Because these ecosystems are interconnected, effective supply chain management also requires change management, collaboration, and risk management to create alignment and communication between all participants. From a technical perspective, third-party members of a supply chain can affect the security of data used by the partners of the supply chain, or even of the members themselves. Third-party members of your supply chain that are not properly vetted may become a new vector for malicious organizations to steal sensitive information about your products, clients, and customers. Regularly checking the overall security of a third party’s environments and digital assets can help evaluate the potential risks that could affect your business. However, this only scratches the surface of what could lead to a breach. Being able to check whether a third party has leaked credentials, insecure web applications, or poorly managed system patches, without requesting an intrusive scan, can help your business make the important decision of whether to establish a new business partnership with that third party.
Many organizations manage third-party risk case by case or with numerous systems, policies, and frameworks. While this addresses most of what is required for effective third-party risk management, it does not provide a comprehensive and consistent framework. Manufacturers, suppliers, and vendors risk failing to capture the full lifecycle and range of third-party relationships, which may create inefficiencies, blind spots, and inconsistencies. Monitoring and reporting on available data, as part of due diligence, can be integrated into your third-party risk management workflow for accountability. Understanding how well a potential third party maintains the relevant compliance standards while handling or storing sensitive intellectual property and customer data can help your business better understand what risks are associated with sharing data.
Attacks and data breaches that originate with third parties not only affect the production capabilities and reputation of businesses, but can also result in costly fines and expenses that depend on the type of data stolen. These costs can also include reporting the impact to shareholders, notifying affected customers, and repairing the systems and data normally used. Many businesses wish they had a predetermined estimate of the financial impact of a data breach, together with the probability that their business will experience one. Services that use the Open FAIR™ risk framework can help quantify an approximate cost range for what your business would be expected to pay in the event of a breach, while also providing the probability that a breach will occur. This quantifiable information can help businesses justify the expenses needed to maintain and upgrade their security.
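As an added example (not from this article or any vendor’s tooling), here is an Open FAIR-style estimate for one hypothetical third-party supplier: loss event frequency times loss magnitude, sampled by Monte Carlo, gives the annualized loss range and the probability of at least one breach per year, and the resulting figure is compared against the cost of a control. All vendor figures are constructed placeholders, and the `Estimate`, `simulate` and `control_is_justified` names are assumptions made for this example.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    """Calibrated (minimum, most likely, maximum) estimate for one FAIR factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng):
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)

# Constructed profile for a hypothetical parts supplier with remote ERP access.
VENDOR = {
    "threat_event_frequency": Estimate(0.5, 2.0, 6.0),   # attempts per year
    "vulnerability": Estimate(0.05, 0.15, 0.40),        # P(attempt succeeds)
    "repair_cost": Estimate(20_000, 80_000, 250_000),   # primary loss
    "notification_cost": Estimate(5_000, 30_000, 120_000),
    "fines": Estimate(0, 50_000, 500_000),              # secondary loss
    "shareholder_reporting": Estimate(2_000, 10_000, 40_000),
}
LOSS_FORMS = ("repair_cost", "notification_cost", "fines", "shareholder_reporting")

def simulate(profile, trials=20_000, seed=1):
    """Monte Carlo over the FAIR factors; returns breach probability and ALE range."""
    rng = random.Random(seed)
    annual_losses, breach_probs = [], []
    for _ in range(trials):
        # Loss event frequency = threat event frequency x vulnerability.
        lef = profile["threat_event_frequency"].sample(rng) * profile["vulnerability"].sample(rng)
        # Loss magnitude = primary + secondary loss forms for one event.
        lm = sum(profile[form].sample(rng) for form in LOSS_FORMS)
        annual_losses.append(lef * lm)
        # With LEF events/year (Poisson), P(at least one breach) = 1 - e^-LEF.
        breach_probs.append(1 - math.exp(-lef))
    annual_losses.sort()
    pct = lambda p: annual_losses[int(p * (trials - 1))]
    return {
        "p_breach_per_year": sum(breach_probs) / trials,
        "ale_mean": sum(annual_losses) / trials,
        "ale_p10": pct(0.10), "ale_p50": pct(0.50), "ale_p90": pct(0.90),
    }

def control_is_justified(result, annual_control_cost, expected_reduction):
    """Spend is justified when the expected loss avoided exceeds the control's cost."""
    return result["ale_mean"] * expected_reduction > annual_control_cost
```

The p10/p50/p90 spread is the "approximate cost range" the article refers to; replacing the constructed estimates with calibrated figures for a real vendor is the part of the exercise that needs subject-matter input.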
Many years ago, Warren Buffett warned his son Howard, “It takes 20 years to build a reputation and five minutes to lose it. If you think about that, you will do things differently.” Mr. Buffett wasn’t talking about supply chain management, but the concept still applies. Organizations are increasingly concerned about the reputations of the third parties that source, manufacture, transport, distribute, market, and sell their products around the world. When assessing a third-party supplier or partner, reputation, risk, and cost are all important, and not necessarily in that order. The following manufacturing industries benefit from knowing which vendors pose the most risk to their organizations, which can streamline the vetting and selection process.
- Paper products.
- Food, beverage & tobacco products.
- Fabricated metal products.
- Nonmetallic mineral products.
- Plastics & rubber products.
- Printing & related support activities.
- Furniture & related products.
- Transportation equipment.
- Textile mills.
- Electrical equipment.
- Appliances & components.
- Petroleum & coal products.
- Wood products.
- Miscellaneous manufacturing.
- Computer & electronic products.
- Primary metals.
- Chemical products.
Given the risk issues outlined in this article, many manufacturers and producers would benefit from establishing a common set of standards and a more systematic approach to third-party risk management for more effective supply chain management. As proactive third-party risk monitoring and escalation processes are implemented, workflow adjustments increase efficiency and ensure consistency in identifying which vendors are creating the most risk. Certitude Security™ can provide your leadership team with the clarity to manage third-party risk more effectively through better vetting, selection, and management of your third-party suppliers and partners.