You’re only as strong as the weakest link in your network


A key area of concern for compliance managers right now is how far the new focus on third-party risk management and supply chain due diligence could stretch. For example, businesses are responsible for the ethical and environmental sourcing of the prawns in the sandwiches sold in their shops, but what about the feed source for those prawns – is the business also on the hook for how that is sourced? Yes, they are. So, where does it end and how do business leaders put systems in place to reliably manage this?

Key decision makers will find it invaluable to be empowered with the skills and knowledge to make smart choices when it comes to engaging with business partners. With the vast number of third parties and suppliers most companies deal with on a weekly basis, today’s marketplace is more entwined than ever before. This means that a third party or supplier’s risks inevitably become your own as well, so the business’ reputation is at stake.

What are third-party risks?

Third-party risk management is a unique, multifaceted discipline. It requires collaboration and vigilance to defeat the common enemy. Doing so can open doors to new products and markets, drive growth, and increase customer retention. This applies to all organisations, regardless of size, from a small organic grocery chain to a multinational tech conglomerate.

Third-party risks are as prevalent and varied as any internal risk, but they are even more unpredictable since the complexity of the threat is tied to another entity’s actions. There is little to no visibility into other business partners’ operations and processes either.

For example, a human rights incident noted at an overseas factory that manufactures your goods could indirectly reflect badly on the whole business. It is therefore critical to gain a clear overview of the supply chain.

The new reality is that regulators, customers, employees, and investors increasingly expect companies not just to take responsibility for their own actions, but also for those of their supply chains. Increasingly, young and innovative companies are using their credentials and rigour in this area as points of differentiation in a market that values transparency and ethics.  But it is not easy, especially for larger, established organisations to track the risks and compliance of their complex and multi-tier network of suppliers and third parties.

To meet these challenges, there are systems, processes, and principles that can help businesses to navigate this area.

Risk types

There is no one-size-fits-all approach to navigating third-party risk due to the various threats businesses are exposed to. Yet, there are a few core risk areas that help illustrate the grave importance of effective third-party risk management:

  • Cybersecurity – The threat landscape is ever-growing, which means even the best crisis management processes in the world cannot guarantee prevention of risks carried over by partners or the supply chain. Businesses should therefore regularly train their staff in cybersecurity best practices, verify partners’ software are not outdated, and implement the necessary tools and technologies to support their playbook.
  • Compliance – Regulatory pitfalls are unavoidable, so third-party partners need to comply to all local, regional, and international standards that you do to avoid collateral damage.
  • Financial – If suppliers or vendors face financial difficulties and/or become bankrupt, it can directly impact your operations. It is therefore essential to carry out regular reviews of your third parties’ financial health through credit reports, audits, and other financial assessments.

Process and prioritisation

Third-party associations without the proper screening and audits in place can become a vulnerability in less than a minute. It is essential to identify where risk areas lie, assess these on an ongoing basis, and evaluate security measures like you would your own.

This can be achieved by creating a clear-cut playbook that spells out how to identify, assess, monitor, and respond to third-party risks if they were to occur. It would outline the terrain and highlight pitfalls to ensure a smooth journey.

Here are some tips to help decision makers navigate the maze of complexities that come with dealing with third parties:

  1. Identify and classify the risk level of each third party: 
    • High-risk– These entities require extensive audits and frequent check-ins. An example of a high- risk organisation is one that supplies a key component of your overall product or a contractor that has access to business impacting systems.
    • Medium-risk– Adequate due diligence is sufficient; this would include small or medium-sized businesses that provide products or services that have insignificant effect on operations.
    • Low-risk – Minimal oversight is required for companies such as office suppliers, print companies, and landscapers.

  1. Conduct due diligence – Deploy tools like background checks, credit reports, and compliance certificates to verify credentials and screen partners for business-relevant concerns.
  2. Monitor and review – Based on Zero Trust principles – always verify and monitor all parties while you implement automated governance, risk, and compliance solutions to track performance metrics and flag risks and anomalies.
  3. React and revise– Once a risk is identified, carry out thorough investigations into the root cause, and develop preventative measures to avoid future and further damage, escalations, or losses to the organisation.

There are a host of solutions designed to make these tasks easier and empower smarter, more effective strategies. These include AI-based analytics platforms, risk management software, contract management systems, collaboration portals, and audit solutions.

Lean and clean organisations that know how to successfully mitigate their third-party risk, and capable of responding quickly, have a competitive advantage – they will be seen as more attractive to stakeholders and employees.  In our digital age, institutional investors demand all standards and certifications to prove that the business is sustainable and green.