Five Third-Party Risks and Benefits of Continuous Risk Management
Third-party risks are a part of doing business. Capturing these risks and being able to rapidly adjust the supply chain is more important than ever. The COVID-19 pandemic has made a permanent impact on global production networks, increasing many business risks and exposing vulnerabilities. But these vulnerabilities have existed for years, and they will outlast the pandemic.
Procurement leaders need a way to visualize ongoing events that affect the third-party suppliers that comprise their supply chains. This group includes those parties' affiliates, or “Nth parties,” which also present risk to your company. There are now more opportunities to capture information in a continuous manner and develop actionable insights to mitigate those risks. By using ongoing, broad-based risk monitoring, procurement teams can proactively increase third-party and supply chain resiliency with greater agility than ever before.
Download our new guide, Retrofit Your Risk Strategy, to learn how to develop a risk-aware culture from the ground up.
What is ongoing, broad-based risk monitoring?
Traditional procurement risk assessment practices are overdue for a change. Procurement teams typically perform risk assessments quarterly or yearly, but they don't actively monitor those risks, which exposes their organizations to supply chain disruptions. They may examine new suppliers but often lose track of factors associated with those suppliers that expose them to future risk. They also do not leverage community data to identify risk based on broad supplier performance.
Ongoing, broad-based risk monitoring is the continuous exercise of monitoring multiple risk domains in a dynamic and centralized way. According to McKinsey, persistent monitoring is critical to organizations' efforts to identify risks that could damage them. When done successfully, procurement teams can anticipate and avoid the negative impacts of third-party and supply-chain risk. They can shift from a "reactive" to "proactive" supply-chain risk management model, building resiliency into the procurement practice to protect against future crises.
Critical risk domains to manage with continuous risk monitoring
Procurement teams today must address a number of third-party risks. The five risks highlighted below are a few key areas that can be mitigated with continuous risk management and a proactive risk management approach:
1. Reputational risk
Reputational risk refers to negative public or customer perception of one's company driven by associations with supply chain partners or their affiliates. For example, third parties may have poor environmental, civil, or human labor practices, which may negatively impact a company's reputation if that company does business with them. This can include politically exposed companies and companies working with foreign- or state-owned entities, among other factors.
Procurement leaders need to understand how third parties and the services they provide are affected by these issues. Ongoing, broad-based risk monitoring can help procurement teams monitor these practices and relationships in real time, identifying third-party issues that can harm a business's reputation. Teams that access insights driven by a community of procurement professionals can enhance this understanding without additional effort.
2. Revenue risk
Revenue risk consists of financial risks associated with supply chain partners and their affiliates. These third-party companies may become financially unstable, and they may face fines or financial challenges that can impact the companies that share their supply chains.
Risks to revenue are always changing, and new financial risks can easily emerge undetected. Ongoing, broad-based risk monitoring provides visibility into these potential risks, helping procurement leaders decide with whom they should build and maintain relationships.
3. Information security and data privacy risk
Information security and privacy risk, also known as "data risk," refers to vulnerabilities associated with companies' interdependence on data. If third parties have data breaches, violate GDPR, or have data held hostage by bad actors, those events may damage downstream supply chain partners who share access to that data.
Procurement teams need visibility into those companies' data histories and liabilities. More importantly, procurement teams must remain proactive in their monitoring as their relationships change over time.
For example, one of your suppliers without access to your internal, confidential data may not present any risk to you now. When a supplier doesn’t present clear risk, your team may not vet or track that supplier in detail as a result. But information security and data privacy risk isn’t a point-in-time event. It must be evaluated continuously. If your team chooses to share data with the supplier later so the supplier can perform a critical function, or there is a change of relationship, you will need systems that take those new risks into account.
4. Performance risk
Procurement teams must have real-time visibility into the performance of their suppliers and partners. They must regularly ask and find answers to key questions, such as:
- Are our suppliers living up to their obligations?
- Are these entities still performing like they were when we first contracted with them?
- Are they performing based on our contracted key performance indicators (KPIs) and service-level agreements (SLAs)?
A clear picture of performance changes over time will help procurement teams take action — whether that means demanding improvements, lowering costs, or eliminating those partnerships altogether.
5. Regulatory risk
Ongoing, broad-based risk monitoring applies to partners' success in meeting regulatory requirements as well. Regulators require that procurement teams maintain effective and compliant controls for avoiding partners with vulnerabilities and poor business practices. As with revenue and reputational risk, the best controls apply when choosing new partners and monitoring existing ones.
Achieving this visibility across all partners and affiliates helps procurement teams reduce costs and increase the efficacy of their own compliance. With the right tools, they can apply these efficiencies to all outsourcing, information security, financial viability, GDPR, anti-bribery, and anti-corruption risks that might affect their organization, among others. The key to successful risk mitigation is becoming proactive in identifying risk and performance issues with third parties. In this way, organizations can better avoid fines, penalties, failed audits, and legal costs. They can also understand value impacts associated with regulatory findings, and they can systematically enforce regulatory requirements.
How procurement leaders can execute ongoing, broad-based risk monitoring successfully
Too often, internal systems and external data services (e.g., BitSight for IT risk) become siloed in one part of the company. Teams must continuously pull data from these services to benefit from timely insights. The processes required to achieve this ongoing visibility become cumbersome as a result.
Fortunately, procurement teams can overcome these challenges with some internal adjustments and the adoption of new, holistic third party management solutions. Here are four ways these solutions can help procurement teams succeed with ongoing, broad-based risk monitoring:
Eliminate silos: Procurement teams must overcome the idea that certain data is confined to specific teams when, in fact, the data from all teams is related. Organizations can connect that data and coordinate stakeholders in a centralized way so that everyone has visibility, allowing for ongoing monitoring within procurement and other teams such as legal, finance, and IT.
Supplement with community insights: Integrate shared insights from an anonymous community of procurement teams to supplement existing-supplier data, third-party data, and internal data, creating a comprehensive view of supplier health.
Make insights actionable: Leverage artificial intelligence for the power to automate supplier recommendations based on those community insights. This makes it easier to find alternate suppliers with the characteristics and security you need when an existing supplier fails.
Take action: Get team members into the habit of acting on risk factors, whether that means putting a supplier "on hold," preventing requisitions and invoices, stopping payments, or replacing the supplier altogether.
Get proactive about monitoring risk with Coupa
Risk monitoring can no longer be an annual practice. It needs to be day-to-day, but it needs to be easy and effective as well. Instead of using multiple siloed tools, achieve an aggregated centralized view using a platform with centralized data capabilities.
It's time you reshape spend and supplier management with a broader, more comprehensive view of global, third-party networks. Contact a third-party risk management expert or learn more about Coupa's ongoing, broad-based risk monitoring capabilities today.