How many third-party suppliers and inputs is too many? That line shouldn’t only be apparent when it gets crossed.
Businesses have embraced the world’s interconnectedness to more cost-effectively source products and services. Particularly, as internet connectivity has simplified communications across vast distances and businesses with production or services specialisations have entered the supply chain, third-party relationships have boomed. Today, most businesses engage with third parties around the world. Few recognise how truly dependent many businesses are on their third parties.
Where many may assume that third-party relationships are dominated by manufacturing operations in distant lands, for most organisations, third-party relationships are much more dynamic, much more local, and are much more common in the daily operations of the business. Third parties may include diverse roles, such as payroll processors, facilities contractors, food suppliers, regional resellers and partners, distributors and joint ventures in key global regions, and IT service providers.
In many cases, third-party engagements are long term and critical to the operations, growth, and success of the engaging organisation. When things go wrong, the depth and breadth of the relationship can make it challenging to disengage. The relationship may have taken years to build, yet the arrangements can unravel in barely a few months. How exposed businesses are when partnerships unravel depends a lot on how those partnerships were set up and operationalised in the first place.
Recent research by CyberRisk Alliance (CRA) shows the complexity of operating a business today. It says: “On average, most respondents (76 per cent) contract with up to 25 different vendors, business partners, brokers, contractors, distributors, agents, and resellers, [and] virtually all organisations (95 per cent) indicated partnerships with IT software, platform, or service providers, suggesting a growing reliance on technology companies. The largest organisations have the most partners: 56 per cent of large or enterprise organisations reported that they have more than 50 partners.”
While these stats demonstrate how deeply rooted partners are in the business, I would argue the number itself is low and that most organisations have far more partners than they even realise. When you consider the impact of your partners as an extension of your business, it’s critical to know not just the vulnerability that could surface but also how they conduct themselves. Business leaders generally try to align objectives that meet their organisation’s ethical and operational standards when dealing with suppliers.
But is that enough to ensure there are no looming risks associated with a specific partner?
It can also be difficult to really know how robust and resilient third parties are to adverse operating conditions, until those conditions hit.
Trends driving third-party risk assessment
Several trends in the past couple of years brought third-party risk into sharp focus.
First, the rise of work-from-home arrangements over the past couple of years means businesses have become a lot more decentralised. While the employees themselves aren’t “third parties”, they needed the kind of remote system access arrangements that would once have been used almost exclusively by third parties.
Second, many organisations have felt the impact of limited staffing due to the pandemic. Trends such as the "Great Resignation", a mass exodus of staff across sectors chasing better or more flexible work conditions, forced businesses to hire contractors or bring in automation software to fill labour shortages.
Australian businesses that augmented local customer support operations with third-party teams throughout Southeast Asia were hit particularly hard in this regard, with most losing entire third-party operations almost overnight - a loss that lasted for months. Offshore teams were impacted by work-from-home orders but did not have adequate home internet or flexible work systems to transition their operations. To make matters worse, call volumes dramatically increased in the period, as customers sought hardship relief or other forms of negotiated assistance.
Many impacted businesses turned to - and have continued their use of - online chat-based support, dropping phone support entirely. Others have taken more drastic measures such as onshoring support operations, reducing reliance on third parties entirely. The approach taken has come down to a risk assessment for how long they could function without third-party operations or with ongoing uncertainty affecting those operations.
Third, the sourcing of both raw materials and componentry inputs continues to be severely constrained due to capacity issues in supply chains. That has brought into sharp focus organisations’ reliance on others in the assembly of their own products or execution of their own services.
Where consumers may have once been able to walk into a store and walk straight back out with a new laptop or smartphone, there are now multi-week or multi-month waiting periods for order fulfilment. Businesses that rely on electronic equipment, such as internet providers, now carry higher volumes of stock and spares to insulate themselves against ongoing shortages.
In response, countries worldwide are lining up to sink tens of billions into chip fabrication to create ‘sovereign’ (read: homegrown) production capacity that would reduce the need for domestic companies to source these components from third parties elsewhere in the world. However, this capacity will take time to come online, and businesses have had to come up with their own alternatives much sooner.
In Australia, modern slavery reporting requirements have also brought third-party risk around ethical sourcing into the mainstream and require businesses to maintain a thorough understanding of every element of their supply chains and how each acts.
A variation of this idea came up during a recent panel discussion, where it was noted that fourth-party risk management is an essential part of third-party risk management. That is, it isn’t just the third party that a business has a contracted relationship with that is of concern, but also that third party’s own third-party relationships with contractors, subcontractors, and other entities.
More than three out of every four leaders now rate managing third-party risk as a high or critical priority at their organisations, and this has been increasing considerably for most organisations since 2020. Budget spending is increasing for nearly half of all organisations.
Third-party risk management is ultimately just one part of the larger risk, compliance, and resilience program. The broader scope also includes third-party compliance, performance management, auditing, due diligence, issue management, and more - all of which must tie in with the overall business risk, compliance, and resilience program and objectives.
Integrating all these processes on one unified platform can simplify third-party governance, while also reducing costs.
Michel Feijen is the managing director, APAC, of MetricStream.