In the previous article, we have touched on the increasingly complex business environment where cost and risk have their intricate dance.
Today, let’s tease out a few more aspects of third party risk management.
“In Australia, subcontractors are responsible for between 80 per cent and 85 per cent of all construction work, the highest involvement of subcontracting in the world.”
This “pyramid of contractual relationships” is also prevalent among industries such as Forestry, Mining and Energy.
As mentioned in the previous article, the business environment is getting more complex. As projects get bigger, the number of parties increase, leading to an equal increase of contracts, and indeed an increase in supply chain complexity.
Imagine how complicated the above diagram would be if your organisation has 500, 1000, or 10000 vendors.
Mini question: Do you have visibility into all third parties? What about the extended supply chain? |
The common adage is “great risk great return.” There are indeed some risks worth taking as companies stand to gain from cost efficiency and external expertise. However, organisations need to understand their risk appetite – which is the “type and extent of risk that an organisation is willing to accept in its pursuit of value.”
Let’s take a step back and hone in on the basics.
There are two ways to look at risks: internally influenced (e.g. company policies, management ethos) and externally influenced. Both can be equally serious, even though you often hear about external risks more in the news (e.g. recession, natural disasters).
What are the adverse consequences of risk? They fall under three broad categories: operational, financial and reputational.
Operational examples | Financial examples | Reputational examples |
|
|
|
Types of risk consequences and examples. Adapted from the CIPS Resilience Model.
These consequences are often interlinked.
For instance, since COVID-19 officially became a pandemic, more than half (51%) of organisations faced one or more third-party risk incident. These tend to have more operational and financial impacts.
Risk domains most likely to be affected during the pandemic. Source: Deloitte
Linking financial and reputational consequences, earlier academic research has confirmed that regulatory punishment “causes shareholder losses that are, on average, 10 times the size of the penalty itself and negatively impacts share prices, on an average by around 2.55% in the three days after the announcement, where direct harm to customers and investors is involved.”
Mini questions:
|
Vendor risk assessment has traditionally been performed at the beginning of a new relationship. Once a new contract is signed, there is little, if any, ongoing risk assessment as long as no serious incident occurs. Because this vendor prequalification process is typically a single event triggered by the onboarding of a new vendor, it is viewed as a procurement process.
However, who “works in procurement” is different to “who does procurement.” Given the changing operating models of procurement, the blurring of lines can cause a diffusion of accountability.
So what are some other characteristics of an immature third-party risk management program?
In contrast, what does good look like?
Source: KPMG
Without needing a full-blown assessment framework, just ask yourself a few questions:
|
If you are interested in understanding where your organisation is, how the industry is doing, and how to improve your third-party risk management play, check out our upcoming research paper "Building in the Dark - High-risk Supply Chains: Attitudes, Responses & Opportunities."
It’s specifically relevant for those who rely heavily on services focused supply chains, often with a high concentration of high-risk subcontractors.
Vendor risk management in subcontractor-dependent industries such as construction has re-entered the scene as a hot topic. The increasing burden of compliance requirements, cost pressure and project magnitude have pushed some to be “building in the dark”.
We are living in an era where supply chains are becoming more complex. The ecosystem of a modern organisation has expanded to multiple tiers and layers.
As organisations become critically dependent on third parties to be profitable and deliver successful business outcomes, these third parties have become the Extended Enterprise.
Previously, we have touched on the broad landscape of third-party risk management in the context of subcontractor-dependent industries. Now let’s zoom in on the specific “risk buckets” to see where the potential leaks are.
Get the monthly dose of supply chain, procurement and technology insights with the Felix newsletter.