Risks? What risks?

First things first. Having specified that we are discussing third party risks only, we should further delineate the types of risks that confront companies, organisations and business units. Third party risks are many and varied but for the purposes of this article we’ve identified 5 broad types and some of their potential consequences:
1. Brand – This is an important one because damaging ones brand naturally means damaging perception, relationships and amongst other things, the bottom line.
2. Stakeholder returns – This point may not be as public as “risk to the brand”, but things inevitably take a turn for the worse when stakeholder returns are put at risk.
3. Corporate and regulatory risks – This is the iceberg that lays just beneath the surface. Falling foul of legal liabilities and regulatory compliance will, without doubt, have a damaging knock-on effect that again, may reflect poorly on the balance sheet.
4. Financial – sub-optimal management of these third-party risk factors can affect cost of goods, labour, logistics, trust(!) and more, all of which directly impact the delicate balance that dictates profit and business continuity.
5. Supply chain disruptions – These risks are never too far from the front page when things go awry, particularly if third part scenarios have not been properly managed. Be it trouble in or around the Suez, political factors, local flooding or fuel supplies, supply chain issues can heavily influence commercial and service outcomes.

Within those five points, there are a number several issues which in our industry are managed on a daily basis. However, the third point is critical as it draws the attention of both regulators and operators within the industry. In terms of regulatory risks, we find ourselves building businesses and organisations on the shifting sands of legislation around environmental, human rights, cyber security, sustainability and digital resilience issues. Procurement because of proximity to suppliers, goods and clients, needs to be instrumental in managing this.

These risks can all be managed but none of them can be completely eradicated. The best-case scenario is to have robust plans, procedures and protocols in place, managed by the function best placed to proactively engage with these risk scenarios. Again, in most cases, this is Procurement.

Critical risk management components

Over recent times, we’ve observed 5 approaches to the management of third-party risks by Procurement. While not quite “set in stone” trends, they illuminate options that can be applied to the circumstances and requirements of your organisation and therefore determine the role (and even the size and significance of the role) that your procurement department should have in managing third party risks.
1. Risk assessment (only) – this involves assessing and flagging potential risks around financial issues, cyber security, human rights.
2. Compliance oversight (regulatory) – This means providing a framework for adherence to relevant laws and regulations by suppliers.
3. Risk management hub – An active and central role in consolidating and managing data security, compliance, sustainability, and involves real time monitoring, and due diligence assessments through advanced and predictive analytics.
4. Advisory (strategic) – Preceding and therefore guiding any remediation/mitigation activities, the emphasis here is on insights delivery and supply chain design.
5. Digital optimisation – focuses on streamlining processes, risks assessment and monitoring.

To be clear, the idea is not to pick one of these elements and run with it as a solitary third-party risk management strategy. It is necessary to address all 5, but where should the emphasis be placed? An interesting and useful exercise would be to assign a percentage of procurement’s resources to each of these five roles based on need/priority.

Procurement should helm the “third party risk management” ship

“The only constant is change.” That’s a phrase that has come up again and again throughout our series of Industry Trends articles – and with good reason. It is increasingly obvious that reputation, regulatory compliance, operational, and info/data security concerns continue to escalate and morph as supply chain expectations and demands, and therefore the risk landscape, constantly shift.
Surveying the procurement landscapes both nationally and abroad would suggest there is considerable merit in adopting the approach that places Procurement at the helm of your company’s third-party risk management ship.
Having taken inventory of your organisation’s risk profile and priorities, the “hub” approach (centralise everything for a ‘single source of truth’ scenario) may then prove to be the most practical in terms of balancing mission and risk management. Internal challenges to be overcome may include:
1. Interdepartmental communication
2. Data integrity
3. Access to decision-makers/autonomy
4. Cultural buy-in to the role and value of Procurement to the achievement of Company goals
Based on recent trends, this central hub approach may be the best way to weather the fickle but ever-strengthening winds of change across the commercial and regulatory environments.