The third-party paradox: How to manage extended enterprise risk effectively
By Tim Scott
No organization is an island. Across industries, organizations rely on third parties for their day-to-day operational needs. More than ever, your business comprises not only your own employees but also your business partners, vendors, and contractors. Welcome to the world of the extended enterprise. What was once done as a matter of cost reduction is increasingly being driven by a need for scalability, agility, and innovation.
The proof is in the numbers. In a recent Deloitte global survey1 on third-party risk, 74 percent of respondents said third parties will play a critical role in their business in the year ahead, up from 60 percent the year before. This not only indicates the integral role third parties have today, but the importance of fostering and maintaining strong third-party relationships in the future.
What’s at issue is that while third parties allow organizations to be more agile and efficient, they also leave businesses exposed to increased risk. Our survey showed 87 percent of businesses experienced a third-party disruption, 28 percent a major disruption, and 11 percent a complete third-party failure.
What’s even more challenging—and critical to recognize—is that the extended enterprise continues to grow, making third-party risk even harder to manage. In fact, it now includes fourth and even fifth parties, because your vendors have vendors too.
The risks can be quite diverse, including:
- Regulatory and legal compliance
- Intellectual property
- Business continuity
- Quality/Customer experience
From security leaks due to subcontractors to vendors unwittingly using child labour, your extended enterprise can expose you to unforeseen risks.
Managing the challenges
These days, the extended enterprise is about driving performance, not just controlling cost. Your organization must ask itself, “What is the value we expect to derive from each vendor, contractor, or business partner relationship?” Most organizations believe the heavy lifting is done once the contract is signed; in reality, several challenges stand in the way of ensuring that business objectives are truly achieved.
These challenges include:
Creating a flexible and agile governance model. Governance should not be burdensome and should not add bureaucratic layers. A good governance model should define ownership, set clear guidelines and expectations, and should, ultimately, drive transparency of both risks and value.
Making decisions informed by data and analytics. Your decisions are only as good as the data that’s available. Too often, organizations don’t think about what information is relevant to assessing risk and validating performance related to key business relationships. It’s imperative to build data-sharing expectations and requirements into contracts so that key risk and performance indicators can be measured effectively and in real time.
Navigating events that shape the extended enterprise. Organizations are often surprised and reactive when a significant event occurs within their extended enterprise. Understanding key risk areas and monitoring them in real time will not only help minimize reputational damage, regulatory fines, and a decline in share value, but will also help to enhance relationships and coordination with your key business partners should a crisis occur.
Managing relationships, compliance, and regulation. Just because you outsource to a third party does not mean that you aren’t responsible for legal and regulatory compliance. Societal expectations of “good corporate citizenship” are at an all-time high and social media will ensure that any breach is shared around the world in an instant. Strong relationships and collaboration within your extended enterprise will allow you to effectively navigate events that could be very costly and damaging to your organization’s reputation and bottom line.
Searching for talent. Half of our survey respondents indicated they don’t have adequate skillsets to effectively manage third-party risk. As board and regulatory expectations related to management of third-party risk continue to increase, it will be imperative to find people who truly understand third-party risk holistically—from assessing vendor risks, onboarding third parties, and monitoring through to performance improvement and contract renegotiation.
Making the change
If you have not taken concrete action yet, you are not alone. Start by developing your risk profile. Ask questions to determine what your extended enterprise entails. A large organization may have thousands of third-party relationships. To get a handle on your third-party risk, you must have a clear picture of your extended enterprise. Key questions to ask:
- Who are your key third parties?
- What risks are they exposing you to?
- What tools and skillsets will you need to manage them?
One of the biggest risks an organization can face is a lack of knowledge about its extended enterprise. Engage your board on strategies to manage third-party risk, develop a complete inventory of third parties, and oversee the controls and processes to proactively manage third parties—not only to reduce risk but also to improve relationships.
It’s also imperative to have organizational alignment on the objectives of your third-party risk management program. Some organizations focus purely on cost recovery while others take a holistic approach to understanding and managing risk. Through our experience we’ve seen the cost-recovery and savings opportunities range from three to five percent of an organization’s contracted spend, while savings related to the prevention of non-compliance or a brand-damaging event can be much higher.
Don’t hesitate to approach your key vendors, contractors, and business partners for contract assessments or monitoring. While that may be daunting, keep in mind that most contracts have right-to-audit clauses and that your third-party partners are growing more accustomed to these types of assessments. (Contract ambiguity is usually to the benefit of the vendor.) Assessing your vendors doesn’t have to be confrontational: tell them you value your relationship and stress the importance of ensuring that the anticipated benefits of that relationship are being achieved—therefore, looking into the program is to everyone’s advantage.
What is your next step? Begin with a comprehensive third-party risk assessment. Before you can plan how to mitigate risk, you have to know what the risks facing your organization are. Engage stakeholders at all levels; managing risk is a firm-wide process. Collaborate with your business partners, remembering that this is a joint effort. And focus on value creation, not just cost reduction. Third-party risk management is a proactive process; don’t wait until you have experienced a complete failure. Steps you take now towards mitigating vendor risk will pay future dividends.