Third-party risk is becoming a first priority challenge | Deloitte Canada has been added to your bookmarks.
Third-party risk is becoming a first priority challenge
Reduce your extended enterprise risk
From suppliers to software and resourcing needs, businesses increasingly don’t go it alone. Indeed, we have seen the rise of the extended enterprise – companies relying on a network of third-party vendors to provide them with organizational value and competitive advantage.
Over the past five years, the use of third-party vendors has increased exponentially. And many companies even outsource core functions to derive efficiencies and savings. In doing so, organizations are exposing themselves to high-profile risks like never before. The biggest challenge going forward will be for organizations to provide the appropriate oversight to these third parties – before it’s too late.
Historically third-party risk has been a procurement issue. The process went something like this: Procurement would identify potential savings from outsourcing; legal would draft a contract; and that would be it – few would bother following up on the relationship. That simply doesn’t cut it anymore. The actions your suppliers take have consequences – not just legally but reputationally – even if a security breach or risk incident occurs on the other side of the world.
We see three emerging trends that drive increased third-party risk:
- Increased incidents related to vendors: Suppliers are causing more disruption and risks are not being managed. Information security, privacy and anti-fraud management are some examples.
- Regulators focusing on supplier risk: Regulators are increasing the pressure on organizations to better manage their supply chain risk.
- Pressures from economic volatility: Economic conditions means tighter margins for suppliers and increased risk of supplier disruption.
While the threat landscape is constantly evolving and new threats are on the rise, risks typically fall into one of three categories based on how they threaten to impact your business:
- Financial/reputational: Risk that a third party could damage your revenue or reputation. For instance, your reputation is on the line after a supplier provides you with a faulty component for your goods.
- Legal and regulatory: Risk that a third party will impact your compliance with legislation or regulation. For example, if your supplier violates labour or environmental laws, your organization can still be found liable. Outsourcing doesn’t mean the end of responsibility.
- Operational: Risk that a third party could disrupt your operations. For instance, your software vendor is hacked leaving you with a downed system.
Although those are the more common types of third-party risks, in some cases, risks may overlap. A data breach, for example, is a regulatory threat, but can also be operational.
The governance solution
Of the 170 firms surveyed by Deloitte in our 2016 Global Survey on Third Party Governance and Risk Management, 87% have experienced an incident with a third party that disrupted their operations, and 11% have experienced a complete failure in their vendor relationship. Clearly, these figures show there is a growing need to mitigate risk exposure before it’s too late.
How should companies proceed? With better governance. Strong governance has clear benefits in reducing risk with increased transparency, better alignment to strategy, and consistent regulatory compliance.
Companies can reduce their overall third-party risk profile by embedding third-party risk management practices in all levels of the organization, including:
- Moving from having no formal governance over third parties and taking risk for short-term benefits, to a more intelligent risk-based approach that is better aligned with your enterprise strategy.
- Evolving from having employees with little training to trained professionals and executive champions that align service delivery to strategic objectives.
- Developing standardized processes and proactive decision making using analytics, instead of being in a “firefighting” mode and only tackling issues when they arise.
- Creating fully customized, value add tools that support decision making.
Managing third-party risk is an ongoing process. It’s about prevention rather than reaction. There are tremendous benefits to be gained from embracing the extended enterprise, and indeed today’s competitive business environment demands it. Strong governance must go hand-in-hand, mitigating risk while enhancing rewards, and positively impacting your reputation and bottom line.