Most firms' key considerations when selecting a new vendor are performance expectations, cost/benefit analysis, references, and business liabilities. Thinking through risk is a more recent addition, and where it happens it has tended to focus on reputational, financial, or legal risk. Those are good starting points for a supply chain risk management strategy, but they do not cover the full scope of the risk. The 2023 BCI Supply Chain Resilience Report stated that in the past 12 months, 35.7% of the causes of supply chain disruptions were cyber-attacks and data breaches. Understanding your business's exposure and developing a benchmark against which you can evaluate a potential counterparty is the first step toward a solid platform for assessing third-party risk.
Building a Counterparty Evaluation Platform
Identify your most critical vendor relationships by reviewing which vendors you pay the most money to, which vendors hold the most sensitive or regulated data on behalf of your organization, and which vendors are the most exposed and risky. If necessary, create a matrix that correlates these factors; you will then quickly have identified the counterparties that need the most attention.
Then, determine which areas of risk these vendors have in common. This will likely involve reputational, legal, data, and financial risk. Devise a method by which you can gain insight into the vendor's posture in each area. For instance, a social media search might give insight into a counterparty's reputational posture. To understand the risk to data, you might request a firm's SIG (Standardized Information Gathering questionnaire) or devise your own questionnaire about their cybersecurity posture. Gathering insight into these areas will help you identify weaknesses. Still, the first step is deciding which data you want to collect and making it as uniform across vendors as possible, so that your job is easier and vendors can be compared.
Onboarding New Relationships
When looking at a new relationship, it will benefit you and the business to begin diligence as early as possible so that any vulnerabilities can be identified and, where possible, mitigated. As with most governance, the business will likely see this additional oversight as slowing things down. The risk management team can do a few things to soften the sense that guard rails are being installed. First, evaluate existing relationships in stages. You don't have to do every vendor at once; consider starting with your most critical relationships or the ones you consider highest risk. That puts less pressure on the organization and on your team. Second, when performing an intake analysis, determine which benchmark KPIs are absolute requirements for onboarding and evaluate against those before allowing the engagement to proceed. The remaining KPIs can be collected later, once the engagement is under way. This lets the relationship begin while easing the feeling that governance is slowing things down.
Establishing a Cadence
Your vendors do not all have the same risk profile, so you do not need to query them on the same cadence. High-risk vendors might be surveyed and refreshed annually or more frequently, but less risky vendors could be surveyed less regularly. Once established, this cadence should be automated as much as possible to ease the administrative burden on your team and make the process of submitting refreshed data a uniform and expected one for the counterparty.
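The tiering matrix, onboarding gate, and cadence described in the three sections above can be expressed as a small scoring model. The following Python script is an added example and is not code from the original post or from any product it mentions. The spend thresholds, the composite-score cut-offs, the cadence in days per tier, the gating KPI names, and the sample vendors are all constructed assumptions for illustration; a real program would replace them with the firm's own benchmark values.

```python
"""Vendor risk tiering, onboarding gate, and refresh cadence (added example).

All thresholds, KPI names, and vendor records below are assumptions
constructed for this illustration, not values from the original post.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed annual spend thresholds (USD) separating low / medium / high spend.
SPEND_THRESHOLDS = (100_000, 1_000_000)

# Assumed refresh cadence per risk tier, in days.
CADENCE_DAYS = {Level.HIGH: 180, Level.MEDIUM: 365, Level.LOW: 730}

# Assumed "absolute requirement" KPIs a vendor must satisfy before onboarding.
GATING_KPIS = ("encrypts_data_at_rest", "mfa_for_admins", "incident_notification_sla")


@dataclass
class Vendor:
    name: str
    annual_spend_usd: float
    data_sensitivity: Level          # most sensitive data class the vendor holds for us
    exposure: Level                  # how exposed/risky the vendor itself is
    soc_exceptions: int = 0          # unresolved exceptions noted in their SOC report
    kpis: dict = field(default_factory=dict)  # questionnaire answers, True = satisfied


def spend_level(spend: float) -> Level:
    low, high = SPEND_THRESHOLDS
    if spend >= high:
        return Level.HIGH
    if spend >= low:
        return Level.MEDIUM
    return Level.LOW


def composite_score(v: Vendor) -> int:
    """Sum of the three matrix factors; ranges from 3 to 9."""
    return int(spend_level(v.annual_spend_usd)) + int(v.data_sensitivity) + int(v.exposure)


def risk_tier(v: Vendor) -> Level:
    """Map the composite score to a tier; an open SOC exception bumps the tier up one."""
    score = composite_score(v)
    if score >= 8:
        tier = Level.HIGH
    elif score >= 5:
        tier = Level.MEDIUM
    else:
        tier = Level.LOW
    if v.soc_exceptions > 0:
        tier = Level(min(int(tier) + 1, int(Level.HIGH)))
    return tier


def review_cadence_days(v: Vendor) -> int:
    return CADENCE_DAYS[risk_tier(v)]


def missing_gating_kpis(v: Vendor) -> list:
    return [k for k in GATING_KPIS if not v.kpis.get(k, False)]


def onboarding_decision(v: Vendor) -> tuple:
    """'blocked' if a gating KPI is unmet; otherwise proceed, with or without mitigation."""
    missing = missing_gating_kpis(v)
    if missing:
        return "blocked", missing
    if v.soc_exceptions > 0:
        return "accept-with-mitigation", []
    return "proceed", []


def prioritized_review_queue(vendors: list) -> list:
    """Highest tier first, then highest composite score, then name for a stable order."""
    return sorted(vendors, key=lambda v: (-int(risk_tier(v)), -composite_score(v), v.name))


# Constructed sample vendor records (not real companies).
ALL_TRUE = {k: True for k in GATING_KPIS}
SAMPLE_VENDORS = [
    Vendor("PayrollCo", 2_500_000, Level.HIGH, Level.MEDIUM, 0, dict(ALL_TRUE)),
    Vendor("CloudBackupInc", 300_000, Level.HIGH, Level.HIGH, 2,
           {"encrypts_data_at_rest": True, "mfa_for_admins": True}),
    Vendor("OfficeSnacks", 20_000, Level.LOW, Level.LOW, 0, dict(ALL_TRUE)),
    Vendor("MarketingSaaS", 150_000, Level.MEDIUM, Level.MEDIUM, 1, dict(ALL_TRUE)),
]

if __name__ == "__main__":
    for v in prioritized_review_queue(SAMPLE_VENDORS):
        decision, missing = onboarding_decision(v)
        print(f"{v.name:15} score={composite_score(v)} tier={risk_tier(v).name:6} "
              f"cadence={review_cadence_days(v)}d onboarding={decision} missing={missing}")
```

Running the script prints the review queue with the most critical counterparties first, each with its refresh cadence and onboarding decision. Keeping the thresholds and gating KPIs in named constants makes the benchmark explicit and uniform across vendors, which is what allows comparison between them.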
One-Off Situations
Sometimes you have to survey your counterparties to understand exposure to a particular incident. For instance, during the SolarWinds exposure, many firms reached out to their vendors to find out what their exposures were and how they might be impacted. This data was then incorporated into vendor files, and future surveys were updated. These one-off situations can be learning moments that drive the development of what should be an evolving and always-growing oversight schema. If a questionnaire hasn't been updated in a year, it should be reviewed; chances are something has changed in the marketplace that justifies a refresh.
Mitigating Risk
During the summer of 2022, BCG and APQC surveyed 150 companies and found that a surprising 90% of them were reacting to crises as they unfolded because they were not adequately prepared.
The goal of the vendor diligence process is not merely to collect data, although data collection can help the business evaluate its risks quickly and make decisions easily. The goal is to identify and mitigate risks early in the counterparty relationship.
Consider this example. A heavily regulated US bank submits its questionnaire responses to you, and they seem fine. However, the SOC report accompanying the survey shows some serious exceptions in data management and security. You have identified a security exception that puts your firm at risk, and you now have to decide whether to accept and mitigate that risk or whether it is too much for your organization to bear. If you have other potential counterparties in play, it may be easier to move on to one of those relationships instead. If this is the only option on the table for compelling business reasons, engage your security team early to determine mitigation strategies that protect your constituents from data breaches. When you select a vendor after reviewing their documentation, evaluate it in a clear, repeatable way; you may elect to use a low/medium/high scoring system. If there are mitigation strategies you have chosen to employ, be sure to note what steps you have put in place, who is responsible for enforcing them, and how they will be audited.
In Conclusion
Understanding your exposure to your third parties is the first step in overseeing them. Once you know who they are and where you are exposed, you can develop mitigation strategies for the vulnerable areas.
Ready to strengthen your supply chain resilience? Take the first step towards safeguarding your business by leveraging Sage's powerful tools and expertise. Assess your vendor relationships, implement robust risk assessment measures, and ensure proactive mitigation strategies are in place. With Sage, you can confidently navigate supply chain complexities and protect your business from disruptions. Get started today and empower your supply chain with Sage.