Third party risk

In the past two decades, there has been a marked increase in the number of third parties and length of the supply chain which organisations rely on. Third parties can provide significant benefits and value, with the outsourcing of ‘non-core’ activities allowing the third party provider to provide goods and services using their expertise, while the outsourcer can focus directly on its core activities.

The benefits of third parties are regularly broadcast, however associated risks of such arrangements may not be fully appreciated. Risks often start to crystallise during so called ‘black swan’ events like the current COVID-19 pandemic and the resulting socioeconomic turbulence.

The impact of reliance on (and exposure to) third parties during the pandemic has been increasingly felt by organisations and consumers. Third parties are going bust or into administration, and lockdowns, work/travel restrictions and absence of staff (through illness, self-isolation and/or furlough) are leading to a delay or cancellation of provision of goods and services. Conversely, in some instances, delays, shortages and cancellations have also been felt as a result of an increased demand for some goods and services at third parties, such as PPE and groceries.

Similarly, we have seen a number of other high-profile news stories in respect of third parties throughout the pandemic, including:

• allegations of illegal working practices and modern slavery at a ‘fast-fashion’ company’s sub-contractors
• supermarkets pressurising suppliers to provide price cuts
• cybersecurity and data protection concerns with third party video conferencing facilities.

The impact of interruption to goods and services can be a clear detriment to an organisation, especially where it is having to adjust to new ways of working. More broadly however, there can be a wider impact, including extensive reputational damage as the examples above and more historical cases (such as the horse meat scandal) demonstrate.

Outsourcing and use of third parties has often been seen as a way of ‘outsourcing’ risk. However, while some risk can potentially be transferred to a third party, there will always be a certain degree of risk associated with use of third parties. Oversight of the risks posed, especially during times of uncertainty should be regularly reviewed and mitigated to an acceptable level in line with risk appetite. Crucially, these risks should not be considered in isolation, with thought given to the potential impact of risk contagion which might occur in the event of a third party risk crystallising (for example, reputational damage and associated financial losses).

Strong, tailored procurement, due diligence and contract processes will play a significant role in mitigating these risks in the first instance, though third parties (and where necessary, their supply chain) should also continue to be proactively monitored and managed, with financial strength, reputation, and compliance with contractual terms regularly assessed.

Regular communication with the third party should also be consistent throughout the third party lifecycle; however this becomes even more important in uncertain and unpredictable times. Not only does this enable strong working relationships to be formed and enhanced to ensure that value is being obtained, it also enables the organisation to better understand any stresses or strains at the third party. This can also help with more timely implementation of escalation steps and/ or exit strategies.

Questions organisations should be asking

• Do you have a complete schedule of contracts and do these contain a right to audit?
• Do you fully understand all of your supply chain? Is there an understanding of the second, third up to ‘nth’ tier organisations?
• What are the contract management processes in place? Are suppliers regularly reviewed?
• Have you audited the supply chain to check for contract compliance?
• Do the key responsible staff have an understanding of the contract terms?