Risk management isn’t solely about managing threats and opportunities within your company.
Just like it would be impossible for us to grow food, provide clothing, shelter, and other necessities all on our own, the same fact is true for a company. It would be impossible to provide every raw material or handle every service in-house. All organizations rely on a third-party to provide materials, products, and/or services the organization is unable or unwilling to do on its own.
Whether from a supply chain breakdown or some type of scandal, it seems companies everywhere are struggling with third-party risks these days.
Developing a holistic approach to managing these ever-increasing risks is the subject of a session I had the pleasure co-presenting at the 2021 Navex Next Risk & Compliance Conference.
You don’t have to watch the entire session to understand the following…
Third-party risks consist of way more than just supply chain issues.
It’s easy to think that third-party risks are another way of saying supply chain issues, especially in this current period where it seems just about everyone has been reeling from shortages ranging from simple ketchup packets to advanced semiconductors for autos, medical devices, and consumer electronics.
Appropriately titled Holistic Third-Party Risk Management, our session discussed three facets or avenues by which issues around suppliers and other vendors can impact an organization. These include:
Enterprise Risks and Third Parties
In the first section, I outline what exactly is a third-party and how they consist of both upstream (e.g., suppliers) and downstream (e.g., distributors) activities. These activities can create a host of risks ranging from operational and resilience to reputation impacts, cybersecurity issues, and more.
These potential threats to not just an organization’s goals but its very survival in some cases is why robust oversight of third-party risks is so important. Doing so helps protect the organization from reputational harm and legal scrutiny but also helps ensure third parties are a good fit to the organization.
To properly understand third-party risks, their impact, and what should be done about them, there must both be active collaboration with relevant business units and a solid grasp of any suppliers and vendors (4th and 5th parties) of your direct supplier. Adjusting procurement policies, setting clear expectations with the third party regarding performance and conduct, and independently verifying information are a few steps companies can take as part of their due diligence.
ESG Issues and Third Parties
This part of the conference session delivered by Susanna Cagle of NAVEX Global dives into the nuances of Environmental, Social, and Governance (ESG) criteria and how third parties can both positively and negatively impact those criteria.
ESG-related risks can include legal, technology, and reputation, while opportunities for companies who embrace ESG standards include increased resilience, improved efficiencies, and new markets.
In the U.S., the Securities and Exchange Commission currently requires ESG disclosures around human capital, while climate disclosures are expected to be another requirement by the end of 2021. Susanna explains that directives announced by the EU earlier in 2021 are just as, if not more significant, than the GDPR data and privacy rules.
To get ahead of third-party risks and reporting requirements of ESG, there needs to be a clear differentiation between external ESG issues and a company’s financial results. Develop priorities based on regulatory and compliance requirements, unique issues to your brand, and actions competitors are taking.
Third Parties and Anti-Corruption Risks
In this section, Michael Volkov, CEO of Volkov Law Group, outlines different anti-corruption third-party risks. Examples can include bribery, fraud, money laundering, sanctions, and cyber/data. Four minimal steps for minimizing risks consist of information collection, analysis and investigation, red flags and resolutions, and residual risk mitigation.
When evaluating third parties, your organization should determine if they have effective risk assessment processes and clear risk criteria they periodically update.
Due diligence requirements related to anti-corruption will vary between industry, country, and the amount of business your company is conducting with the firm. Michael also stresses the importance of carefully examining any third parties that may fall under the scrutiny of the Office of Foreign Assets and Control, which is an agency of the U.S. Government that develops and enforces international sanctions against individuals and governments around the world.
In the final section of the session, Michael, Susanna, and I dive into steps for developing a holistic approach to managing third-party risks. These steps can include clearly understanding and prioritizing what risks your company should be considering, integrating ESG into your procurement processes, integrating and breaking down silos, increasing transparency, and more.
To learn more, I highly recommend watching the entire 45-minute session when the recording becomes available. You can register for free by visiting the NAVEX Next Virtual Conference page.
I want to extend a big thank you to NAVEX Global for inviting me to participate in this event and that I look forward to presenting in another conference session soon!
Is your company evaluating and managing third-party risks based on these 3 criteria or standards?
Supply chain and third-party risks impact everyone and every organization around the globe and will continue to have more uncertainty in the years ahead. To share your experience or insights, please don’t hesitate to leave a comment below or join the conversation on LinkedIn.
And if your company is struggling to get a handle on its third-party risks and feel like things are slowly spinning out of control, please don’t hesitate schedule a meeting to discuss your specific situation today!
Sign Up For Our Newsletter
Sign Up For Our Newsletter
Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
Most Recent Posts
Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…Read More
As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…Read More
Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…Read More
Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…Read More
On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…Read More
Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…Read More
Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…Read More
One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…Read More
It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…Read More
If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…Read More