Teasing out the questions around construction third-party risk management

Linh Dao   |   August 20, 2021
third party risk management construction

In the previous article, we have touched on the increasingly complex business environment where cost and risk have their intricate dance.

Today, let’s tease out a few more aspects of third party risk management.

The supply chain uniqueness of asset builders, owners, and managers

“In Australia, subcontractors are responsible for between 80 per cent and 85 per cent of all construction work, the highest involvement of subcontracting in the world.”

This “pyramid of contractual relationships” is also prevalent among industries such as Forestry, Mining and Energy.

extended supply chain

As mentioned in the previous article, the business environment is getting more complex. As projects get bigger, the number of parties increase, leading to an equal increase of contracts, and indeed an increase in supply chain complexity.

Imagine how complicated the above diagram would be if your organisation has 500, 1000, or 10000 vendors.

Mini question: Do you have visibility into all third parties? What about the extended supply chain?

Back to basics with risk and consequences

The common adage is “great risk great return.” There are indeed some risks worth taking as companies stand to gain from cost efficiency and external expertise. However, organisations need to understand their risk appetite – which is the “type and extent of risk that an organisation is willing to accept in its pursuit of value.” 

Let’s take a step back and hone in on the basics.

There are two ways to look at risks: internally influenced (e.g. company policies, management ethos) and externally influenced. Both can be equally serious, even though you often hear about external risks more in the news (e.g. recession, natural disasters).  

What are the adverse consequences of risk? They fall under three broad categories: operational, financial and reputational.  

Operational examples Financial examples Reputational examples
  • Production/project delays 
  • Excess/shortage of materials 
  • Under-utilised staff/contractors  
  • Penalty payments 
  • Revenue loss  
  • Low margin/profitability 
  • Share price decrease 
  • Negative publicity 
  • Director’s liability 
  • Loss of investor confidence 
  • Poor talent attraction   

Types of risk consequences and examples. Adapted from the CIPS Resilience Model

These consequences are often interlinked.

For instance, since COVID-19 officially became a pandemic, more than half (51%) of organisations faced one or more third-party risk incident. These tend to have more operational and financial impacts.

risk domain covid 19Risk domains most likely to be affected during the pandemic. Source: Deloitte

Linking financial and reputational consequences, earlier academic research has confirmed that regulatory punishment “causes shareholder losses that are, on average, 10 times the size of the penalty itself and negatively impacts share prices, on an average by around 2.55% in the three days after the announcement, where direct harm to customers and investors is involved.”

Mini questions:
  • Is there a hierarchy of significance for the type of risk your organisation is willing to take?
  • What risk topics/domains that are mostly on the minds of industry peers?

“It’s your problem not mine” is no more

Vendor risk assessment has traditionally been performed at the beginning of a new relationship. Once a new contract is signed, there is little, if any, ongoing risk assessment as long as no serious incident occurs. Because this vendor prequalification process is typically a single event triggered by the onboarding of a new vendor, it is viewed as a procurement process.

However, who “works in procurement” is different to “who does procurement.” Given the changing operating models of procurement, the blurring of lines can cause a diffusion of accountability.

Good vs bad

So what are some other characteristics of an immature third-party risk management program?

  • Siloed or domain-specific approach
  • Lacking or confusing measurements of success
  • Reactive to legislation with no long-term integrated plan
  • Investment not being put to good use or underinvestment

In contrast, what does good look like?

  • “Most leaders have a formal and structured Supplier Relationship Management (SRM) program in place, compared to more than 50% of other companies, which have only an ad hoc approach to SRM. Furthermore, 70% of leaders have differentiated programs for strategic and mainstream suppliers, compared to less than 5% of others.”
  • Clear owners of ultimate responsibility and budget, even though the two can be different groups
  • Integrated infrastructure to support processes that are aligned with best practices
  • And elements like in the diagram below:

third party risk management success factorsSource: KPMG

Ask and you shall find the answer

Without needing a full-blown assessment framework, just ask yourself a few questions:

  • What’s the level of urgency for third-party risk management in your organisation?
  • Are you over-investing in one risk domain and under-investing in others?
  • Who do you go to for risk-related updates and insights into your supplier base? Do they have all the answers?

If you are interested in understanding where your organisation is, how the industry is doing, and how to improve your third-party risk management play, check out our upcoming research paper "Building in the Dark - High-risk Supply Chains: Attitudes, Responses & Opportunities."

It’s specifically relevant for those who rely heavily on services focused supply chains, often with a high concentration of high-risk subcontractors.

Register your interest


Linh Dao
As Felix's Marketing Manager, Linh is always immersing herself in the world of procurement and technology. With the aim of telling a meaningful story around the value Felix can bring, Linh draws inspiration and insights from the multi-disciplinary team making procurement better, one process at a time.
Follow me:

Related Articles

Risk mitigation
Are you building in the dark? A precursor of our upcoming report (part 1)

We are living in an era where supply chains are becoming more complex. The ecosystem of a modern organisation has expanded to multiple tiers and layers.

As organisations become critically dependent on third parties to be profitable and deliver successful business outcomes, these third parties have become the Extended Enterprise.

Risk mitigation
The 3rd-party risk management hazards that are costing your business (part 3)

Previously, we have touched on the broad landscape of third-party risk management in the context of subcontractor-dependent industries. Now let’s zoom in on the specific “risk buckets” to see where the potential leaks are.

Risk mitigation
Strategies for third-party vendor risk mitigation in your supply chain (part 5)

Vendor risk management in subcontractor-dependent industries such as construction has re-entered the scene as a hot topic. The increasing burden of compliance requirements, cost pressure and project magnitude have pushed some to be “building in the dark”.

Let's stay in touch

Get the monthly dose of supply chain, procurement and technology insights with the Felix newsletter.