In the previous article, we have touched on the increasingly complex business environment where cost and risk have their intricate dance.
Today, let’s tease out a few more aspects of third party risk management.
“In Australia, subcontractors are responsible for between 80 per cent and 85 per cent of all construction work, the highest involvement of subcontracting in the world.”
This “pyramid of contractual relationships” is also prevalent among industries such as Forestry, Mining and Energy.
As mentioned in the previous article, the business environment is getting more complex. As projects get bigger, the number of parties increase, leading to an equal increase of contracts, and indeed an increase in supply chain complexity.
Imagine how complicated the above diagram would be if your organisation has 500, 1000, or 10000 vendors.
|Mini question: Do you have visibility into all third parties? What about the extended supply chain?|
The common adage is “great risk great return.” There are indeed some risks worth taking as companies stand to gain from cost efficiency and external expertise. However, organisations need to understand their risk appetite – which is the “type and extent of risk that an organisation is willing to accept in its pursuit of value.”
Let’s take a step back and hone in on the basics.
There are two ways to look at risks: internally influenced (e.g. company policies, management ethos) and externally influenced. Both can be equally serious, even though you often hear about external risks more in the news (e.g. recession, natural disasters).
What are the adverse consequences of risk? They fall under three broad categories: operational, financial and reputational.
|Operational examples||Financial examples||Reputational examples|
Types of risk consequences and examples. Adapted from the CIPS Resilience Model.
These consequences are often interlinked.
For instance, since COVID-19 officially became a pandemic, more than half (51%) of organisations faced one or more third-party risk incident. These tend to have more operational and financial impacts.
Risk domains most likely to be affected during the pandemic. Source: Deloitte
Linking financial and reputational consequences, earlier academic research has confirmed that regulatory punishment “causes shareholder losses that are, on average, 10 times the size of the penalty itself and negatively impacts share prices, on an average by around 2.55% in the three days after the announcement, where direct harm to customers and investors is involved.”
Vendor risk assessment has traditionally been performed at the beginning of a new relationship. Once a new contract is signed, there is little, if any, ongoing risk assessment as long as no serious incident occurs. Because this vendor prequalification process is typically a single event triggered by the onboarding of a new vendor, it is viewed as a procurement process.
However, who “works in procurement” is different to “who does procurement.” Given the changing operating models of procurement, the blurring of lines can cause a diffusion of accountability.
So what are some other characteristics of an immature third-party risk management program?
In contrast, what does good look like?
Without needing a full-blown assessment framework, just ask yourself a few questions:
If you are interested in understanding where your organisation is, how the industry is doing, and how to improve your third-party risk management play, check out our upcoming research paper "Building in the Dark - High-risk Supply Chains: Attitudes, Responses & Opportunities."
It’s specifically relevant for those who rely heavily on services focused supply chains, often with a high concentration of high-risk subcontractors.
Previously, we have touched on the broad landscape of third-party risk management in the context of subcontractor-dependent industries. Now let’s zoom in on the specific “risk buckets” to see where the potential leaks are.
Enterprise risk management is inherently about preparing for and mitigating both known and unknown risks. COVID-19 used to be an unknown risk – or a black swan event. Now, it’s morphed into a semi-business-as-usual situation where some risks can actually be predicted, whilst some are still lurking quietly.
In this article, we want to look at the process of managing vendors from two angles. See if it screams “risky business” as you read.
Vendor risk management in subcontractor-dependent industries such as construction has re-entered the scene as a hot topic. The increasing burden of compliance requirements, cost pressure and project magnitude have pushed some to be “building in the dark”.
Be the first to know when we publish new insights.