Navigate the complexities to manage third party risks

Section A: Context: What are third-party risks?

The list below reads like a 'who's who' of debacles and mishaps. The events are unrelated, but they share a common theme:

  1. An endpoint software vendor outage in July 2024 is fresh in mind: a botched software upgrade affected millions of Windows systems around the world, resulting in several hours of operational downtime for airlines, railways, hospitals and banks.
  2. Fluctuating rainfall, long dry spells and soaring temperatures reduced cocoa crop yields and cocoa production, resulting in a supply shortage for confectionery makers, with cocoa prices rising by 400% over the past year.
  3. Between 2020 and 2023, a worldwide computer chip shortage impacted industries such as automobiles, consumer electronics and PC makers; it was caused by events predating Covid, such as drought in Taiwan, plant fires in Japan and trade wars between the US and China.
  4. The Red Sea, a passage for 30% of the world's container traffic, is undergoing a shipping crisis due to geopolitical tensions. Maritime traffic has been re-routed to avoid the Red Sea, adding time and distance. 80% of India's trade with Europe passes through the Red Sea, affecting industries such as auto, auto ancillaries, chemicals and marine food exports.
  5. 2023 was a record year for cybersecurity breaches that originated through a third party or in which the third-party vendor itself suffered a security breach. Organisations face increasing risks from third-party driven cybersecurity threats.
  6. The COVID-19 pandemic dramatically exposed the vulnerabilities in global supply chains and high third-party dependencies. Companies had to rapidly adapt to disruptions, with an emphasis on resilience and contingency planning.

The organisations in this line-up are mostly unrelated. The common thread is that the operational and business impact was caused by their high reliance on third-party suppliers to deliver services, raw materials and goods.

In essence, third parties are suppliers of services, raw materials and components to other organisations. Third-party risks are the potential disruptions and challenges an organisation faces when a third-party vendor fails or under-performs. These can have a significant impact on an organisation's operations, business continuity and profitability.

In addition, relying on a limited number of sources for raw materials and components has proved to be a huge vulnerability during disruptions. This has exposed the need for organisations to re-evaluate their supplier networks and diversify to reduce this dependency.


Section B: Where do third-party risks fit within an organisation’s ERM (Enterprise Risk Management) framework?

For corporates, this VUCA world is highly inter-connected, complex and digitised, with business impacts triggered by geopolitical crises, trade wars and climate change. The enterprise risk landscape is evolving rapidly, with risks across the categories below:

  (a) Strategic
  (b) Operational
  (c) Financial
  (d) Compliance and Regulatory
  (e) Supply chain
  (f) Environment, Social and Governance (ESG)
  (g) Reputational
  (h) Health and Safety
  (i) Cybersecurity and Information Security

In addition to the above risk categories, there are risks reflecting dependence on third-party suppliers for the delivery of services, goods and raw materials. These are third-party risks, and they are woven throughout the enterprise risk categories. As part of the ERM process, these risks are identified through sensitivity analysis and assessment of critical vendors, based on their likelihood, criticality and potential impact.

Periodic monitoring of third-party vendors' ability to meet their commitments, their performance, and their exposure to internal and external factors is crucial to manage and mitigate risks over time. Organisations need to monitor, assess and track changes in a third party's financial health, operational capabilities, market reputation, and regulatory and compliance status. In essence, third-party risks affect multiple risk categories for an organisation that engages third-party vendors, and they require robust management strategies to mitigate potential disruptions.


Section C: What has been the trend of third-party risks for Indian corporates? What has changed in the recent times?

Third-party risk exposure for Indian corporates is neither new nor a recent phenomenon. Overall, third-party risks for Indian companies have grown from a relatively minor exposure in the 1950s to a significant, critical component of ERM in the 2020s. The scale, complexity, spread and potential impact of these risks have increased many-fold.

When materialised, these risks have caused disruption of significant proportion, ranging from business operations downtime and inability to deliver the desired volume of components, to inability to deliver the agreed services to customers. In many cases third-party disruptions have substantially increased the cost of operations, impacting profitability and causing a revenue impact for the recipient organisation.

1. Let us take a peek at how third-party risks have evolved over the past decades for Indian corporates:

1950s to the beginning of the 1980s: Minimal to low third-party risk exposure, with limited globalisation, a government-led economy and an environment favouring in-house operations, with a minimal role for third-party vendors, particularly international ones.

1980s to the end of the 1990s: Third-party risks began to increase as India started to open up its economy and engage with global markets, with higher foreign participation and more third-party partnerships. The 1990s witnessed a sharp rise in third-party risks as a result of the liberalisation of the economy, the IT and BPM boom, and complex supply chains. By the end of the 1990s, organisations had higher integration into global supply chain networks.

2000s to the end of the 2010s: Dependencies on third parties increased dramatically, driven by the expansion of global markets, technological advancement and the outsourcing boom, leading to more complex third-party relationships. These risks became a major concern during the 2010s. The intricacies of digital transformation and integrated supply chains with wide networks of suppliers and logistics providers dramatically increased these dependencies. In addition, the advent of cybersecurity risks, the complexity of regulatory compliance and ESG demands played a key role in elevating the complexity of third-party risks.

The 2020s - pandemic and beyond: The pandemic, a black swan event, dramatically exposed the fragility of global supply chains and third-party dependencies, and their impact on business operations and health and safety across the world. It exposed the over-reliance of many companies on a limited set of suppliers and regions, and of a few industries even on single countries. This brought third-party risks onto the radar of every corporate, large and small, across MSMEs and the public, private and social sectors.

2. What have these third-party driven disruptions resulted in recently?

Companies had to quickly adapt to disruptions, leading to an increased emphasis on operational resilience and contingency planning. The pandemic accelerated digital transformation, leading to still higher reliance on third-party technology providers, which in turn heightened cybersecurity and data privacy risks.

With an increasing focus on regulatory compliance and ESG in TPRM, Indian companies now have higher accountability for the ESG practices of their third-party partners. Last but not least, increasing geopolitical tensions, escalating into war in a few countries across the world, have increased the risks associated with global third-party relationships.

All these factors have made third-party relationships an integral part of Indian companies' operational and strategic frameworks, along with formalised Third-Party Risk Management (TPRM) practices.


Section D: What is the potential impact of the third-party risks exposure?

As outlined in the line-up in Section A, business disruptions for these organisations were triggered by their high reliance on third-party suppliers to deliver services and raw materials. The net effect was a combination of operational downtime and delays in delivering finished goods to customers.

Additional scenarios in which third-party risks materialise are outlined below:

1. Service Provider Outages: An outage of a third-party cloud, SaaS or telecom provider, or downtime of a third-party vendor's technology systems caused by faulty or insufficiently tested patches. In a few cases, a third-party vendor without an adequate BCP and DR may take longer to recover from an outage, causing extended downtime.

2. Cybersecurity Breaches and Attacks: A third-party vendor's system is compromised, exposing the sensitive data it handles on behalf of an organisation and leading to a data breach. Alternatively, a malware or ransomware attack on a third-party vendor spreads to the connected systems of its clients, causing widespread outages.

3. Supply Chain Disruptions: If a third-party supplier of raw materials or components experiences production issues, manufacturing halts and deliveries are delayed. These production issues could be caused by internal supply chain challenges or by disruption to core utilities such as electricity and water supply.

4. Regulatory and Compliance Failures: If a third party fails to comply with relevant regulations (DPDPA, GDPR, BRSR), it can result in legal and financial repercussions for the organisation that uses its services.

5. Financial Instability of Third Parties: If a third-party vendor faces financial challenges, legal claims or class-action suits, these may impair its ability to run operations and pay employees and creditors, or even threaten its existence. This may force the organisation to find alternate suppliers rapidly and remove its dependence on the affected third party.

6. Reputation of Third Parties: Failure to meet contractual commitments because of third-party disruptions impacts the customer's business and erodes the credibility built with customers. In addition, exposing customer data to threat actors destroys trust built over years.

Hence, understanding, assessing and managing third-party risks is crucial for organisations that engage third-party vendors, to ensure business continuity and minimise the impact of third-party outages on their operations.


Section E: How can the Executive Leadership, Board of Directors, CRO and Business Heads prepare to assess third-party risks?

As alluded to, third-party relationships have become an integral part of Indian companies' operational and strategic frameworks, along with formalised TPRM practices. SEBI has mandated that the top 1000 listed companies must have a Risk Management Committee (RMC) to oversee the risk management process, including third-party risks (as per SEBI's LODR Regulations).

In summary, the RMC is the primary committee within the Board of Directors responsible for overseeing TPRM, with significant input and oversight from the Audit Committee. The Board of Directors ensures that these risks are managed effectively as part of the company's overall governance and risk management framework. The RMC identifies, assesses and mitigates risks that could impact the company's strategic and operational objectives, and ensures that appropriate policies and processes are in place to manage third-party risks, including vendor management, supply chain risks, cybersecurity risks, and compliance with legal and regulatory requirements.

The RMC needs to regularly review the TPRM framework, monitor key risk indicators, and evaluate the effectiveness of the controls and strategies in place, using the key risk assessment (RA) questions below covering third-party risks:

1. Strategic Alignment: Are the third-party relationships aligned with the organisation's strategic goals? Which third parties are critical to the organisation's operations and market reach, and to what extent does it rely on a select few third-party vendors? Do these relationships introduce dependencies that could constrain growth and expansion?

2. Operational Impact: What is the operational reliability of the third party, including its ability to deliver consistent, uninterrupted services and goods? How resilient and flexible are the third-party vendors in the supply chain? Are they able to adapt to potential disruptions such as geopolitical issues, trade wars and natural disasters? When have these capabilities been demonstrated before, and what were the learnings?

3. Technology and Cybersecurity Risks: What is the cybersecurity posture of the third-party vendors, including those with access to the company's data and IT systems? Do the third-party technology providers have robust IT infrastructure, ITIL practices, BCP and DR to ensure highly resilient services? Do they have adequate cybersecurity measures to protect against data breaches and cyberattacks, with robust incident response in the event of a cyber attack?

4. Regulatory and Compliance Risks: Are the third-party vendors adhering to industry standards and regulations (DPDPA, GDPR, SOC 2 …)? How many non-compliances have been reported by the third-party vendors in the past quarter, and what is the trend over the past year? How do the third-party vendors engage with regulators on their non-compliances?

Note that a company may itself be complying with the required regulations. Once third-party vendors are added to the mix, the compliance stance may change if those vendors are not complying with the regulations. Third-party vendor non-compliance could expose the company using their services to large monetary penalties.

5. Contractual and Exit Strategy Risks: Does the company have adequate contractual protection to hold third-party vendors to their SLAs? Does the company have a clear exit strategy, supported by contractual protection, in case the relationship with the third party needs to be terminated? Can it identify alternative service providers with ease?

6. Financial Stability Risks: What is the financial stability of key third-party vendors currently and over the past years? What measures protect the organisation in case of financial distress or bankruptcy of third-party vendors? What is the mechanism to assess the competitiveness of the third-party vendors for the services and goods they provide?

7. Cultural Alignment and Reputational Risk: What is the approach to gauge public perception and the ethical practices of third-party vendors? Have any of the third-party vendors come under scrutiny for the wrong reasons? If yes, what actions have been taken to reduce reliance on that third party? What is the mechanism to assess whether a third-party vendor's culture and core values align with the company's?

8. Risk Management, Controls and Governance Risk: Is there an established ERM framework to identify, assess and mitigate third-party risks during on-boarding and throughout the engagement with the third-party vendor? Which emerging risks are being tracked? Who is accountable for assessing and managing third-party risks (CRO, CPO, CISO)? How frequently are third-party performance and risk exposure monitored? What are the contingency plans to recover from and mitigate third-party vendor failures?

How are the Board of Directors and RMC kept updated about third-party risks, the evolution of the risk landscape and mitigation actions? Are they adequately trained in ERM practices and in emerging risks within third-party vendors?

Sensitivity Analysis and Stress Testing: The Board of Directors and RMC should evaluate the likelihood and criticality of the various third-party risks and their impact on the organisation, and the sensitivity of these risks to economic downturns, geopolitical crises, trade wars, health and safety situations, and environmental or technological disruptions. They should implement a stress testing mechanism to assess the resilience of third-party relationships under these conditions.

In summary, Executive Leadership, the Board of Directors and the RMC should take a holistic approach to assessing third-party risks, factoring in strategic alignment, operational impact, financial stability, compliance, reputational risk, governance and cultural fit. Regular monitoring, clear accountability and robust risk management processes are essential to manage these risks effectively. In addition, they should evaluate a risk sensitivity index to ensure that the company can withstand significant disruptions caused by third-party failures.


Section F: What are the SEBI and other regulators' disclosure norms to manage third-party risks?

SEBI has outlined disclosure norms for listed companies relating to the management of third-party risks by the Board of Directors. These norms aim to enhance transparency and ensure that shareholders are well informed about the company's exposure to risks, including those arising from third-party relationships.

Refer to the SEBI LODR Regulations, 2015 - Amendment to disclosure norms for material events (https://www.sebi.gov.in/sebi_data/meetingfiles/apr-2023/1681703089597_1.pdf)

Summary of key SEBI Disclosure Norms to manage Third-Party Risks:

  1. Risk Management (RM) Policy: SEBI mandates that listed companies disclose their RM policies, including how they identify, assess and manage risks, including those related to third-party vendors. This forms part of the corporate governance report that accompanies the annual report.
  2. Related Party Transactions: Companies must disclose all related party transactions, which can include significant dealings with third parties. This ensures that all such transactions are conducted at arm's length and are in the best interest of the company and its shareholders.
  3. Material Contracts and Agreements: Material contracts and agreements with third-party vendors must be disclosed, particularly if they have a significant impact on the company's financial performance or risk profile. This includes disclosures in the annual report or when significant contracts are signed.
  4. Board's Responsibility Statement: The Board of Directors must provide a statement confirming that they have devised proper systems to ensure compliance with all applicable laws and that such systems are adequate and operating effectively. This includes risks arising from third-party relationships.
  5. Corporate Governance Reporting: As part of the corporate governance report, companies must disclose the composition and functioning of the RMC (if applicable), which oversees the management of all risks, including third-party risks, and how these risks are monitored and mitigated.
  6. Event-Based Disclosures: Companies must disclose significant events that may impact their operations or financials, including issues arising from third-party risks. For example, if a major supplier defaults or a significant contract is terminated, this must be disclosed promptly.
  7. Compliance with the SEBI (Prohibition of Insider Trading) Regulations: The Board must ensure that appropriate systems are in place to prevent insider trading, including how they manage third-party information that might be sensitive or non-public.

Importance of Disclosures:

The Board of Directors is responsible for ensuring that the disclosures are accurate, complete and timely, and provide investors with a clear understanding of how third-party risks are managed. Failure to comply with these norms can lead to penalties from SEBI and a loss of investor confidence. These norms are designed to provide transparency and protect shareholders by ensuring that they are fully aware of the risks the company faces, including third-party risks.


Section G: What is the path ahead, what are the unknown risks, and which areas should we look out for?

It is a highly inter-connected, intertwined world today, and the inter-connections extend from local and regional to across countries and continents for several facets of a company's business. Recent events have brought to light the fragility of these inter-connections and the high reliance on a handful of suppliers and regions. What has unravelled is that a company may track its third-party vendors, but may not be aware of the suppliers to those vendors. Tracking this maze will be an ongoing endeavour.


Listed below are the key take-aways for corporates related to third-party risks:

  • Exposure to third-party risks is ever-increasing; it is here to stay and will amplify.
  • Increasing impact of climate change, geopolitical crises and trade wars.
  • Cybersecurity breaches and attacks from threat actors remain high.
  • Evolving and intense regulatory focus on third-party risks.
  • Technology and tools are not optimally used to manage TPRM.
  • All of the above has resulted in the emergence of third-party risk as a strategic issue with Board-level oversight, as opposed to only an operational concern.
  • Most corporates are at both ends of the third-party risk chain: they are a supplier to some company, and they have suppliers providing services and goods to them.


Call to Action for corporates to manage third-party risks:

  • The Board of Directors, RMC and Executive Leadership need to have increased oversight of TPRM.
  • Simplify the complex ownership of TPRM (Security, Procurement, Business owners).
  • Adopt the right TPRM tools to provide the analytics.
  • Periodically conduct third-party sensitivity analysis to manage and remediate these risks.
  • Use the RA questionnaire before on-boarding third-party vendors and when assessing changes to them.


What are the unknown risks? Corporates need to keep a hawk's eye on emerging risks. A few examples are listed below:

  • Dependence on AI, Gen AI and LLMs, as these technologies have levels of opacity in their algorithms.
  • Exposure to IoT: the volume of devices will require higher visibility to identify and profile them than exists today.
  • Health and safety risks. We experienced a black swan event in the pandemic. Keep an eye on the health and safety situation; while this post is being written, there is an advisory from WHO on mpox.
  • Technology advancement may introduce new products and materials that make existing products obsolete sooner or later.
  • Operating model advancement may make existing ways of working obsolete (D2C, Q-Commerce).
  • Evolving regulatory changes (within and outside India). Between 2023 and 2024, Indian companies faced new regulations to comply with: DPDPA (Data Protection), BRSR (Sustainability Reporting), and SEBI regulations on ESG and Corporate Governance. Another example is Germany's 2023 regulation (LkSG, the German Supply Chain Due Diligence Act) enforcing corporate responsibility in supply chains.

To sum up, monitoring and managing the third-party risk landscape has become as intense and rigorous as a commercial aircraft pilot monitoring dozens of dials, gauges, displays and indicators while flying. While technology enablers will evolve, organisations need the right risk management personnel to make sense of third-party risk insights, stay situationally aware, and be able to make informed decisions and prioritise actions, like a seasoned pilot.

The third-party risk landscape will bring some level of uncertainty with technological advancement, geopolitical crises and evolving regulatory changes. This is an interesting space to keep watch on and follow.

References: SEBI LODR 2015. Artwork by Anita D'Souza, IOD Insights.
