Third Party Risk


More than ever, most companies’ fortunes are dependent on third parties. A myriad of suppliers make the wheels turn and often provide many of the inputs. Organisations typically have little influence over the way these suppliers behave, other than as a buyer who can make some noise. Moving your business elsewhere is in theory an option, but one that is usually costly to exercise and may even not be feasible. A lot depends on trust, experience, goodwill, legal obligations and possible recourse. How many boards have a clear view of third-party risk and how it is being managed in its many different forms?

Despite the omnipresence of third-party risk, we rarely see these risks raised in our board review discussions, meeting observations and paper reviews. There may be a general reference to suppliers as stakeholders, but typically little more. So is there a sound basis for confidence in the way the risks are managed, or is that confidence misplaced? Here are a few thoughts on what a board should be doing, and what might be missed.


Good practices to consider...

  • Discuss your “third party universe”. That is, bring together a picture of the dependencies and categorise them in a way that helps the Board digest a complex picture. There will be multiple kinds of dependency: supply chain, infrastructure provision, outsourced functions, data provision, critical IT infrastructure… And having identified them, get management to add an indication of scale and importance for each.
  • Apply a risk overlay to the universe. Some dependencies will be more critical than others, or subject to more uncertainty.
  • Assess the dependencies. A small, apparently insignificant dependency can be the weakest link that breaks the whole chain.
  • Think through the association risks. Try to look at the risks from others’ perspectives: opinion formers will have different priorities from yours, and their incentives to make an issue of something are likely to be very different from how you see things.
  • Ask the simple questions: if Company A stopped trading today, what would go wrong for us? If Company B had a significant business interruption, ditto? If Company C found itself with a reputation hit, what fallout would we have to manage?
  • Make sure management are keeping a close eye on the other parties’ cyber risk management. Check what those parties are doing to manage the risk and what assurance they are getting around it. And check what your own management is doing to minimise the exposure to others’ weaknesses.
  • Understand your framework of controls and assurance around third party provision and risk management. Larger entities usually make their suppliers jump through various hoops, such as a detailed self-declaration. But how confident can you be in this control? Does it really enable a sound risk assessment, or is it a box-ticking exercise? What assurance is there of its validity?
  • Try to understand the third party’s governance and control frameworks, at least for key suppliers. The detail won’t be needed by the Board, but the basis for the assurance provided by management will be.
  • Look to understand a supplier’s governance as deeply as the relationship permits. As directors you may have a duty to do so: for example, where you are providing financing, have a legal co-operation agreement or hold a shareholding. But in any case it makes sense as a way of helping to manage the risks.


Things to avoid...

  • Thinking too narrowly, or too much in terms of size. There will be a myriad of providers of different types that need capturing. You might decide to start out with a big picture and then whittle it down, and that’s fine: the process and the discussion will be valuable. But starting out with a limited picture, perhaps based on assumptions that have not been critically examined, might mean that some corners or risks are overlooked.
  • Being overly focused on the big, more obvious risks. Much of the focus does need to be on the material relationships or sources whose loss would severely disrupt the business model. But small suppliers might matter too. There may not be ready alternative sources of what they provide. And, as with the business itself, the knotty risks might actually be sitting in the smaller elements of the universe.
  • Paying insufficient attention to the apparently smaller risks. A complex picture will encourage a focus on the material and critical risks (and on the ones which reach the “red zone” on the risk map). But that assessment needs to include the possible knock-on effects. That requires management to do a lot of tangential thinking, and then to bring quite a complex picture to the Board as understandable analysis and suggestions.
  • Failing to think through the full nature of the risks which come from being linked to a supplier. Even if in your eyes they are minimal, activist NGOs or journalists may not see your relationships in the same light. It’s not the obvious cases that are difficult, as you won’t be dealing with them in any case (sanctioned countries, pariah states, heavy polluters, users of child labour, etc.). It’s the more ambiguous ones, where you have to apply judgement, that are tricky.
  • Getting swallowed up in so much detail that it all becomes “too difficult”. Once you’ve got the overall picture, just ask management the simple questions and see what emerges. (“Don’t worry, we have it under control” probably isn’t a good enough response.)
  • Looking internally and leaving it at that. Boards are now accustomed to probing internal cyber risk management. But the risk often comes from outside, as the well-publicised failures frequently show. Looking externally isn’t straightforward, but you can’t just rely on hope and trust.
  • Putting a lot of reliance on internal processes that are largely invisible to the Board. Rightly, boards will not want to get down to a detailed level on third party controls and risk management, but we suspect not enough really take a good look from a high level either. The Board should be getting an annual briefing on the effectiveness of the processes for assessing third party risks (including association risk) and of the risk management response. And it should make sure that there is time for questioning and discussion too, not just for being briefed.
  • Adopting a stance of “we can’t see it and can’t influence it”. That is probably not doing enough as a board. Management will (or should) be doing risk assessment and getting assurance, some of which will be based on an impression of how the supplier is running itself, even if that is necessarily only a partial picture. So the Board should be asking management for their assessment.
  • Accepting that you can’t look into the way others run themselves. Where there is a more formal link, the risk may merit, and the relationship may allow for, more direct probing of how the third party manages its risks and governs itself. And if it’s a JV, or there is some form of investment or financial support, you’ve got more leverage. Use it to ask questions and, if necessary, to exert pressure for change.


If you’d like to discuss any aspect of board effectiveness with our advisors, or to find out more about our board review services, please contact Remneek Sangar or go to www.independentaudit.com

Subscribe to this eBulletin. Find more issues of The Effective Board here.



Kaosar Hossain

Student at Khulna University

7 months

Here's an intriguing report on global third-party risk that you might find worth checking out: https://securityscorecard.com/reports/third-party-cyber-risk/
