Jake Holloway from Crossword Cybersecurity PLC highlights the third-party assurance (3PA) challenges facing the industrial sector and its complex supply chains, outlining why technology has a big role to play in simplifying processes and managing risk.
Businesses need to manage many risks, with their impact and complexity growing all the time, placing a greater burden on staff. Some risks are simply a factor of doing business: if a company wants to grow or enter new markets then it takes calculated risks on what the outcomes might be. If it wants to change its products or services, it will undertake extensive research to inform those decisions, thus minimising risk and assessing the investment levels required.
The third-party problem
But the industrial sector faces additional risk areas because of its complex use of third parties to extend supply chains, bring in outside expertise, supply operational technology, outsource business processes, or support functions such as Operational Technology (OT) and Information Technology (IT). When taking on any third party in this way, organisations often require the service provider to give assurance that it has sufficient controls to manage the financial, operational and regulatory risks that relate to its specialism and to the service it will provide. In the broadest terms, an organisation wants to be sure a future supplier:
- Is who it claims to be
- Is experienced at delivering the services it claims to offer
- Will not embarrass or place at risk the reputation of the company
- Is financially stable
- Is qualified and accredited as required
- Is fully compliant with the relevant regulations in all countries of operation
Companies will, or at least should, look at all of these areas as part of the supplier selection and onboarding process, in what we would call pre-contractual risk assessment and evidence gathering: making sure that all the paperwork, and the checks with regulators, show that the supplier meets every criterion. Once fully onboarded, that supplier is regarded as having provided Third-Party Assurance (3PA) and is ready to supply its services. That assurance lowers risk for the company.
3PA and supplier management
Supplier management processes are something every company should have in place to monitor the performance of all third parties recruited to perform functions on its behalf. This should be a cyclical process that strives for continuous improvement and minimised risk. 3PA issues should be part of this process but aren't always.
Each of the four main categories of 3PA risk should be represented in the supplier management process and therefore regularly assessed: Financial & Regulatory; Compliance; Corporate Social Responsibility (CSR); and finally Technology & Data.
The reality is that this does not happen and there are always gaps in how companies assess their 3PA. Take, for example, the Modern Slavery Act, which requires companies with revenue of over £36 million to produce a Slavery and Human Trafficking statement setting out the steps they are taking to prevent modern slavery abuses in their supply chains and operations. All companies should have published their first statement by 30th September 2017, and although an estimated 8,000 of the 9,000-11,000 required to comply have published statements, only 2% meet the minimum statutory requirements laid out in the Act.
It's a complex area: there are over 15 general areas of 3PA risk that fit under the categories outlined above, and that is before you dig down into individual pieces of legislation or the special requirements of specific vertical markets. Another aspect that makes 3PA so complicated is that each area of risk may need to be measured at a different frequency and falls under the responsibility and expertise of a different department within the company. How do you manage that efficiently and securely, and gain a single view of an individual supplier's risk assurance as well as a company-wide view?
The fallout from a company not keeping a constant grip on its regulatory and other risks is just too great: lost contracts, legal battles, loss of reputation, or even the loss of the right to trade in a heavily regulated sector.
Out of the silo and onto the radar
Technology can play a key role in giving risk and compliance professionals the control and visibility they need across the organisation, moving risk compliance from a siloed, reactive activity to a connected, proactive and continuous process that delivers a complete view of a company's third-party risks. This is a radar view: one that can highlight underperforming suppliers and regulatory risks and drive business improvements, while lowering the cost of risk assurance and storing confidential information securely.
There are four key areas where technology can help address the challenges of 3PA risks:
Consistency – Technology doesn't just manage the process of gathering data in a consistent way; it also scores the responses from each supplier consistently.
Scaling up – Technology automates the process across thousands of suppliers, allowing teams to focus on the high-value task of managing assessments and risk rather than the expensive task of collecting data.
Improved security – A good technology platform will be secure and encrypted, giving only approved users access to data and assessments, and ensuring that every interaction with the data is controlled and auditable. This is particularly important given the increased weight placed on good data security by the General Data Protection Regulation (GDPR), where failings can lead to significant fines.
Reporting – By using a technology platform to manage compliance and risk assessment, data is brought together in a consistent and secure format that can give an instant 360-degree view of a business's compliance status. This enables supply-chain assurance KPI reporting and metrics in a few mouse clicks, reflecting the real world and usable for informed risk-management decisions.
Technology needs to be at the centre of managing third-party risk, creating a 360-degree visualisation of risk across the organisation. But to get there, risk and compliance professionals must first acknowledge the risks that departmental silos and outdated processes pose to businesses struggling to cope with greater regulation and more complicated business structures. Accepting this reality, and placing technology at the heart of third-party risk assurance, means you can focus on the bigger picture – using that risk radar – to manage risk across your business.