Daily Archives: November 21, 2023

Source-to-Pay+ Part 4A: Third Party Risk, Part 1

In Part 1 we noted that Risk Management went much beyond Supplier Risk, and the primitive Supplier “Risk” Management application (that we prefer to call Supplier “Uncertainty” Management) that is bundled in many S2P suites. Then, in Part 2, we noted that there are risks in every supply chain entity; with the people and materials used; and with the locales they operate in. Then, in Part 3, we discussed inwardly focussed Corporate Risk Management, which some companies offer partial solutions to in the form of GRC (Governance, Risk, and Compliance) solutions.

Today we are going to talk about some of the third party risks and outline the function specific baseline capabilities that such a solution should possess. Before we get started on the risks, we should note that a third party risk management (TPRM) can also be used for Supplier Management as a supplier, in addition to being a second party, could also be one of the many “third parties” an organization has to worry about if it is a sub-tier provider contracted by another primary, first-tier, supplier of the organization and a good TPRM solution will contain all of the functionality in an average Supplier Risk/Uncertainty Management module in a Source-to-Pay solution and much, much more.

We’ll continue in yesterday’s format, outlining some of the key capabilities and what that may mean solution-wise. There are quite a few key capabilities. So many, in fact, that, as you may we’re actually breaking this article up into 2 parts.

Capability Description
Customizable Assessments No matter how many capabilities come out of the box, every organization is going to need to do a customized assessment of a third party at some point. Thus, any TPRM system must support the creation of customized assessments with arbitrary questions, multiple forms of answers (multi-select, numeric, free-form, etc.), customizable weighting systems (that also support group-based weightings using averages, medium, or weightings based on role) and customizable reporting on the results.

In addition, the system should come with a slew of starting, customizable assessments out-of-the-box on every area covered in the application, whether or not there are third party data feeds and assessments that can be sucked into the application for use by the client. (This is because most third party feeds and assessments come with a cost, which may not be worth it to the organization if that aspect is only relevant to a few suppliers or doesn’t cover all of the aspects an organization needs.)

Reputation/Brand As we noted in our last article, a significant risk to the company is its reputation/brand, and that includes reputation/brand risks that come from being associated with third parties with reputation/brand risks. As a result, an organization needs to keep on top of the reputation/brand of its suppliers and partners.

Thus, it needs a platform that can monitor news sources and social media and look for stories about all of its suppliers and partners that could blow up, sentiment that could propagate, and events that could cause repercussions through the supply chain.

Regulatory Compliance Organizations need to be compliant with regulations in every geography in which the organization does business, which means that it needs its core suppliers and key partners to also be compliant with those regulations. As a result, it needs to monitor all of its suppliers and their suppliers/partners for compliance with the regulations that are relevant to those suppliers/partners.

This may mean tracking certifications, tracking raw material inputs, tracking human resources assigned to projects, tracking carbon/GHG reports from the third party, and other key pieces of information. It may mean asking suppliers for additional (self) assessments, getting (temporary) access to third party data feeds, and having third party do compliance audits for you.

Ownership/Financials Just like your company cannot be associated with sanctioned entities, you need to be careful not to do business with suppliers who are (partially) owned or controlled by sanctioned entities as well or who are doing business with sanctioned entities to support your organization. In addition, you don’t want to be doing business with suppliers or third parties who are financially unstable, as their bankruptcy could negatively impact your business.

Thus, this system must tie into all sanctioned and denied party lists of every country it operates in, cross-reference the ownership and partners of all suppliers/third parties the company does business with against the sanction list, and monitor ownership changes as they occur. In addition, it should tie into systems that monitor financials of public companies as well as systems that judge the financial stability of private companies.

Human/Labour Rights Legislation has been introduced and/or is being considered in many jurisdictions around the world that make your organization responsible for any abuses of human or labour rights in the supply chain. It’s important to have systems that can monitor for human/labour rights in the supply chain, even if this is only through integrations with third parties that do (independent) on-site assessments.

This should also make use of the brand/reputation monitoring module that monitors news sources, events, and related data feeds to scan for anything that could indicate a human/labour rights violation.

Come back tomorrow for Part 4B as we continue our discussion of Third Party Risk.