
Third-Party Risk Management – Who’s on First?


Are you familiar with the “Who’s on First?” comedy routine made famous by Abbott and Costello? The premise: Abbott is identifying the players on a baseball team for Costello, but the players’ names create confusion. For example, Costello asks Abbott the question “Who’s on first?” The first baseman’s name is Who, so Abbott simply replies “yes,” confusing Costello, who thought Abbott wasn’t answering his question. This goes on and on with the unlikely and confusing names of all the players on the team.


While this is a funny scenario for comedy, similar scenarios for organizations that rely on or are part of a complex and extensive supply chain or third-party ecosystem are problematic. Third-party ecosystems can often feel like “Who’s on First” due to a multitude of players with changing roles, not to mention constantly evolving supply chains.


Supply chains are critical in the successful creation and flow of products, services, and related information. There are different types of supply chains depending on the industry – retail, building products, healthcare, oil and gas, the seed industry, grocery stores and timber production – each with different objectives and risks. Supply chain management has evolved significantly, from simply keeping track of things and trying to manage the flow, to extremely complex systems that are subject to rapid adjustment across participant networks. Managing supply chains today requires understanding the diverse roles of supply chain members, their interactions, and the transaction models they use. Optimizing these flows for timeliness, yield, cost, and a host of other objectives is complex. Add a variety of supply chain risks into the mix and you’ve got potential chaos if it is not managed effectively.


Third-party or supply chain risks typically include inaccurate forecasting, manufacturing shortfalls or surpluses, competition, single points of failure across the supply chain and more. The past two years have introduced even more risks into supply chains due to drastically changing supply and demand, workforce disruption, logistical logjams, and geopolitical impacts. All of this has turned traditional supply chain risk modelling on its head. In addition, the increased impact of environmental, social and governance (ESG) risks is causing organizations and their suppliers to reconsider their impacts on the world and shift from a do-no-harm to a do-net-good approach. Supply chain resilience is also a quickly emerging topic brought to light during the pandemic that everyone should seriously consider.


So how do organizations deal with the complexity their supply chains represent and effectively manage the risks and ensure resilience? If we go back to Abbott and Costello’s skit, it’s all about knowing who is on first, second and third bases. One way that is done is with more effective and agile third-party risk and resilience management. Here are a few steps to consider:

  1. Understand your third parties. Break down the myriad of suppliers you have by performing business impact analyses and determining which of your third parties are most important by virtue of your products and services they support. This allows you to prioritize your suppliers by criticality. Your third parties must also identify their third parties (your fourth parties), and their third parties do the same, and so on. The dependencies can be complex but are critical to identify and understand.

  2. Set common objectives. Risk and resilience management cannot be done effectively in organizational siloes with different goals and approaches. It is very difficult to manage inter-related risks or build resilience inside your organization and across your supply chain if you do not set a foundation between your company and your third parties of common goals, approaches, and so on. This foundation gets your internal teams on the same page and also sets the direction for your suppliers to do likewise.

  3. Identify potentially disruptive scenarios. Managing supply chain risk and building resilient third-party ecosystems requires knowing what could disrupt your business and your third parties. These could be individual risks or threats but also those ‘perfect storms’ or disruptive scenarios – a pandemic being the perfect example. It is critical to identify these risks, understand their potential impact on your organization, and determine whether that impact is acceptable.

  4. Take corrective action. All this analysis will drive you toward gaps that need to be addressed – controls that should be implemented, recovery plans that should be drawn up and tested, and risks to be mitigated. These corrective actions represent the necessary improvement between your current state and required state, and they should be assigned ownership, tracked, brought to conclusion, and measured.

  5. Monitor and measure. You cannot improve what you don’t measure, so it is important to translate your goals, risk tolerances, and business objectives into key risk, resilience, and performance metrics you can track, measure, and monitor. Executive and program dashboards are powerful tools to paint a picture of your supply chain at each level of risk and resilience.

Putting effective third-party risk and resilience measures like these in place helps clarify “Who’s on First,” second, and third, and helps you hit a home run in harnessing the power of your supply chain to achieve your business objectives.


For more information about how Archer can help you with third-party risk management, visit archerirm.com.
