Nth Party Suppliers – Gaining a Toehold on Down Chain Providers

Supply chain sovereignty depends on a high degree of visibility in order to identify critical dependencies and then apply a consistent set of principles for monitoring of parallel (redundant) processes and other elements required for resilience across both inbound and outbound supply chains. How to accomplish this remains a nagging question at the practitioner level. As third party and supply chain risks converge, increased demands are falling on outsourcers as well as providers.

Due diligence information gathering must include processes for Nth parties. Typically, practitioners report that they cannot reach far enough into the chain beyond the primary vendor (and their hosted provider) to gain insight into the down chain providers. Yet, outsourcers have to gain a clear understanding of the interdependencies posed by down chain parties so that related risks can be assessed and managed.

Not only is this level of understanding mandated by robust risk management, regulations have begun to emerge globally that dictate outsourcers know, manage, and report on their fourth and Nth parties. Most organisations do not have this big picture view in focus. They are not aware of the risks posed by their Nth parties, nor are they in a position to understand the changes in Nth parties as they occur. As the pandemic has laid bare, this stance is not sustainable.

Identifying critical dependencies

To identify critical dependencies, the complete supply chain needs to be mapped. Conducting a complete risk analysis across your supply chain requires a targeted information management effort that covers both inbound (supplying the outsourcer’s product) and outbound (to the customer) supply chains. Completing this process allows your organisation to adopt a proactive stance in which resilience planning can be undertaken before disruption occurs.

This is not a one-size-fits-all process. TPRM resources are often focused primarily on documenting controls for individual vendors and analysing the risks posed by those relationships. It is important to qualify what is “material” for the outsourcing organisation, so that focus and resources are placed on those risks that are truly material. When supported by strong leadership and robust resources, the TPRM function can collaborate enterprise-wide and across the planning and vendor relationship lifecycle to achieve a more robust information gathering, analysis, and collaboration process.

Key challenges that need to be considered are:

The combined impact of these challenges can result in being out of sync with the outsourcing organisation’s own risk tolerance. Issues range from privacy, to unapproved access to systems, to availability issues. Flow needs to be examined across each aspect of the chain (components, transportation, assembly, III/robots floor manufacturing). Where possible, vendors that manage proprietary information transfer (schematics, other IP) and their downstream providers must be identified as material.

Proactively improving your supply chain risk management

As practitioners grapple with the reactive stance that pervades the risk management community, they can consider the following as means of building a more proactive posture.

A daisy chain of vulnerabilities and opportunities for strengthening the ecosystem exists in every supply chain ecosystem. Lurking among these networks of suppliers are undefined risks (e.g., the unknowns of the Nth parties). Gaining a holistic view and a tangible grasp of the viability, measurable scope, and practical impacts of the use of Nth parties has to be a goal of robust TPRM. Without it, material fourth/Nth parties can wreak havoc. The presence of this type of undefined risk is simply untenable and does not support a proactive risk management stance.

Regulations are emerging that support the right to audit/access as a right of outsourcers, even when that type of leverage would otherwise not have existed within the outsourcer/vendor relationship. By conducting assessments that are based on a holistic view of your entire supply chain ecosystem, all the potential uses, transfer points, and other key links can be monitored more effectively. Risk can be normalised earlier in the relationship, and managed with an eye toward greater resilience.

Since the circular nature of supply chains impacts delivery and availability, all the way down the line, taking a proactive stance now will provide many opportunities, including being ready to respond to regulatory changes that are beginning to reverberate across industries. While this is a significant culture shift for many organisations, its impact on risk management can be profound and entirely worthwhile as your organisation begins to improve its visibility to identify critical dependencies and apply a consistent set of principles for monitoring and mitigating risk.

Shared Assessments Building Best Practices Briefing Paper

To aid Third Party Risk practitioners in developing programs and processes that improve their visibility and understanding of the risks within their downstream suppliers and extended enterprise, Shared Assessments has released a supporting Building Best Practices Briefing Paper – Complex Supply Chains – Gaining Visibility into Nth Party Governance.

This briefing paper provides insight into gaining greater supply chain sovereignty by identifying critical dependencies across both inbound and outbound supply chains. Adopting this proactive stance provides many opportunities for organisations, including being ready to respond to the regulatory changes reverberating across industries.

This article was originally published by the Shared Assessments Program and is shared with their kind permission.