Third-party risk roulette
In the past year, I’ve led projects for development finance and impact investors across 25+ countries. The format is usually proximate: risk identification, gap analysis, and action plan. Over the past week, with the help of a patient assistant, we’ve gone through ALL those reports to look for trends (the reason is explained in the next segment below).
It may not be a surprise, but third-parties are the number one risk (by some distance). No matter the sector or size, we all contend with it. Three constant gaps also emerge:
🚦 Risk-ranking
🚦 Proportionate/effective monitoring
🚦 Supply chain visibility/inputs
I’ll deal with the first area in this newsletter, as it’s the most commonly identified pain point.
Risk-ranking
If I got £1 every time I read “risk-based due diligence,” I’d not be rich, but it would make for a nice meal. This line is typically followed by a scale (low, medium, high), usually determined by location and/or value. Long-time readers will have read rants about misleading “country risk” indicators. A startup in the tech hub behind Marseille versus a public works contractor at the port of Marseille Fos present markedly different risk exposures despite geographic proximity.
So what can we do? The image below is designed for social media to get the discussion rolling. It’s not a tool. But even this simplistic visual suggests we need some criticality metrics. Is what they do for you essentially to your (or their) business continuity? Are they a state-mandated partner (affirmative action to state-owned enterprises)? Do you lack the knowledge to critically appraise what they do (creating dependency and exposure to acts unwittingly conducted on your behalf)?
The next circle allows for delineation across locations and activities—what they (and you) do. A supplier of office equipment in a so-called high-corruption market is not the same proposition as a tax advisor. Similarly, as fashion houses routinely find to their cost, opacity in how they do what they do (complex supply chains) presents challenges.
Let’s talk about value. It’s not just about money. For instance, I was quoted <$1000 to build an AI chatbot for the website. This amount may seem insignificant in business terms, but the intellectual property, training time, trust in the provider, and potential value/cost of getting it right/wrong are substantial.
The image above is from a tool I used at a business integrity forum. Recognising third-party risk as a two-way street (supply and demand of wrongdoing) is crucial, and that risk sits on a continuum (scales/axis, not Y/N). Two years later, the axes are clumsy, but the concept remains useful.
Now, I use indicators like reliance (availability of alternatives), criticality (value chain, core inputs, etc.), exposure (regulated activities, high profile), visibility (inputs, supply chain, understanding of exactly what they do for us), and interactions with (defined) high-risk stakeholders. It takes three or four 1hr workshops (with stakeholders across the business). But the benefits are manifold. Those involved better understand third-party risk, we identify previously obscured issues, and we get agreement on why we’re asking these questions of third-parties.