Go Beyond Periodic Point-in-Time Risk Assessments: Elevate Your Third-Party Risk Management Program
Written by Patrick Gleeson, Ph.D.
The Proliferation of Third-Party Participants
Before the spread and eventual dominance of digital communication, even large-scale enterprises used a limited number of third-party suppliers. The difficulty of communicating business status, stability or process health by phone, wire or mail meant that it was often faster and more economical to ramp up capabilities within the parent company. The internet changed all that. A McKinsey position paper on the subject emphasizes that the ease and fluidity of communication between suppliers and buyers increases interactions between them at an accelerated pace. As a result, outsourcing, once too cumbersome, has now become routine.
When, for example, Boeing faced an accelerated schedule for developing the 737 MAX, it created or enhanced relationships with over 600 supply-chain partners. While this made faster development possible, each of these third-party suppliers also represented an increased risk. Multiplied hundreds of times over, that risk became substantial and daunting. Unfortunately, Boeing didn’t understand the extent of its exposure, and the resulting crashes cost hundreds of lives.
After the second crash prompted a careful look at how their various supply components interacted, what became clear was that the Maneuvering Characteristics Augmentation System (MCAS) — an apparently minor software component from a third-party supplier that was added to increase the plane’s operational safety — contributed significantly to both crashes. But as the Seattle Times reported, Boeing’s inspectors (who were authorized to act on behalf of the FAA) were pressured to speed up inspections of this first-of-its-kind system and re-evaluate places where they had previously flagged problems with MCAS in order to keep production of the aircraft moving forward.
Why Risk Assessments Have Limited Utility
Boeing’s misjudgments are not uncommon. Most companies rely on their own employees to make third-party supply risk assessments. But descriptions of defects and other problems that proceed upward from employees to managers frequently go unheard by the senior decision makers who need to hear them. Human beings generally have a built-in aversion to conveying bad news to authorities who may not want to hear it — a problem represented in the admonishment against “shooting the messenger.” This is why, for example, although all large financial institutions have internal watchdogs, they’re also monitored by the Securities and Exchange Commission and other outside regulators. It’s a fundamental truth that objective, effective risk assessments need to come from an independent source outside the institutions at risk.
Why Focused Monitoring on Cyber and Financial Risks Isn’t Enough
As companies become more aware of the need to assess the risks inherent in relationships with third parties, they may employ an outside firm with specific expertise in the same enterprise area to do the monitoring. High-tech firms, for example, may focus only on cyber threats and hire a third party with particular expertise in that area.
The problem with this approach is that it’s in the nature of threats to have chaotic rather than rational roots. A monitoring firm with cyber expertise, for example, may concentrate on technological network deficiencies, while the risk that eventually emerges has nothing to do with technology or networks. A third-party supplier, for instance, may have financial problems that rapidly worsen to become a collapse and create a severe supply shortage. Similarly, an agricultural supplier may have an excellent product reputation but still fail suddenly as a climate event reduces product output below the break-even point. Failure can have a nearly infinite number of causes and can arise at any time and anywhere in the world, which makes it a necessity to pursue the widest possible kind of business disruption threat monitoring.
Why Periodic Monitoring Is Inherently Inadequate
Perhaps the biggest obstacle to effective threat reduction is, ironically, a practice that was once considered standard: point-in-time/periodic risk management. Companies traditionally assessed third-party risks through reviews that might be quarterly or, more commonly, annually or even biennially. There have always been inadequacies with this approach, but the shortcomings have become more apparent with the increased use of third parties and the maturation of digital technologies, where seemingly insignificant threats can grow rapidly and morph unpredictably.
Technological advances, for instance, have made it more and more difficult to accurately assess the real source of a digital communication, so periodic reviews, no matter how frequent, can’t spot a destructive threat that can become fully active within hours and without warning. A 2019 University of California study, for example, notes that very recent developments in artificial intelligence threaten the reliability of online medical data — methods of communication that were adequately protected a month or even a week ago may no longer be safe.
How serious can these threats become? In reality, they’re already significant. A 2018 Ponemon Institute study, based on over 2,000 interviews conducted worldwide with major corporations, determined that a quarter of them had suffered significant data breaches and lost business because of them. Most of these breaches originated with a third-party supplier. Moreover, these incidents have increased year after year, both in number and in the amount of financial damage caused. Frequent triggers are failures among third-party suppliers, destructive events (many of them climatological) and threats occasioned by technology itself.
Elevate Your Risk Program to Continuous and Real-time Monitoring
Enterprises today need an ongoing and in-depth understanding of worldwide risks. As supply-chain risks have risen dramatically, a commitment to ongoing monitoring of all third parties, by fully committed risk-assessment professionals using the best available wide-ranging means, is now a necessity. A third-party risk management solution like Supply Wisdom makes this possible, thanks to our continuous and real-time ability to monitor, verify and analyze third-party and location risks globally across fourteen different risk categories with more than 300 different risk parameters. This approach allows companies not only to react swiftly when a risk event occurs, but it also allows them to predict when and where risk events will happen — allowing them to take proactive steps to safeguard their supply chain before disruptions occur.
About the Author
Patrick Gleeson holds a doctorate in 18th-century English literature, has more than 15 years of investment-management experience, and is a FINRA-registered investment advisor. He has contributed hundreds of financial articles to U.S. print and online publications. In his spare time he performs his own compositions at electronic music festivals, most recently Moogfest.