An important lesson organizations are learning from the ongoing disruption of the Covid-19 pandemic is that responding well depends on having already put a robust, centralized third party risk management (TPRM) program in place. Speakers in a recent webinar, Supply Chain Resilience in the Crosshairs: Predictive Strategies for Proactive Solutions discussed which elements of their existing programs delivered the most benefit as their organizations continue to grapple with a rapidly changing supplier and vendor landscape.
The webinar panel included Kris King, head of third-party risk management at Synovus; Jean-Francois Valette, head of global third party compliance and risk management at eBay; Nitin Walia, chief client officer at Rapid Ratings, an Aravo partner; and Jackie Risley, senior director of product marketing at Aravo.
The damage done to organizations as a result of the spread of coronavirus is significant. According to one study, 75% of businesses reported supply chain disruption related to the Covid-19 pandemic. The cost of a single supply chain disruption for many organizations is $100 million or more, according to the Business Continuity Institute, which also found that 37% of disruptions happen at tier 2 suppliers and beyond.
Apart from the cost of the disruption itself, there are other, implicit costs for organizations such as the reduction in customer lifetime value. This occurs if a customer loses faith in the company’s ability to deliver, or if a customer tries an alternative product and doesn’t return after a disruption. Some companies may incur regulatory sanctions as a result of Covid-19 supply chain issues. And many organizations will have lost competitive standing, as their rivals were able to identify alternative vendors for their supply chain more quickly.
The damage might have been significantly lower if companies had had more robust TPRM programs in place. However, many organizations have yet to put in place a strong TPRM program. For example, a recent Aravo survey showed that 51% of respondents are not assessing the business continuity risk of their vendors, 62% are not assessing the financial viability of their third parties, and 52% of organizations are not assessing the operational risks of their third parties.
At the other end of the preparation spectrum is Synovus, a financial services company based in the south-eastern US. King said his team had spent the previous year changing their TPRM program so that it had a more integrated approach. This included putting in place the Aravo third party risk platform so that the team could centralize the firm’s TPRM controls, and ensure that the program’s data was accurate and had integrity, he said. “When the Covid-19 pandemic hit, it really paid dividends for us because we were able to utilize Aravo to send a Covid-19 impact questionnaire to all of our critical suppliers. Having all of that information in one system – who our critical suppliers were, who the contacts at those companies were – and being able to quickly deploy that using Aravo proved instrumental. That was a big help for us.”
RapidRating’s Walia said that many of the companies his organization works with have used their more advanced approach to TPRM, including a software platform, “effectively as a way to collaborate better and more closely and more efficiently with suppliers and third parties. In this moment, in 2020 in particular, with all of the uncertainty that Covid-19 has brought, we’ve seen two principle ways that folks are doing that. The first is how do we efficiently get awareness of what the picture is…and automation has been essential here because there is more to understand than ever before, and the pressure to so quickly is stronger than ever before.” For example, he noted, RapidRatings has seen a 90% increase in Q2 2020 over previous year in clients accessing financial profiles of their suppliers. This financial data can be automatically updated within third party assessments, due diligence, and ongoing monitoring.
Walia said he has also seen an increased adoption of stress tests, and the use of technology to conduct them. For a long time now, many types of financial services firms have had regulatory requirements to perform market, credit and operational risk stress tests. Now, the interest in this form of analysis is extending far beyond just that industry and into large supply chains and third-party communities, he said. Companies want to know “how bad could things get. If the macroeconomic indicators and the virus progress exhibited a certain set of characteristics, what would that mean for the resilience and the strength of my supply chain going forward?”
Walia’s observations are supported by others within the TPRM discipline. For example, as a result of the significant Covid-19 supply chain disruption that many companies are experiencing, their boards and senior management are demanding more information about third parties. One recent survey shows 54% of respondents are planning changes to their supply chain strategy that would enable them to better understand the financial and operational health of their suppliers.
Companies who already had put in place sources of information about third parties, and the ability to share that information internally, have found themselves on a more competitive footing during the crisis. “It’s making sure that we have the information needed, and that we can easily and proactively extract that information from the intelligence we’ve been able to gather, either internally or with our third parties, or from external sources as well,” said eBay’s Valette. “That’s been the ask from regulators as well, but definitely from boards and leadership from within the company.” Added, Walia, “I think there is clear agreement across the [webinar panel] that consolidating and centralizing the data from these different control areas better empowers folks to understand the relationships.”
Although at the beginning of the Covid-19 pandemic there was hope that this would be a short, sharp shock that the economy could bounce back from, it’s now clear that recovery is going to be more of a marathon than a sprint. So, King and Valette are starting to prepare now for the year ahead. For example, the TPRM team at Synovus are beginning to take a much closer look at the data they are gathering on their fourth parties, to identify potential risks. Said King, “What we are starting to see are some patterns” that indicate potential areas of concentration risk. Concentration risk is a particular area of focus for financial services regulators, and a part of the overall operational resilience agenda for the industry.
Operational resilience is a theme that other industries are picking up on too. For example, Valette says eBay is looking closely at new cybersecurity risks and controls within its supply chain, as remote working shifts from a temporary business continuity response to a more permanent way of doing business. Companies need to ensure that remote workers have the same information security and data privacy compliance measures in place as office-based ones, and that business continuity arrangements remain robust.
Overall, Valette says that he is expecting companies’ leadership to place more attention on TPRM in the coming year. “The outsourcing chain overall is definitely going to be a major focus in 2021, as it has been through 2020, with the current situation. We don’t know what 2021 is going to look like. Is it going to be a repetition of 2020? Hopefully not.”
You can watch the full webinar, on demand, here.
Share with Your Friends:
