The Covid-19 pandemic is changing – and will continue to change – the nature of third-party risk around the globe. With an astonishing 94% of the Fortune 1000 experiencing coronavirus supply chain disruptions, the pandemic exposed just how brittle supply chains can be. It also provided a striking example of how emerging risks can rapidly hit and how the conditions and controls in place for ‘business as usual’ with third parties could become outdated almost overnight. It brought several risks into sharper focus – including these top five that should be on every third-party risk manager’s radar:
The Covid-19 pandemic transformed information security risk for companies overnight. As lockdowns were implemented around the globe, employees have had to work from home using laptops, tablets, mobile phones and home Wi-Fi networks. However, these conditions not only exist for your own employees, but for your vendors’ employees as well. This means that the controls they had in place when you conducted your Information Security and Data Privacy risk assessments could well be void in the new remote working conditions.
It’s important to understand the impact of this, and any additional risks you need to be mitigating. For instance, are a data processing vendor’s employees in a less-than-ideal environment when it comes to data privacy? Are they in a country with poor home-based infrastructure? Do they have roommates who could potentially gain access to your data? Are they going to be a target of increased phishing attempts – and have they been trained to recognize such attempts?
How we work at home and behave at home can be different – with different psychological factors at play as well as the technological ones. Also, it is likely that an increased reliance on remote working is here to stay. For example, more than 40% of European employers have plans to make it easier for staff to continue working remotely once offices reopen, according to a recent survey. Going forward, organizations need to make sure that the risk assessments and due diligence they apply to the third parties they work with are revised to take this into account. Organizations should ask what extra steps third parties are taking to managing cyber risk in remote working conditions. Companies should also ask their third parties how cyber risk and information security training is being conducted for their employees.
“Companies came into this crisis already vulnerable, and that really heightens the importance and the necessity of collaborating effectively so that you can understand what these third parties and these vendors are going through, and how you can work better together,” says Nitin Walia, chief client officer at Rapid Ratings, an Aravo partner, in a recent webinar, Supply Chain Resilience in the Crosshairs: Predictive Strategies for Proactive Solutions.
According to Rapid Ratings research, corporate financial health was declining even before the pandemic hit, and the expectation is that Covid-19 is going to have a significant negative impact on the financial health of many organizations. Now, more than ever before, it important to understand the financial health of your third parties – especially your critical providers. A danger is that those organizations that are struggling financially may start to cut back on compliance and security related costs – putting your business at increased risk. Further, suppliers ceasing to trade could mean your business no longer has access to critical products or services – a small supplier can only stay solvent for an average of 27 days through a shutdown.
Yet many organizations fail to take their third parties’ business continuity or financial health risks into account in their programs. A recent survey by Aravo found that 51% of organizations were not assessing the business continuity risk of their vendors, and 62% of organizations were not assessing the financial viability of their third parties. Organizations should not only be assessing the financial health of their critical vendors during the onboarding process, but be ensuring these checks form part of an ongoing monitoring process. Also, contracts should provide for what happens in the case of a sudden end to the relationship – for example, to your company’s commercially sensitive information or customer personal data.
Supply chain risk is not new, but the Covid-19 pandemic saw organizations’ logistics being tested in sometimes extreme conditions, and found wanting. Governments saw contracts with distributors for crucial personal protective equipment (PPE) go unfilled as the manufacturers faced unprecedented global demand. Covid-19 outbreaks in meat processing facilities created shortages in restaurants and supermarkets in several countries. The initial period of lockdown in China in the first quarter saw factories there close, and as a result significant supply chain disruption for many companies around the globe. In fact, more than 200 of the Fortune Global 500 firms have a direct presence in Wuhan.
Dun & Bradstreet estimates that 163 of the Fortune 1000 have Tier 1 suppliers (those they do direct business with) in the impacted area, and 938 have one or more Tier 2 suppliers (or fourth parties) in the area. In a world that is more fragile and uncertain post-Covid, organizations need to enhance their resiliency by ensuring supply chain risks are properly assessed and sufficient controls are in place.
Because so many of your third parties most likely rely on third parties/subcontractors as well (your fourth parties), this increases your fourth party and associated concentration risks. This holds true for both digital supply chains (e.g. having a number of third-parties relying a common cloud infrastructure provider) as well as physical (e.g. relying on a number of critical third parties who all source products from a common geographical region).
According to the Aravo survey, just 32% of respondents said they have full requirements for their third parties to identify their subcontractors/providers, with another 36% indicating they do this only on a partial basis. A further 45% do no due diligence on their critical fourth parties. Without some line-of-sight into fourth parties, it’s almost impossible to truly manage concentration risk. Indeed, 83% of TPRM programs are not managing concentration risk, according to the survey.
Given the many risks that Covid-19 is exacerbating, failure to manage fourth party risk and concentration risk leaves an organization exposed to significant loss events. Unsurprisingly, this has attracted the interest of regulators. For example, within the financial services industry, the UK Financial Conduct Authority published a consultation paper recently, and a significant theme within the paper is concentration risk among third parties. Within the heightened risks environment of the post-pandemic world, expect companies who do not have visibility into critical are fourth parties, or their supplier concen trations, to suffer potential challenges.
The social impact of Covid-19 will be with the world long after the virus ceases to be a threat, and the social changes that the pandemic has wrought are already beginning to translate into increased political risk. For example, civil unrest – already on the rise over the past decade – appears to have been accelerated by Covid-19 according to the Institute for Economics and Peace (IEP), which publishes the annual Global Peace Index. The substantial economic damage caused by the pandemic – lost jobs, enormous government deficits, shuttered businesses – is likely to translate into more civil unrest in the next few years.
Companies need to be aware of how civil unrest could impact both themselves and the third parties they work with, from production facilities being impacted to disruption to distribution networks. Companies should understand the risks of doing business with third parties who could potentially become the focus of civil unrest by thoroughly vetting third parties against ESG criteria, reputation risk indicators, and the nature of their fourth party relationships.
It’s more important than ever before for third party risk managers to be agile in the face of developing circumstances, including regulatory change and disruption to the organization’s third-party ecosystem.
Share with Your Friends:
