Third-party risk management: multi-dimensional approach | by Ozias Ncube

Third-party service providers play an important role in the supply chain. In particular, they provide an opportunity for either managing or sharing risk when facilitating the acquisition of goods or the delivery of services. However, this opportunity is also potentially fraught with vulnerabilities, especially if the risks are not identified and managed well. Here are some of the latest developments in third-party risk management (TPRM).

Third-party price policies
Based on an understanding of market dynamics, and with a special emphasis on facilitating optimal integration of third parties in coordinated and centralised multi-product supply chains (SCs), academic Kefah Hjaila and his research team developed a generic tactical model in 2016.

The full article for this is available online in the link above, but the abstract thereof provides a clear outline of its usefulness and applicability: “This model allows for a more realistic assessment of the proposed policies in each marketing situation by using different price approximation models to estimate these policies. The pricing methods are based on the demand elasticity theory and results in different model implementations. The consequences of using the proposed models on the SCs coordination was on the practical impact of the tactical decisions.”

This approach was verified through a case study of the coordination of a production–distribution supply chain. The results showed how the selection of the price approximation model affects the tactical decisions.

In their case, the average price approximation led to the worst decisions, with a significant difference in the real total cost in comparison with the best piecewise approximation, further emphasising the need for supply market intelligence.

Sustainability considerations
Sustainability is a critical issue in management and marketing, as are consumer responses to sustainable products. These are defined as products that have a positive environmental and/or social impact because they are produced with concern for human and natural resources, such as air, water, and land. However, on the ground there appear to be concerns around the transition to sustainable behaviour, especially by third-party service providers. This may potentially be due to barriers such as price, performance/quality, availability, convenience, or the time needed to source sustainable alternatives.

To alleviate these risks, Friedrich Schiller and his team from University of Jena in Germany have proposed that companies attach additional attributes to their products. Specifically, these companies adopt third-party certification labels (TPCL), submitting their products for certification by independent organisations. As a result of this adoption, they observed that certified production across sustainable commodity sectors has increased by 41%. However, there is a note of caution. There is a clear lack of a single, well-defined sustainable label. Instead, there are many differing labelling approaches, with multiple and assorted criteria. This may create challenges for consumers, in that the hundreds of TPCL may overwhelm consumers' and clients' ability to assess the various sustainable product certifications. Despite this challenge, it is worthwhile establishing such criteria for your own third parties to adhere to, in order to mitigate any sustainability-oriented risks.

Cyber security
Writing in the Sage Data Security Report, Beckie Metivier recognises that it has become the norm for businesses today to rely on a multitude of third-party service providers and other vendors to support core business functions. It is also common for these third-party entities to have access to the organisations’ data and their internal systems. This interconnectivity presents an inherent risk that must be managed. After all, you can outsource the function, but never the responsibility. Therefore, in appointing third-party service providers, organisations should take a risk-based approach. Managing risk is critical, and that process starts with a risk assessment.

With respect to the process, it is worthwhile to identify the five different types of risk that vendors can pose to an organisation:
  1. Compliance risk - related to violations of laws, rules, or regulations, or to noncompliance with internal policies, procedures, or business standards.
  2. Strategic risk - related to adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the institution’s strategic goals.
  3. Operational risk - related to loss resulting from inadequate or failed internal processes, people, and systems, or from external events.
  4. Transactional risk - related to problems with service or product delivery.
  5. Reputational risk - related to negative public opinion.
To ensure that third-party service providers take cybersecurity as seriously as the organisation does, it is important that, in addition to implementing security controls that will help prevent breaches, they also focus on cyber resiliency should an attack occur.

In particular, the USA National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a great guideline for all businesses to follow:
  • Identify: The first step is to identify what the potential threats are.
  • Protect: Then everything that can be done to protect and prevent should be done.
  • Detect: Need to be able to detect when an event is occurring to determine if it rises to the level of an incident.
  • Respond: Need to develop what the response to various incident scenarios will be.
  • Recover: Finally, how do we recover? Depending on the extent of the incident and the amount of damage done, this one could be difficult to ascertain.
I believe that with a concerted approach to identifying and managing the above risks, organisations create an environment that is sufficient to maximise the capability of the third-party service providers without being too exposed.

Ozias Ncube is a senior lecturer in supply chain management at the Graduate School of Business Leadership (SBL), University of South Africa (UNISA)


Posted on May 16, 2019