8 steps to managing third-party risk in your supply chain

7/9/2020
8 steps to managing third-party risk in your supply chain

Your supply chain keeps your business running – but if you’re not managing your third-party risk, things quickly can grind to a halt.

Outsourcing is a critical part of every business – but do you really know all the links that make up your supply chain? The more third parties you use, the more complex your relationships, and the more risks you invite into your company. It’s important to consider risk areas such as privacy, reputational impacts, regulatory concerns, and financial viability when you’re vetting third parties – but where do you start?

1. Know the background and scope of your current relationships

As your business grows, it can be easy to duplicate efforts and maintain more relationships than necessary. Which third parties are you currently working with, and why did you originally contract with them? Is the cost still competitive? Do they still have a focus on your core business? Defining the scope of each relationship will help you spot and eliminate any crossover. This makes you more resilient and efficient.

2. Identify the key risks to your organization

Take the time to interview each department head and ask how they handle risk. How do they protect their customers? If something happened, like a data breach or a significant disruption to their operations, how significant would it be for their organization? Knowing how a third party responds to crisis gives you insight into its risk management policies.

3. Build your business needs into the contract

Include defined contract requirements around risk, workflows, and approvals. Make sure you have a system to identify any new provisions, who approved them, and who approves any other changes or redlines along the way.

4. Create an upfront assessment and triage process for new third parties (and use it to evaluate current ones)

Based on the inherent risk in each relationship, decide the right questions to ask, identify any gaps, and lay out the potential risks if something goes wrong. But remember that this can be nearly impossible without a single repository for information. The right technology can save you time and help you triage hundreds – or thousands – of relationships in your company.

5. Maintain ongoing monitoring of the relationships and risks

Business practices change all the time, so ongoing monitoring is vital to stay on top of current risk. This is another area where the right technology can make a huge difference. Technology providers can help you monitor your third party's risk profile and indicators, and follow up as needed – including their web presence, leadership changes, or even upcoming events in the region of the third party.

6. Don’t forget to reassess along the way

Based on your own resources, determine how often you’re planning to reassess relationships and which third parties take priority. Ongoing monitoring alerts you to any major issues, but a consistent and defined reassessment plan will help you follow up on any issues and confirm the scope of work. Again, technology can help you automate this process.

7. Begin with the end in mind

All relationships come to an end, and planning for that end in the beginning can make for a smoother separation. Consider how you will get back your data and turn off connections. Document the termination – and your experience with the third party – in a central repository so that other decision-makers in your business have the background if they are considering a relationship with a terminated third party.

8. Find the right technology

Technology is key to streamlining the third-party risk management process and keeping your organization safe. Automating alerts, triggering reviews, and keeping a central information repository are essential to maximize time and resource efficiency.

Contact us

Managing risk is an ongoing process in any organization – but a wide variety of technologies are available to help you simplify and streamline. If you’re starting to assess which technologies are right for your business, our team is here to help. Crowe GRC (governance, risk, and compliance) technology services and solutions use our extensive knowledge and long-term relationships to help you create a custom plan for managing third-party risk in your supply chain.
Brad Gilliat
Brad Gilliat
Principal, Consulting
Josh Reid
Josh Reid
Principal, Consulting