Posted 2nd Apr
Have you noticed a steady increase in the use of external suppliers and other third parties in your organisation? If you have, it might have made you think about how well these suppliers and supply chains are understood and managed. If not, then it’s highly likely the Covid-19 outbreak has brought the importance of this sharply into focus.
Third Party Management (or TPM) is the overall management of the risk, service, contract and relationship with a third party. Even in pre-Covid-19 times, some or all aspects of TPM were already highly important for many sectors. Those in regulated business areas, such as financial services or medical devices for example, will be all too familiar with the steady increase in regulatory scrutiny and requirement for supply chain transparency that’s developed alongside the growth in the dependence on third parties for ever more critical operations and functions.
However, in many organisations there has been a feeling that the importance of TPM has not been fully recognised. TPM practitioners often use real-life examples of ‘things that can go wrong’ to help explain to business stakeholders the importance of robust, professional and proportional TPM. These have typically involved unforeseen supply disruption, cyber-attacks, data breaches/loss, natural disasters, financial crime failures and regulatory fines; all negatively impacting end-customer service and reputation. However, a global pandemic, whose real reach and impact has still not fully played out, will almost certainly make firms and regulators adjust their approach to risk management and require controls to better protect supply chains in the future.
The reality is that many firms are really just waking up to the importance of effective and proportional TPM. Bain & Co estimate that around 60% of executives have no knowledge of their supply chain beyond the tier one group. With the pandemic already impacting all supply chains in some form or other, many organisations could be in for a shock in the coming weeks and months when the global ramifications of supply disruption hit home.
So, what would you ideally need in place to stand the best chance of being more resilient?
At a foundation level, we already know the importance of:
· Robust policy, governance, systems and controls: including clear roles and responsibilities so everyone understands their end-to-end role in TPM.
· Risk assessment: identifying and assessing all relevant risks pre-contract
· Due diligence and contracting: making sure appropriate pre-contract due diligence is performed and that contracts reflect relevant risks, controls, and protections.
· Segmentation: classifying your supply base to understand which engagements carry the highest risks and criticality and subsequently require the highest levels of ongoing management and oversight.
· Service, risk and performance management: the ongoing post-contract management of risk, controls and day-to-day management of the service itself.
But what else is this pandemic showing us might be important?
1) Understanding your supply chains beyond tier one: working with your tier one suppliers to map the supply chain and understand how the services are provided. When applied across all critical engagements this process can identify unforeseen concentration risks, lower tier critical dependencies and potential weaknesses in the event of disruption that can then be mitigated in advance of issues occurring. This would preferably be done pre-contract, but it should be done now for all critical engagements with such an unprecedented amount of change happening.
2) Stress-test business continuity management and scenario plans: for each supply chain, rigorously plan and periodically practice what would happen under different scenarios - from full disaster recovery to minor supply disruption (including planned or unplanned exits from different suppliers). This should be approached using both an internal perspective, with relevant colleagues, as well as externally with key suppliers to understand the wider supply chain impacts. Findings can be reflected in operating procedures, contracts, key controls and service management dialogue.
3) Investigate tier 1 suppliers’ sourcing and supplier management practices: for critical engagements, ongoing service and performance management conversations can be improved to include an understanding of how tier 1’s source and manage their suppliers in tiers 2 and 3, and in turn how well these management practices flow down the supply chain. This deeper appreciation of the wider supply chain dynamics, driven top-down by the ultimate customer organisation, improves risk identification, mitigation strategies and ultimately resilience.
There is no way to fully mitigate against all the risks associated with an event as extreme as the Covid-19 pandemic. However it does highlight to us that (a) these unimaginable scenarios can actually happen; that (b) there are many things we can do to better to improve our understanding of the supply chains we depend on the most; and (c) this information can better enable us to anticipate and mitigate the worst impacts of future disruption.
Ultimately, there will be two types of organisation to emerge from this pandemic; 1) those that hope it doesn't happen again and do nothing different in the future and 2) those that realise how much more resilient and agile they could (or should) have been and take steps to improve their capability.
For those in the latter category, that have not yet done it, mapping your key supply chains with your tier one suppliers and understanding how the services are provided is a great first step to take. There is a simple guide and template to help with this available here.
For those that have already mapped supply chains, the next step is to undertake a diagnostic to baseline your current TPM capability and identify a prioritised roadmap of improvement.
Our Guest Author of this Blog is Dan Crease, A Consultant and ex Global Head of Third Party Risk Management with HSBC.
Dan and Mark Webb will be running a webinar with Q and A on the 8th of April at 14.00 to discuss the points raised here.
Sign up for the webinar here.
by Mark Webb