Highlighting resilience risks in supplier contractual arrangements

Our review work with clients highlights common causes of third-party risk management operational ineffectiveness.

Commonly cited areas are:

1. Failure to differentiate between critical suppliers and important suppliers leads to the management of every supplier in the same manner, which places a significant burden on the business.
2. A lack of 1LOD risk management maturity which impedes proper risk oversight of suppliers
3. An operating model that doesn’t foster accountability in supplier relationship owners

As we have delved further into contractual elements of third-party risk management programmes through the lens of Operational Resilience or DORA, we’ve found further challenges, specifically with long standing supplier relationships.  We believe these challenges are widespread, supported by conversations with financial services firms across the spectrum.

• Risk Management

As firms and suppliers become comfortable in the relationship, the tension for risk management oversight subsides.  One fundamental issue is a lack of full comprehension of new or emerging supplier risks that appear after due diligence and onboarding. Often, firms fail to recognise potential risks associated with their suppliers, as supplier relationships evolve. Continuously assessing these risks is essential. 

However, as the focus of supplier conversations often moves from supplier risk management to supplier management, these risks are not spotted early enough to treat or mitigate. 

To illustrate this point, a 2019 paper by Gartner identified that 73% of effort is invested in supplier due diligence and onboarding with “27% of effort allocated to identifying risks over the course of the relationship”.  Over 80% of leaders stated that third-party risks had been identified later in the relationship and that 31% of those risks were material, the majority of which could not have been identified in supplier due diligence processes.

• Fluid contractual terms

Contractual terms are a key control for financial services firms looking to mitigate supplier risk and effectively manage the arrangement.  We have seen three distinct issues with contractual terms with embedded, long-standing suppliers, who may have been working with a firm for 15+ years. 

• Firstly, no contractual end date or review date in the agreement which creates significant risk when it’s time to consider exiting the agreement and provides no performance incentive for the supplier. 
• Secondly, these older contracts often completely lack Service Level Agreements (SLAs) on supplier performance, or the SLAs fail to meet a change in firm expectations, circumstance, regulatory stance, or technology estate.  
• Thirdly, in a similar vein to the SLAs, legacy supplier contracts contain legacy supplier Recovery Time Objectives (RTOs).  Many firms don’t experience a major disruption due to supplier technology outage and so don’t consider how the length of a supplier RTO aligns to their products and services. 
  
  With the introduction of Important Business Services and Impact Tolerances through Operational Resilience regulation, supplier RTOs are now an intrinsic link in the resilience of a firm’s services.  If the legacy RTO does not fall inside a firm’s Impact Tolerance, and that is not articulated contractually, then a firm’s resilience is at significant risk.

• Business Continuity and Exit strategies

Even in the most up to date supplier arrangements, we very often find that neither a Business Continuity Plan nor an Exit Plan is in place.  Documenting how a firm will respond to a supplier outage or how a firm will exit an arrangement in stressed circumstances play an important role in ensuring the end-to-end resilience of your supply chain.  Notwithstanding the fact that these are both FCA and PRA regulatory requirements without these plans, firms are not considering the worst-case scenarios and risks that lead to robust resilience. 

Where firms have taken the time to document plans, they are often out of date and have never been tested to ensure their operational validity.  Again, both are regulatory requirements.