
Gaining assurance over supplier resilience


According to the BCI's 2023 report on supply chain resilience, 87% of firms surveyed experienced a supply chain resilience incident that caused significant disruption. Recent events in the UK, in which attackers exploited technology vulnerabilities at a third-party payroll provider, are further evidence that gaining resilience assurance over your third-party and outsourcing supply chain is more important than ever.


Supplier due diligence and onboarding is robust in most firms and will usually identify inherent risks in advance. However, firms often struggle to maintain a view of supplier risk through the remainder of the supplier lifecycle. With the introduction of Operational Resilience, firms must also gain additional assurance over the resilience capability of their suppliers and ask: "If the supplier is supporting an Important Business Service, can the supplier evidence recovery of their service inside our impact tolerance?"

Following due diligence and onboarding is where most resilience incidents occur.  Here we outline three strategies to support supplier resilience assurance:

1. Governance and accountability

A key challenge for firms is establishing 1LOD accountability for supplier risk management. The risk assessment performed at supplier onboarding often does not carry through to the day-to-day work of 1LOD relationship owners, creating tension when 2LOD looks for assurance. With assurance not forthcoming, the framework, controls, and governance become operationally ineffective.

Our review work highlights common causes of operational ineffectiveness as a lack of standards and controls, a poorly defined Target Operating Model, and a shortage of meaningful MI.

By driving accountability for risk in supplier relationship owners and developing behaviours in 1LOD through robust governance and a Target Operating Model with clear roles and responsibilities, "supplier management" conversations become "supplier risk management" conversations.

2. Ongoing monitoring and assurance

In a global KPMG risk management survey, 80% of risk and compliance teams reported resilience risks long after the initial supplier assessment and due diligence process. However, a study by technology firm Blue Voyant identified that ongoing supplier monitoring was decreasing year on year, with only 5% of firms practising continuous monitoring.

Ensuring you develop enterprise-wide standards for assurance, and have a robust supplier monitoring and testing strategy is essential for securing the resilience of your third-party approach.

As a minimum, firms should employ three simple approaches to ongoing monitoring and assurance:

  • Scenario testing

Material and critical suppliers should be able to evidence their internal operational resilience approach, and combining that documentation with collaborative scenario testing is essential. Combined testing helps you understand the recovery and response capabilities of both you and your supplier against scenarios in which you are the impacted entity and scenarios in which the supplier is the impacted entity.

There is greater benefit in identifying the breaking point of your and your supplier's resilience capability than in simply confirming existing recovery capabilities and SLAs. Test scenarios should mirror, and factor in the probability of, scenarios drawn from near misses and live incidents, both internally and from across the sector.

This testing approach will prove if you can remain inside your documented Impact Tolerance and Recovery SLAs and will provide you and your supplier with key lessons to support the development of Crisis and Incident Management plans and stressed Exit Plans. 


  • Using data and publicly available information

Ensure there is a healthy data flow between you and your supplier, which supports you in understanding the current risk and resilience profile of your supplier.  Make use of internet monitoring tools to understand if any adverse news or incidents have happened which involve your key suppliers and may present an underlying resilience risk.

  • Reviews

Use contractual clauses to ensure that you can conduct regular supplier reviews. This could be as simple as a quarterly review meeting to assess risk MI and supplier performance, or as in-depth as an on-site supplier audit. You can also use third-party documentation to attest to supplier resilience, for example ISO audits or regulatory assessments.

3. Risk and Regulation

Writing, applying, and testing third-party risk management controls which align with your firm's third-party risk strategy is vital.  When assessing your controls, you need to understand how effective they are at reducing risk and how they have potentially mitigated risk events.  Controls will need to be more robust and tested more regularly for material suppliers and in general, testing and controls assurance should be proportionate to the materiality or criticality of suppliers.

The simplest way to strengthen your capability is to ensure your firm complies with the relevant regulations. Both FCA and PRA regulations provide clear principles and guidelines for firms across the supplier lifecycle.

By reviewing your compliance to regulatory requirements and uplifting where required, your firm will be better equipped to identify and manage risk in assessing, onboarding, managing, monitoring, terminating and offboarding suppliers.


Conclusion

The key concept that we look to address with our clients is that of the extended enterprise. Firms should look to achieve an "extended enterprise" approach, where suppliers are viewed as an extension of the firm's own risk profile.

Third-party risk strategy should be integrated with the risk management framework and approach as though such risks were inherent within internal operations. This ensures that firms apply their internal risk management standards and RCSAs to third parties.


How FourthLine can help:

FourthLine’s team of third-party risk management specialists can support your firm across all stages of the third-party lifecycle, including the alignment of regulatory requirements and integration with BCM and resilience frameworks.

June 30, 2023
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.