In today’s global economy, companies rely on complex supply chains to bring their products to market. With so many suppliers involved, it can be challenging for businesses to keep track of potential risks in their supply chain. Third-party supply chain risk is a significant concern for many organizations, and they are constantly looking for ways to manage it effectively. Here, we explore what third-party supply chain risk is, how companies measure it, and why it is challenging. We will also discuss ways companies can improve the process of managing third-party supply chain risk.
What is third-party supply chain risk?
Third-party supply chain risk refers to the risk that arises when a company relies on third-party suppliers for goods or services. This risk can manifest in several ways, including financial risk, legal risk, reputational risk, and operational risk. For example, a supplier may experience financial difficulties that impact their ability to deliver goods or services, or a supplier may violate laws or regulations, leading to legal repercussions for the company that hired them.
How do companies measure third-party supply chain risk?
Measuring third-party supply chain risk can be a challenging task for many organizations. However, some common methods used by companies include supplier surveys, site visits, and data analytics. Supplier surveys involve sending questionnaires to suppliers to gather information about their financial health, compliance with laws and regulations, and other relevant data. Site visits involve physically inspecting a supplier’s facilities to assess their operations and identify potential risks. Data analytics involves analyzing data from various sources to identify potential risks, such as financial data, news articles, and social media.
Why is managing third-party supply chain risk challenging?
Managing third-party supply chain risk is challenging for several reasons. First, companies may have hundreds or thousands of suppliers, making it difficult to monitor them all effectively. Second, suppliers may have complex supply chains as well, making it challenging to identify all the risks in the supply chain. Third, suppliers may be located in different countries with different laws and regulations, making it difficult to ensure compliance. Finally, the landscape of third-party supply chain risk is constantly evolving, with new risks emerging all the time.
How can companies improve the process of managing third-party supply chain risk?
To improve the process of managing third-party supply chain risk, companies can take several steps. First, they can establish clear policies and procedures for selecting and monitoring suppliers. This includes conducting thorough due diligence before engaging a supplier and regularly reviewing and assessing their performance. Second, companies can use technology to automate the process of collecting and analyzing data about suppliers. This can include using data analytics tools to identify potential risks and using software to manage supplier relationships. Third, companies can work with their suppliers to improve their risk management practices. This can include providing training and resources to help suppliers identify and mitigate risks. Finally, companies can develop contingency plans to address potential disruptions in their supply chain, such as identifying alternative suppliers or building up inventory.
Improve risk management practices with automation
Third-party supply chain risk is a significant concern for many organizations, and managing it effectively can be a challenging task. However, by establishing clear policies and procedures, using technology to automate data collection and analysis, working with suppliers to improve their risk management practices, and developing contingency plans, companies can better manage third-party supply chain risk and reduce the impact of potential disruptions. By taking these steps, businesses can protect their reputation, reduce financial risk, and ensure a more resilient supply chain.
Speakers
Transcription
Scott: I’m really excited to talk about third-party supply chain risk with Sam today on the Union Podcast. So, Sam, you’re already ramped up on third parties, right? We’ve previously talked about third-party IT risk.
Sam: Yes, I’ve done a lot of work on third-party risk in the past, and IT is one of the core factors.
Scott: Yeah, I mean, that’s kind of where we live, right? I’m most familiar with third-party IT risk, but I’m excited to revisit supply chain risk. My first job was in supply chain planning, so I’m really looking forward to revisiting extended supply chains and reliving some of the theory of constraints.
So, we’ll talk about some of the constraints, but first, to level set everybody, let’s talk a little bit about what third-party supply chain risk is and why it’s important that companies measure this.
Sam: Sure. If you go back to our last conversation about IT risk, we were really talking about data and other things that are important for building and adding value to your customers.
This is the actual supply chain, so it’s parts, materials, and other things like that. There is an IT aspect to it, but this is actually getting the physical part that you might need to build your system or service. Without it, you can’t move forward. So, third-party supply chain risk is just as critical as IT risk.
Scott: I totally agree because you can’t ship an incomplete product. You don’t have happy customers when you do.And there are simple examples, like opening an IKEA box or a Lego set and finding a piece missing. But there are more critical examples, like not being able to buy a vehicle because it’s missing a component.
Sam: I guess it depends on who you ask. If you buy a Lego set for your six-year-old and it’s missing a piece that you can’t replace, that may be the end of the story for them. But let’s put things into perspective.
During the Covid crisis, there were Ford trucks sitting there without critical chips, and they couldn’t ship them. People who needed to work were affected. Ambulances and garbage trucks rely on these trucks. Even plumbers need these trucks to carry parts and fix things. The trucks are crucial, so they couldn’t ship without them.
So just as that little Lego piece is critical to the six-year-old’s happiness, missing components from trucks are also very critical to a larger part of the economy.
Scott: Right, especially here in the States where we tend to move around a lot. But during that time, we weren’t moving around as much, yet we still felt the impact.
Sam: Oh, a lot of us weren’t moving around during Covid. Just last week, I had a guy come to my house because a part of my oven had broken. I asked him if he was busy during Covid and what he did. He said he was busier than ever, driving around in his truck every day to bring parts and fix things.
With people at home cooking more, appliances were getting more use and breaking down more often. You probably saw everyone baking bread, but those components and systems in the house kept breaking, and there were many people like him who were out there driving around and fixing them.
Scott: Yeah, there was a big increase in home improvement during Covid because people were stuck at home and started taking on home improvement projects. The home improvement stores like Lowe’s and Home Depot got really, really busy.
And their supply chain was affected because of the increase in demand. They had to be able to react to it, and that requires some planning and risk mitigation. So, what do companies do day-to-day to monitor third-party supply chain risks? What kind of tools are they using?
Sam: Managing supply chain risk is a complex question due to its multiple facets and aspects. One of the factors to consider is the origin of the products. Many goods come from overseas, but some don’t. For example, in the case of Home Depot, lumber was in short supply, and most of it came from North America, but the machinery used to cut it down was sourced from overseas, or at least parts of it were. This highlights the supply chain aspect, but the risks associated with third-party supply chains are even greater.
Think about your industry and how you likely have competitors who buy from the same suppliers as you. Some companies view vertical integration as a strategic advantage and may even buy out your supplier, which can be a risk to your business.
What if they raise prices or decide to stop supplying you altogether? There are many potential scenarios to consider. For instance, one of my favorite beers was acquired by a larger company and then promptly shut down because it was causing issues for the acquiring company.
So, you know, there’s that one aspect. There are other aspects too. There are a lot of laws around it. The Department of Justice is really keen on making sure that you run your business in an up-and-up way, and that’s a good thing for everybody. We don’t like it when we hear about bribes or corruption, political influence, or anything like that because, as consumers, we know that that’s not fair. And we also know that we’re not going to get the best value or the newest innovations and things like that.
So, there are actually a lot of laws out there that prevent you from buying from what’s called PEPs, which are politically exposed people. There are a lot of laws out there that make sure that you’re not buying things from companies that are on sanctions lists from other countries, and things like that.
So, there are a lot of things that you have to look at in your supply chain, and you would ask Scott who does this, and kind of, it’s all over the board. Sadly, in many companies, the answer is nobody’s doing it. A lot of people find out about a lot of this stuff in a reactionary way.
In order to do this effectively, you still have to do all those IT assessments that we talked about the last time we chatted here on The Union. But you also have to do all of these other assessments. You have to bring in the news feeds. You have to do all of this, and a lot of people are like, ‘Oh yeah, that’s easy. That’s easy.’ And then when things go wrong, you find that there’s an awful lot of noise in there, so it takes a lot of thought of what you want to do and how you want to go about it. There are a lot of challenges. It’s still all very important.
Scott: So, you said no one’s doing it. But maybe they’re reading the news, and I would imagine this is like giant geo-political things, like the war in Ukraine or something like that. I don’t know. But what type of timeframe were you thinking about? So when you said, ‘Hey, I’m watching the news,’ is this daily, weekly, monthly, quarterly? How reactionary would you assume that companies need to be to monitor that effectively?
Sam: Well, I don’t think many people are doing it well. Some people are probably doing it well, but it really depends on what it is that you’re doing. And if you’re a baker and you know that all of your grain is coming from a portion of Eastern Europe or a significant portion of the world’s grain is coming from Eastern Europe, and that source gets cut off, what is it that you do? I actually think there are a whole bunch of companies today that aren’t looking at where lithium is supplied from.
Lithium has two major sources in the world, right? There’s some in China and there’s some in South America. And the stuff that’s in South America is at the top of a bunch of mountains, and you actually need a lot of water to mine lithium. So effectively, most of the lithium in the world is coming from China.
That’s a huge concentration risk of the supply of lithium. Some people are probably looking at that, but I think there are a lot of people who are not looking at that. So, do you have to look at the news? It really depends on what the risk is that your supplier brings to you, and you have to sit there and evaluate that internally so you can figure out what it is that you have to look at and how often you have to look at that.
Scott: Okay, that makes sense, especially lithium. I think that’s probably a good example. Everybody listening to this podcast probably has lithium, because you’re listening to it on your laptop or your iPhone, right?
So, how are they going to mitigate that risk? The grain example makes sense to me. As a baker, I would assume that there aren’t many bakers listening to the Union podcast since we talk about a variety of topics. But, who knows?
Sam: When it comes to mitigation, it doesn’t matter who you are or how frequently you have to manage and track the news or run assessments. It comes down to a few steps. First, figure out your process. Second, automate your process as much as possible, but be careful not to create a title wave of noise.
Scott: Giving yourself a title wave of noise sounds like a self-imposed problem. Can you explain what you mean by that
Sam: I once worked with a third-party threat assessment company, and they provided me with threat assessments for my entire IT landscape. However, I kept receiving email alerts one by one for each threat. It was a lot of noise, as most of the threats weren’t important to me. I needed something smarter, an AI, to go through and identify which threats matched up to my environment and technology.
This would have eliminated at least eighty percent of the noise. If the AI could understand where the technology was located in my environment, it could have brought me only the six important things daily. That would have helped me focus on what really mattered.
Scott: I mean, yeah, that makes sense, especially when it comes to the threat landscape.
Sam: The same thing applies to the supply chain. If I’m just receiving news from my major supplier, I’ll be bombarded with every stock update, every PR announcement, and everything else.
Instead, I need to take a broader look and funnel in sources of information that specifically focus on geopolitical news or sanction news related to my supplier. This will help me identify the things that are truly important and allow me to make a plan, react, or be proactive with my next steps.
Scott: It seems like this issue will only become more prevalent as time goes on because people don’t retire systems or feeds like the threat feeds you mentioned. Instead, they keep adding systems, making the situation more complex, and there are fewer people to manage it all.
Additionally, third-party suppliers face the same issue, with their supply chain constantly changing, customer base evolving, and frequent mergers and acquisitions.
Sam: You’re right, they just complicate things further. But think about the news – when something bad happens, there are always armchair quarterbacks who claim that the data was there and you should have known.
The truth is, there’s a lot of data and information out there, and it’s often difficult and costly to sift through and identify what’s truly important.
Scott: So, is it expensive for organizations to monitor and manage the supply chain risk in a cost-effective manner?
Sam: Manually, you’ll get overwhelmed, and every time you add a person, you increase the opportunity for error. So, the cost around third party risk management can easily explode. I remember when I first heard about third party risk management, I thought it was simple: send out a spreadsheet, ask for the information, and get it back.
But what happens when you have a hundred suppliers? What happens when your chief risk officer, board of directors, or investors want to know it by spend, tier, or risk level? As soon as you spend hours, days, or weeks putting that information together across the one hundred and fifty vendors that you’ve chosen (not the five hundred or more that you actually have), you’ve massaged all of those spreadsheets multiple times, creating an opportunity for errors. Then they ask for it to be trended over a three-year period or they ask for a different slice, and you basically have to start over. It becomes very complex.
Doing things manually leaves room for error and can explode your cost. Having automated, simple, data-driven ways to bring this information in a meaningful way to your risk program is super important. Adding AI to it is frankly super important too if you can get over the hurdle of developing a model and then implementing the model correctly. The development of the model can become very costly and then, nine out of ten times, it becomes shelfware because nobody knows how to implement the model after you’ve actually put it in to make sense.
Scott: Yeah, it makes sense. Orchestration of the process and having good, clean data can simplify the process of managing third party supply chain risks.
Sam: It really is. I mean, if you can have all the tools to only present you with the things that are important and all the things that could be important, now you get to spend your time managing risk instead of sifting through data. You’ve made your job happier and more productive. You’ve brought value to yourself.