A “take-charge” risk management approach needs to factor in a risk horizon for planning and prioritizing. Risks identified should be prioritised based on Business impact and likelihood of their occurrence.

Short Term Risks

A short-term risk horizon includes risks that are expected to have an immediate impact on the organisational business and should be addressed immediately. These short-term risks might include an unplanned supplier shutdown or a hurricane near the supplier’s facilities resulting in inadequate inventory stock to meet a client’s production plan requirements. They could also be bribery or corruption allegations against a third-party supplier which will have an immediate impact on market reputation. All these short-terms risks require contingency plans to ensure continuity of supply.

Medium Term Risks

Medium-term risks are the ones that need to be addressed within a budgetary or financial period to ensure continuity within the budgeted timeframe and to mitigate potential financial overruns (for example, a supplier failing certain audit norms). The sponsoring organisation will need to identify and develop an alternative supplier within a short time frame. If the organisation decides to continue with the same supplier, it will likely need to reinstate a new process and ensure that the problem is addressed in future audits.

Long Term Risks

Long-term risks have a strategic impact on the business with an effect timeline between one to five years. Example can be an estimated vs. actual supply gap due to increased demand from competition or capacity limitations. They can also emerge due to poor forecasting of internal demand. New technology advances such as 3D printing technology and their effects on the injection and thermo- forming industry can impact capacity build-up and pricing in the market. Suppliers typically use new technology and take advantage of it through the use of extended controlled supply and demand pricing levels.

Once an organisation applies risk calculations and likelihood scenarios to these identified areas of risk, an executive dashboard should be created and shared with key management stakeholders. The reporting “dashboard” presents the different risks involved after considering the value at risk and likelihood of occurrence. A mitigation and contingency plan for each identified ‘high’ risk can then be developed. Plans can include elements such as risk description, type of risk, length, associated financial value of loss, likelihood or probability, mitigation plans, responsibilities and timelines for correction. It is important that an organisation meets with its high-risk third-party suppliers to agree on future audit procedures and governance measures that require suppliers to demonstrate confidentiality, privacy, integrity of processes (internal controls), and delivery of performance.

A Project Management Office (PMO) group should be involved in monitoring each mitigation strategy that is linked to various risk areas. The PMO group should have a central role in coordination with third-party supplier risk initiatives and interact with legal, internal audit, finance, compliance, business operations, and public relations. Finally, third-party compliance procedures should be enacted to help monitor the Program’s progress and adherence to compliance areas such as legal, security, quality, trade, international transactions and supply movement.

Following are some recommended action items to ensure that the implementation and ongoing oversight phase is controlled correctly:

  • Collect data on daily, weekly, monthly, quarterly and half-yearly basis for each third-party supplier type
  • Run risk management models and validation checks to ensure consistency
  • Ensure proper communications externally (surveys, site visits)
  • Communicate with stakeholders on the dimensions of risk
  • Liaise with other functions (legal, audit, finance, compliance and BUs) as needed
  • Agree on corrective or preventive actions and assist as needed — especially with high-risk suppliers — and implement recommendations
  • Ensure that the decisions are carried out and the risk is mitigated
  • Repeat the process and convert into longer term effective risk management operations (Third-Party Compliance Program)
  • Conduct monthly steering committee meetings to ensure third-party risk goals are met

Aval Sethi