
Managing third party risk: Where is your weakest link?


Jack Parkhouse

Business Development Consultant

At the recent FSQS Live event, I had the opportunity to hear a range of senior procurement professionals and leading suppliers in financial services speak about emerging trends for 2024. One of the main areas of focus was around third-party risk management. I wanted to share my observations around the upcoming challenges for both buyers and suppliers, and what potential solutions could look like.

Cyber security

Cyber security has been prominent in corporate strategy for a number of years, but we are now seeing the focus shift towards third parties. Two high-profile cyber incidents last year have put a spotlight on this issue. After attacking a fencing manufacturer, hackers were able to steal and leak documents from the Ministry of Defence containing sensitive information about a nuclear base and several high-security prisons.

The Metropolitan Police were victims of a similar incident, where information on officers’ names, ranks, pay and photos was obtained by hacking the manufacturer responsible for producing their badges.

These examples really demonstrate the severe potential consequences of cyber weaknesses not just within an organisation itself, but throughout the supply chain. Organisations must take care to ensure that all partners and suppliers being engaged are equally cyber resilient since the supply chain can only be as strong as its weakest link.


The rise of new technologies makes it difficult for risk and compliance officers to keep up with the current rate of technological advancement. The current boom in the application of GenAI is a particular case in point. From an operational resilience point of view, how can we measure the tolerance for failure in technologies where the true extent of potential consequences is not yet fully understood?

For example, at Stellarmann, we are currently discussing the implications of the rollout of Microsoft Copilot and what that means for how we label, store and control access to classified information.

Fortunately, technology can also be leveraged as a solution to better manage third-party risk. By integrating new compliance technology, firms can automate more processes and enhance the accuracy and availability of data to better understand the technological estate. In turn, this makes regulatory compliance both easier and more effective. 

On the supplier side, those taking a more proactive approach to compliance, and taking advantage of new technology, will be more attractive options for buyers. Better risk assessment is key, but being able to evidence this to prospective buyers with clear and reliable reporting is just as important.

Incoherent strategy

Another contributing factor to this problem is having siloed risk domains, especially in larger companies. Having inconsistent approaches between different functions can cause missed risk indicators, which is often exacerbated by the sheer size and number of suppliers some organisations are engaging with. This makes the task of tracking and understanding the potential liabilities and extent of third-party risk significantly more difficult.

Adopting a more holistic and aggregated approach to risk is crucial, both internally and with third parties throughout the supply chain. Everything should be done with risk and compliance in mind, from developing new technologies to onboarding new hires.

Fortunately, the attitude towards compliance and assessment is starting to shift, with firms and suppliers seeing the value-add and competitive advantage of risk and compliance exercises, rather than viewing them as generic ‘box-ticking’. Acknowledging areas of potential risk might feel counter-productive for suppliers. However, with more emphasis being placed on third-party risk, I believe those suppliers who can demonstrate a more transparent and proactive approach to managing supply chain risk will actually be much more attractive propositions.

One key point that every organisation (buyer or supplier) should take away is to promote honest and open dialogue to develop better strategies to tackle third-party risk. This is a multi-faceted and constantly evolving topic, but better collaboration and co-operation will help us all navigate this landscape for the benefit of everyone.
