By Bill Bandon, Joe Venturato, and Marie Fitzpatrick
“A chain is only as strong as its weakest link.” The old saying – which asserts that a process or a team is only as effective as the least effective amongst them – is an apt analogy addressing third-party risk, particularly supplier risk. This is to say that an integrated process or system, strong in all but one of its components, may nevertheless easily fail because of that weak component.
Ironically, naval vessels employ “weak links” as a safety measure, to mitigate risk from any misjudgements in measuring the depth of the ocean floor at the place where the ship drops anchor. A weak link is built into the ship’s anchor chain as the last link so that if the anchor’s fall surpasses its chain length, the chain breaks at that final weak link and the ship suffers minimal damage.
Consider how the analogy changes if the chain’s weakest link is no longer its last link, but its first, or a link in the middle of the chain. Now the weak link is itself the risk, not the mitigation tool. With suppliers we need each link in our supplier arrangement to hold strong so that any weakness does not cause the entire process or system to fail. This “link strengthening” is best accomplished during the Contract and Onboard stage of the Third-Party Lifecycle.
In this blog, the second of a three-part series, we discuss implementing strategies and approaches to managing risk when negotiating supplier contracts and onboarding suppliers into a company’s applicable third-party management systems.
For purposes of our discussion, there are some synergies in adopting risk management practices across third-party types, since some risk exposures are common to the various types of third parties. In this blog, however, we will focus specifically on the risk management of supplier and service provider arrangements and on the risks that are most material or of highest impact.
Developing a supplier arrangement
Fundamental to achieving a robust and thorough Contract stage is the completion of a comprehensive Plan, Evaluate, and Select stage in the Third-Party Lifecycle model. Both stages require an investment of time and resources that will ensure the ultimate contract reflects the appropriate liability clauses, service level agreements, monitoring, reporting and governance structures covering all risks associated with the services being provided by the supplier and the supplier’s own risk landscape.
When developing the specific provisions of a contract, you should have a good understanding at all times during the contract’s term of when and where it may be necessary to work with the supplier to improve the supplier’s risk management posture. This will help you pre-emptively mitigate the impact of the supplier’s risks to your company’s strategy, operations, finances, and customer satisfaction.
You should understand both the tangible and intangible risk impacts in order to construct the relevant requirement for the supplier to cover damages in the case of materialised risk identified during the Evaluate stage. Limits of liability and indemnification clauses within the contract need to be sufficient to guard against the significance of these consequences.
In fact, a strong supplier risk program may also assist your company’s negotiators in obtaining strong liability protections of the company from the supplier. However, if the supplier is adequately protected via its own processes and systems, agreeing to greater limits on liability or greater indemnification is akin to the supplier “giving the company the sleeves from its vest.”
On a cautionary note, if it is clear that the supplier’s contractual liability limits in its customer agreements are its principal avenue to liability management (as opposed to process or system protections), that should serve as a signal to your company that the supplier may be unsuitably risky to engage.
Risks in the supplier arrangement
Since sourcing services from suppliers does not release the contracting company of ultimate responsibility for those outsourced functions – i.e., one cannot fully shift the risk to the supplier, particularly with regard to oversight of the supplier during the term – risk of harm from supplier arrangements is a leading concern for companies.
Consequently, the standards of supplier risk management should be set by the incorporation into the supplier arrangement of your company’s own policy and control standards, which, in turn, should be based on the inherent risk assessment that was documented during the Plan, Evaluate, and Select stage. However, residual risk, such as a high level of inherent risk for cyber security, fraud, or money-laundering, should not set the standards of risk management in the contract.
Care must be taken by your company, though, to weigh the balances posed by the contract between risk to the company and reward to the supplier, recognising that the supplier remains a strong and safe supplier to your company only to the extent it is generating sufficient revenue from the contracted-for service. Economic realities of how the supplier generates that revenue may hinder or prevent your company from obtaining indemnification from, or risk allocation to, the supplier which fully insulates your company from harm.
The importance of due diligence
Requiring the supplier to customise risk mitigation strategies specifically for your company may result in an expense to your company. Company due diligence during the Plan, Evaluate and Select stage on the supplier’s method of providing the outsourced services and how the supplier constructs its own risk mitigation in configuring the service or building the underlying system may be sufficient for your company to factor into its risk tolerance.
Because your company remains accountable for the risk assumed through the supplier arrangement, your company must establish within the contract appropriate governance measures to exercise supplier management and oversight in a way that gives timely visibility to changes in supplier performance and health that affect the supplier’s risk profile. This empowers your company to keep the profile of supplier risk in balance with your company’s stated risk appetite.
The more effective your company and your supplier are at mitigating risk, the more sustainable the supplier’s performance will be in the arrangement. Because risk drives performance, the supplier contract should stipulate the requirement for suppliers to provide risk reporting utilising a mix of lagging and leading metrics, particularly if those metrics are, or should be, already utilised by the supplier internally.
These risk metrics will come from understanding the outcomes from controls due diligence that was performed during the Evaluate stage. Suppliers which routinely sell into the customer’s industry segment should be expected to have these reporting systems already in place, while suppliers only breaking into the customer’s segment should expect to invest in monitoring and reporting infrastructure commensurate with industry standards and regulatory requirements in order for the supplier to sustain a market-viable offering.
Establishing a control system
It is common for companies to obligate the supplier to meet the company’s established control standards. Given the potential impact should the supplier fail – financially or materially in its performance – embedding the supplier’s agreement to your company’s control standards within the contract will obligate the supplier to apply the then-current standard of controls itself.
This establishes a two-tier risk and control system that includes direct supplier monitoring and reporting as well as governance for company oversight against consistent benchmarks to be achieved across your company’s supplier arrangements. The supplier arrangement contract should also maintain enough flexibility to allow for your company to update the control standards periodically to reflect the evolution in services that naturally occurs over time.
Moreover, to the extent that a risk is materialising and could translate into harm to your company’s customer, or harm the safety and soundness of your company, the contract should incorporate clauses regarding information flows, which need to provide for the governance of risks within your company corporate governance framework, and establish the timebound requirement for the supplier to notify and respond. Additionally, governance should establish thresholds for the escalation of risks into your company. These thresholds should be linked to measures of risk appetite and impact tolerances. This, in turn, implies that escalations should be real time and subject to documented notification requirements.
Lastly, in those cases where the starting point for your company’s negotiation was its own contract template, any deviations from the original template which may be agreed to will need to be documented and submitted with the contract. In regulated industries, in order to meet regulatory requirements, the contract should also be reviewed and assessed by appropriate persons in the company to confirm that the final agreement does, in fact, mitigate your company’s risk exposure, such as liabilities and indemnification, resilience, compliance, and contingency and exit plans.
The contract for your supplier arrangement needs to address every stage of the Third-Party Lifecycle. Failing to complete a robust and thorough contracting exercise could result in contracts not being fit for purpose, which in turn could lead to regulatory censure, poor customer service, breach of contract, and the breakdown of the relationship with the supplier.
Key activities in the Onboard stage
Whether you are engaging a new supplier to deliver goods or services not previously acquired or you are moving existing goods or services from one supplier to another, you need to focus on ensuring your new or existing supplier arrangement is successful. Through use of your Know Your Supplier (KYS) and inherent risk assessment tools you need to identify any areas of residual risk which require the supplier to improve their risk management profile and strategize for these improvements to be made. Many companies utilize onboarding checklists to address the output of the inherent risk assessment within the transitional handover by operationalising applicable risk mitigation controls.
By implementing processes for a smooth transition of the supplier into your company, or an extension of an existing relationship, you need to ensure key contractual requirements are met to allow effective contract management throughout the Manage and Monitor stages of the supplier lifecycle. Your company should create comprehensive service inventories, identifying supplier and/or subcontractors’ responsibility for the ongoing management of risk and performance obligations pursuant to the contract.
Additionally, if you are transitioning goods or services from one supplier to another, work with both suppliers to create a positive pathway that moves smoothly from the incumbent supplier (or in-house provider, if applicable) to the new supplier. Below are a few key items for consideration when transitioning services:
- Set out a governance structure for, and oversight and reporting of, the transition
- Ensure critical supplier staff are identified and trained to perform all aspects of service, with a special emphasis on critical elements
- Agree on a monitoring and review plan that covers the transition and post-transition period ensuring that it upholds the spirit of the arrangement and delivery of the intended benefits
Onboarding is an essential step in any supplier arrangement as it sets the platform and tone of the arrangement. It is often difficult to recover from a badly planned onboarding process, as relationships can become strained and poor practices become habit. It is therefore important to set the standards and work towards a common set of values that underpin how the parties will work together.
Ensuring contracts are handed over to the supplier correctly, and ensuring the supplier understands your business requirements and expectations, sets the scene for a long-lasting and effective partnership, providing positive customer outcomes in a compliant manner. Through the Contract and Onboard stage of the Third-Party Lifecycle, your company has its most significant opportunity to create a strong link in the chain of its extended enterprise by mitigating risk and providing stability and soundness. With our third blog in the Weakest Link series, we will expand on the final stages of the Third-Party Lifecycle: Manage, Monitor, Terminate and Offboard.
Periculum Associates Limited provides an end-to-end service across the Third-Party Lifecycle in the identification, assessment, monitoring, and mitigation of extended enterprise risks to your business. For more information on risk management of third parties, start a conversation with us.