The COVID-19 pandemic has exposed the fragility of global supply chains and demonstrated how critical it is for organizations in our interconnected business world to identify and manage risks throughout the supply chain. In particular, many companies are performing inadequate due diligence to manage third-party risks, whether it be country risk, jurisdiction risk, or the concentration risk of over-exposure to vendors or geographies.
A report published by Refinitiv, “The Real Risks: Hidden Threats Within Third-Party Relationships,” explores the critical area of third-party relationships, revealing the hidden risks in supplier, distributor and partner relationships. This report is based on research commissioned by Refinitiv and conducted in February 2020 by an independent consulting company. Nearly 1,800 global third-party relationship, risk management and compliance professionals in corporate organizations across 16 countries completed the survey. The survey respondents worked for organizations totaling more than 17 million third-party relationships.
The full report covers:
- How the current global environment has impacted the risks that organizations face
- How COVID-19 is having a significant impact on supply chain risk and third-party risk, in particular
- Why green crimes and environmental risks are rising—and require more accurate analysis
A third party is “any person or organization that is connected to a supply chain or is executing business on an organization’s behalf such as a supplier, distributor, agent and/or partner.”
Third-party risk is “anything that could expose a company to threats and risks through engagement with third parties including bribery and corruption, modern slavery, environmental crime, wildlife trafficking or conflict minerals.”
Third-party due diligence refers to “assessment of the third-party at the onboarding and ongoing monitoring stage to determine the risk profile.”
Green risks involve crimes that “not only directly harm the environment but threaten our wildlife, impact business supply chains, and pose a threat to security and stability around the world.”
Key Insights on Assessing Third-Party Risk
Due diligence is inadequate.
Third-party risk exposure is increasing, but due diligence is not keeping pace. The average organization surveyed maintains nearly 10,000 third-party relationships—and that’s a good thing. The consensus is that these relationships are an operational imperative; 74 percent of respondents said third-parties increase their company’s flexibility and competitiveness.
Due diligence standards are lower than they were in 2016.
- 43 percent of third parties are not subject to due diligence, a full six percentage points higher than in the results of a 2016 Refinitiv survey, while the number of third-party relationships increased.
- US-based firms (66 percent) and large corporations (61 percent) are the strongest performers. Regionally, Sub-Saharan Africa has the highest level of third-party risk; 45 percent of respondents classified the region as “high risk.”
Onboarding due diligence isn’t adequate. Ongoing monitoring is vital.
- To mitigate third-party risk, companies should regularly revisit and review risk levels. Surprisingly, 60 percent of survey respondents said they are not fully monitoring third parties for ongoing risks.
Find a regulatory breach? Report it.
- Risks can only be fully understood by organizations, industries and their regulators if breaches are reported. Only 53 percent of survey respondents would report a third-party breach internally and only 16 percent would report it externally.
Third-party crimes are rising despite greater regulation and enforcement.
Regulators worldwide recognize the need for greater regulation and stricter enforcement actions. In 2019, companies received penalties totaling $2.9 billion under the US Foreign Corrupt Practices Act (FCPA). And in 2020, the European Commissioner for Justice announced the EU’s commitment to introduce rules for mandatory corporate environmental and human rights due diligence.
Regulation is not always a deterrent.
- While the majority of survey respondents say that they use global regulations like the US FCPA (77 percent), that still leaves significant minorities who do not.
- 53 percent of respondents say they would report a third-party breach internally, and only 16 percent would report it externally—even when the average estimated loss to their organization was 25 percent in total value, should a third-party breach occur.
COVID-19 reveals the connection between supply chain risk management and third-party due diligence.
- When surveyed in early 2020, respondents indicated reputational risk (45 percent) and financial risk (43 percent) as their top reasons for carrying out third-party due diligence. Regulatory compliance comes in third at 41 percent.
- Since the COVID-19 pandemic, however, the benefits of third-party due diligence on supply chain risk management have become more apparent.
Awareness of green risks and regulations is growing.
- The use of green regulations to inform decisions on third-party risk management has increased compared to 2016, when Refinitiv last conducted this survey.
- Survey data also supports the need for robust third-party due diligence, as 65 percent of respondents know or suspect their third-party business partners may be involved in illegal and/or environmentally damaging activities, and nearly six in 10 suspect companies of “greenwashing,” or providing misleading environmental credentials.
- A majority of institutional investors surveyed (89 percent) say the government should regulate and set targets for non-financial reporting, in part to better analyze environmental risk.
Better data and collaboration can manage third-party risk and increase supply chain transparency and resiliency.
The survey results indicated only about 51 percent of companies have full procedures in place for third-party compliance, and even fewer have procedures in place to screen related organizations (e.g. parent company, ultimate beneficial owner, subsidiaries, directors). Survey respondents also report significant knowledge gaps in major risk management areas. They have the most knowledge about data/IT security risks (39 percent), but less knowledge of major elements of risk like customer dependency (28 percent), environmental crime (26 percent), and notably epidemics/pandemics (15 percent).
Supply chain management drives third-party risk assessment.
- The key to managing supply chain risk is having a clear view of all levels of the supply chain. COVID-19 has shed light on the particular importance of due diligence to identify and manage supply chain risks and stability.
- The leading driver for carrying out third-party due diligence is the high value of the supplier to the organization (44 percent).
- When asked why their organizations were not fully identifying third-party risk within their supply chain, “lack of data” (37 percent) and “resource constraints including budget and time” (32 percent) topped the list.
The good news: technology innovation, global collaboration and good quality data are on the rise and can support companies in their third-party risk assessment and compliance. Companies like Refinitiv and others are emerging to provide guidance and support.
Read and download the full report to access comprehensive data and graphics.