The world is more interconnected than ever before, and global business operations are increasingly using third-party suppliers.
At the same time, regulatory bodies around the world and consumers themselves are pushing companies to become more inquisitive and more stringent about ensuring that the third parties they work with are conducting business legally and ethically and do not represent a security or privacy threat. This is a good thing: it signals a palpable shift toward proactively fighting foul play.
With the enforcement of anti-bribery and corruption legislation on the rise, having effective third-party risk management programmes in place is becoming a necessity for any company with a global footprint. But, as highlighted at a recent roundtable event hosted in London, there can be unintended consequences.
Discussing the results of research into the third-party risk management practices of UK companies, Markus Schulz, global head of financial crime compliance controls at Standard Chartered Bank, warned that the trend towards more thorough supplier vetting can sometimes prevent smaller organisations and startups from bidding for business.
We’ve seen evidence of this. In an effort to standardise policies and procedures related to supplier onboarding, and ensure their consistent application, some companies fall into the trap of implementing a rigid one-size-fits-all approach.
Third-party risk management processes typically involve assessing suppliers against criteria from regulators using a questionnaire. These criteria aren’t problematic when applied to larger, more established suppliers, who should have no issue answering the following kinds of questions:
- What was the date of your last external audit and details of auditors?
- Has your company carried out an anti-bribery risk assessment?
- Does your company have a modern slavery / human trafficking policy?
But if you’re a startup or SME, your answers to some of these questions may very well be “no” or “we don’t know”. And if those answers are fed back into a rigid vetting policy, it’s not uncommon for that company to be declined for onboarding.
“Smaller firms may have a lot of value, but sometimes it is easier to get Oracle in because the vetting process is too stringent. If we are too formulaic, we could end up cutting out really important suppliers,” said Schulz.
We completely agree. Bigger is not always better, and nowhere is this more apparent than in the technology sector, where SMEs and startups play a vital role in outsourced supply chains. Supplier vetting in the IT sector needs to reflect that – while still providing accurate risk assessments of suppliers of all shapes and sizes.
The solution lies in a flexible approach to risk scoring and assessment – using a customisable platform – that ensures the differences between suppliers are sufficiently accounted for and that risk, rather than simply size, is the qualifier.
Flexible risk scoring not only ensures that anyone you do business with is conducting themselves with integrity – the priority from both a regulatory and reputational perspective – but that you are not “de-risking” to the extent that you overlook smaller partners and suppliers who could benefit your business. All of this, of course, has to be done in a way that doesn’t add time or additional resource requirements to the third-party onboarding process.
There is tremendous value in using an initial “triage” assessment, which helps determine whether a given supplier’s or partner’s risk level is high, medium or low.
To that end, it’s also important that risk scoring considers the overall context of the supplier and the landscape in which it is operating. Instead of focusing solely on size or market share, businesses should be assessing a host of relevant considerations for IT suppliers, including system security, penetration test results, certifications, service level agreements, disaster recovery processes, and most importantly, jurisdiction-based considerations.
Let’s say you are evaluating the risk associated with a small-enterprise microchip supplier located in Japan. As part of the standard due diligence process, you will likely ask for information on any prior regulatory action that involves the supplier. But gathering publicly available information about regulatory action is particularly difficult in Japan.
A risk management platform that doesn’t provide the functionality to adapt procedures for cultural and jurisdictional differences – like this lack of public record availability – might automatically result in this business opportunity being blocked.
A flexible, risk-based approach can preempt that, using checks and balances that are proportionate to the shape, size and risk profile of your entire supply chain.
For instance, where information about a supplier isn’t available, an intelligent risk platform would recognise the issue and raise it as a red flag, escalating the matter to the relevant compliance decision-maker and presenting them with the information needed to make an informed decision. This ensures that all vetting decisions are properly informed and that businesses don’t miss opportunities to collaborate with the innovative technology providers they need for future success.
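To make the difference between the two approaches concrete, here is a small triage model written for this article; it is an added illustration, not code from the article or from any risk platform it refers to. It puts the rigid rule (any answer other than “yes” declines the supplier) beside a flexible scoring function that gives partial weight to missing evidence, records each gap as a red flag for a compliance decision-maker, and treats an unverifiable regulatory history differently where public records are known to be scarce. The question identifiers, weights, tier thresholds, jurisdiction list and sample suppliers are all constructed assumptions.

```python
"""Added example (not from the article or any product it mentions): a supplier
triage model contrasting a rigid one-size-fits-all rule with flexible,
jurisdiction-aware risk scoring. All weights, thresholds, question ids and
sample data below are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass
class Supplier:
    name: str
    jurisdiction: str   # ISO 3166 alpha-2 code
    answers: dict       # question id -> "yes" | "no" | "unknown"


@dataclass
class Assessment:
    score: float
    tier: Tier
    red_flags: list = field(default_factory=list)
    decision: str = ""


# Constructed questionnaire: control -> risk weight added when the control is absent.
CONTROL_WEIGHTS = {
    "external_audit": 2,
    "anti_bribery_assessment": 3,
    "modern_slavery_policy": 2,
    "pen_test_results": 3,
    "disaster_recovery": 2,
}
REGULATORY_ACTION_WEIGHT = 4

# Constructed list of jurisdictions where public regulatory records are hard to
# obtain, so a missing answer there is an expected gap rather than a warning sign.
LIMITED_PUBLIC_RECORDS = {"JP"}

LOW_MAX, MEDIUM_MAX = 3.0, 7.0   # inclusive upper bounds of the triage tiers


def rigid_decision(s: Supplier) -> str:
    """The one-size-fits-all rule: anything other than 'yes' everywhere is a decline."""
    controls_ok = all(s.answers.get(q) == "yes" for q in CONTROL_WEIGHTS)
    history_ok = s.answers.get("prior_regulatory_action") == "no"
    return "approved" if controls_ok and history_ok else "declined"


def flexible_assessment(s: Supplier) -> Assessment:
    """Triage scoring that turns missing evidence into an escalation, not a rejection."""
    score, flags = 0.0, []
    for q, weight in CONTROL_WEIGHTS.items():
        ans = s.answers.get(q, "unknown")
        if ans == "no":
            score += weight
        elif ans == "unknown":
            score += weight / 2          # partial weight until evidence is supplied
            flags.append(f"{q}: no evidence supplied")

    history = s.answers.get("prior_regulatory_action", "unknown")
    if history == "yes":
        score += REGULATORY_ACTION_WEIGHT
    elif history == "unknown":
        if s.jurisdiction in LIMITED_PUBLIC_RECORDS:
            # Expected gap: route to a human for a manual check, no score penalty.
            flags.append(f"regulatory history unverifiable in {s.jurisdiction}: manual check")
        else:
            score += REGULATORY_ACTION_WEIGHT / 2
            flags.append("regulatory history not confirmed although records are available")

    tier = Tier.LOW if score <= LOW_MAX else Tier.MEDIUM if score <= MEDIUM_MAX else Tier.HIGH
    if tier is Tier.HIGH:
        decision = "declined"
    elif flags:
        decision = "escalate"            # decision-maker sees the flags, not just a verdict
    else:
        decision = "approved" if tier is Tier.LOW else "approved_with_enhanced_due_diligence"
    return Assessment(score, tier, flags, decision)


# Constructed sample suppliers: a Japanese startup and an established UK vendor.
STARTUP = Supplier("Acme Chips KK", "JP", {
    "external_audit": "no", "anti_bribery_assessment": "unknown",
    "modern_slavery_policy": "unknown", "pen_test_results": "yes",
    "disaster_recovery": "yes", "prior_regulatory_action": "unknown",
})
INCUMBENT = Supplier("MegaCorp plc", "GB",
                     {**dict.fromkeys(CONTROL_WEIGHTS, "yes"), "prior_regulatory_action": "no"})

if __name__ == "__main__":
    for s in (STARTUP, INCUMBENT):
        a = flexible_assessment(s)
        print(f"{s.name}: rigid={rigid_decision(s)} flexible={a.decision} "
              f"tier={a.tier.value} score={a.score}")
        for flag in a.red_flags:
            print("   flag:", flag)
```

Run as a script, the startup is declined outright by the rigid rule but lands in the medium tier with three red flags under the flexible one, so it is escalated rather than dropped; the incumbent is approved either way. The point of the design is the third branch: the same “unknown” answer is scored and flagged differently depending on whether the jurisdiction makes the answer knowable at all.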
In sum, the right platform, supported by the right technology, can help businesses work with more diverse suppliers without facing unforeseen supply-chain vulnerabilities or disruptions. In today’s business environment, that offers a win-win for all.