COVID-19, and measures to limit its spread, have led to unexpected border closures, regional lockdowns, facility shutdowns and quarantine mandates for workers causing a shortage of raw materials, reduced production levels and unprecedented supply-chain disruption and delays.
Spikes in demand for some goods and plummeting demand for others have further strained global supply chains. The shift to remote working for employees and online shopping for consumers introduced new cybersecurity, data privacy and IT risks for companies as well as their third-party vendors.
These rapidly changing conditions have upped the ante on third-party risk management. While emergency measures were instrumental in managing third-party relationships through the first half of 2020, taking a fresh look at the company’s vendors and supply chain is critical as companies prepare for the recovery phase and the new reality. According to a KPMG Board Leadership Center report, “Near- and longer-term challenges of COVID-19,” one-third of directors anticipate that the company and board will substantially reassess supply-chain and third-party risk as a result of COVID-19.
Key third-party risks to watch
Every company’s situation is unique, but a number of third-party risks, exacerbated by the COVID-19 operating environment and longer-term business model disruptions, may warrant particular attention by the company and the board, including:
• Supply-chain risk: Suppliers may face financial difficulties and severe impacts to operations due to COVID-19, opening up new vulnerabilities in the supply chain. Has the company conducted scenario modeling for the supply chain to understand critical risk points in the network? Is there an internal playbook to manage potential incoming waves of suppliers in distress?
• Business continuity and resiliency risk: COVID-19 has forced businesses to quickly modify their operations, impacting service delivery. How well have the company’s third parties executed against their business continuity plans and are their plans aligned with the organization’s?
• Financial risk: The increased costs of doing business in accordance with new health and safety guidelines, including personal protective equipment for employees, social distancing requirements in factories and stores and more stringent sanitation measures, coupled with reduced demand in some industries, have impacted the financial health of many organizations. Are any of the company’s most critical third parties at risk of becoming financially insolvent?
• Cybersecurity, data privacy and IT risk: According to a ZDNet report, cyberattacks have increased as an unprecedented number of employees have shifted to remote work and companies moved to engaging with customers online when possible. Are third parties still meeting their contractual agreements related to controls around cybersecurity, data privacy and IT? If not, what is the timeline for reconciling discrepancies?
• Geopolitical and environmental risk: Factors such as extreme weather events, geopolitical tensions (e.g., the U.S.-China trade war) and social unrest (e.g., the Hong Kong protests) may impact third parties operating in affected regions. Do the company’s third parties have contingency plans in the event of major disruptions to their operations (and their own supply chains)?
• Brand and reputation risk: The greatest reputational risk to the company may stem from third parties’ failure to deliver products and services — particularly those that have become critical during COVID-19. As demand for certain products and services has increased, what steps have been taken to better predict and monitor demand while improving supply chain agility? In addition, COVID-19 and protests for racial justice have sharpened public focus on issues such as health and safety and racial equity, which may raise new questions about risks stemming from third parties. Where do third parties’ standards and values around stakeholder issues diverge from those of the organization? How is management considering the practices of vendors and suppliers located in regions where stakeholder issues that are prominent in the United States have not yet come to the forefront?
Does the company, including the board, understand the full extent of its reliance on third parties?
According to financial software and risk solutions firm Refinitiv, the average company uses about 10,000 third parties, a significant challenge for any company to manage. The board should help ensure that management has complete visibility into all of the organization’s third- and fourth-party relationships, which are often siloed by business function, and is keeping the board apprised on the company’s third-party risk profile. The Institute of Internal Auditors’ report “OnRisk 2020” shows that board members tend to be more optimistic than the C-suite or chief audit executives about their organizations’ capability to manage third-party risk, possibly due to limited understanding of the company’s dependency on third parties or a misconception that outsourcing processes transfers their risks.
Are the company’s critical suppliers financially stable and able to weather economic stress and uncertainty?
As many companies have seen firsthand during COVID-19, economic stress and uncertainty may undermine a supplier’s ability to operate and deliver on its commitments. Monitoring the financial health of suppliers — including cash flow and other key performance indicators — can help flag potential supply-chain interruptions. More broadly, is management addressing supplier vulnerability in a proactive way, such as identifying the company’s most critical suppliers, balancing the mix of just-in-time and just-in-case suppliers, and considering how the company’s payments terms impact the viability of suppliers (upstream and downstream) during an economic crisis?
How has the company’s third-party risk profile changed and has management’s risk assessment changed to keep pace?
In light of increased risks stemming from COVID-19 related to the supply chain, business continuity and resilience, financial health, cybersecurity/data privacy/IT protocols, geopolitical turmoil and brand/reputation, among others, management should reassess each third party’s risk profile — measuring both the risk’s likelihood of occurring and potential impact, financial and nonfinancial. Risk mitigation efforts should be prioritized around those third parties determined to be the most critical to the company’s strategy. Boards should probe whether the company is leveraging technology to automate risk-monitoring and data-gathering processes where possible. Just 24% of respondents to a KPMG International survey of senior third-party risk management (TPRM) executives said that their organizations are using automation to enhance efficiency in the TPRM program by carrying out routine tasks.
COVID-19 has highlighted today’s heavy and expanding reliance on third-party relationships and is prompting boards to sharpen their focus on the company’s third-party risk profile. Robust reports from management — based on close monitoring of third parties and their risk profiles — will be pivotal to effective oversight, from minimizing financial and operational hiccups to helping ensure the long-term competitiveness and viability of the business.
Tarun Sondhi is a principal in the Cyber Security group of KPMG LLP.