Organisations must improve supply chain visibility and invest in crucial areas such as labour rights and geopolitical risk in order to manage third-party supplier failure.
A survey, conducted by Deloitte, found over eight in 10 (83%) organisations had experienced a third-party incident, such as a supplier losing data after falling victim to a cyber attack, in the last three years.
Almost half of those incidents (46%) in turn resulted in moderate to high business impact including “significant impairment to customer service, material financial losses, reputational damage or a regulatory breach”.
Organisations are underinvesting in crucial risk areas including labour rights (where just 18% are investing) and geopolitical risk (12%). Instead, company investment is skewed towards information security (68%) and data privacy (62%).
Kristian Park, extended enterprise risk management partner at Deloitte, said that, with the rising number of cyber attacks and legislation such as the General Data Protection Regulation (GDPR) coming into force, it made sense for companies to focus their investment on areas such as information security and data privacy.
“However, visibility in areas such as labour rights within a parent company’s supply chain – particularly as regulation to combat modern slavery grows across the world as recently seen in Australia – is grossly lagging behind,” he said.
“The same goes for areas like health and safety and geopolitical risk as tensions over trade wars continue, as well as financial viability and concentration risk, where systemic failures as a result of overreliance are possible.”
Only 50% of organisations are currently spending $1m annually on managing third-party risks, and just 11% – typically large and complex organisations – are spending over $10m each year and have employed up to 100 staff to manage risks.
Despite the high number of businesses feeling the effects of third-party failure, only one in 10 organisations (10%) said they had a reasonable ongoing knowledge and awareness of the subcontractors engaged by their third-party suppliers.
Only 2% of those organisations state they identify and monitor all subcontractors. The remaining 8% said they do so for their most critical relationships, including IT services and vital infrastructure.
Park said companies are “increasingly relying on an ever-growing number of third, fourth and fifth parties” to supply everything from office stationery to bespoke services.
However, many organisations do not have appropriate oversight of what is happening across their organisations, “leaving them exposed to potential failures they may be held accountable for,” he continued.
“With Brexit looming on the horizon, for those companies operating in the UK it’s more important than ever to have sufficient oversight of supply chains and any potential risks.
“Those who do so can not only proactively manage any goods or services that may be impacted in the short term, but also respond much quicker to any necessary changes – like meeting new regulations – that could lie ahead,” he concluded.
Gaining supply chain visibility and investing in managing third-party risk could save organisations from large fines.
Data from Deloitte in 2015 revealed fines issued directly as a result of third-party failures in the UK ranged from £1.3m to £35m and reached up to £650m for firms operating internationally.