A supply chain risk manager at Lloyds Banking Group (LBG) has described the benefits of identifying the “critical suppliers to our critical suppliers”.
Dan Jones, risk manager in the group sourcing and supply chain management team at LBG, said the project to identify “fourth-party” risk had proved invaluable in the face of cyber security breaches and the coronavirus pandemic.
Speaking at the CIPS Supply Management Forum, Jones said: “Never before have supply chains been such a high profile risk, and supply chain resilience is top of the agenda with our regulators and our senior execs.”
Jones described how LBG launched a pilot project in 2018 to “identify critical suppliers to our critical suppliers and to answer the board question, ‘Do we have a fourth party concentration risk?’”
Fourth parties are defined as those representing data, cyber, conduct or resilience risk, and they include subcontractors and outsourcers.
A questionnaire was designed and sent out to 100 suppliers asking them to declare fourth parties that represented one or more of the four risk areas.
Jones said a key design principle in the project was that third parties were responsible for managing fourth parties on LBG’s behalf.
“All the new processes and data we introduced should allow our supplier managers to monitor that the third parties are doing this effectively for us,” he said.
In 2019 it was decided to make the process part of normal working practices and an automated solution was considered that collected data from public sources such as audited accounts, regulatory filings and press releases.
However the data was not as useful as that produced in the pilot so a questionnaire-based approach was adopted. Guidance was issued to supplier managers and a fourth-party risk dashboard was set up.
Jones said: “It has been extremely useful in reacting to external events. So where there is a major cyber security breach in the press we can very quickly analyse the data to see if there are any third parties using that effective fourth party and we’ll try and understand if there’s been any impacts.”
Concerning Covid, he said: “We could identify fourth parties operating out of China, Italy and other affected regions. We could check with third parties to see if their fourth party was still operating and try to mitigate the impact to customers.”
Louise Waite, supply chain management and assurance director at LBG, said the organisation had an annual spend of £5bn with 3,000 suppliers.
She said suppliers were segmented according to risk and the fourth-party project involved 200 suppliers in the top risk tiers.
Waite admitted identifying fourth-party risk could slow down the onboarding process, but better planning and the involvement of procurement earlier in the process could mitigate this.
“As that regulatory stakeholder expectation around the amount of diligence that goes into supplier onboarding increases, there is clearly a risk that that slows things down, makes it more difficult to be agile. I don’t think there’s a magic bullet,” she said.
“That intensity of due diligence is warranted for the right types of engagements where you almost can’t afford not to, even if that does mean you have to take it slower.”
☛ Want to stay up to date with the news? Sign up to our daily bulletin.