Unmanaged third party risks now “costing businesses” warns MetricStream study

As companies outsource processes and services, they expose themselves to a plethora of third party risks. Whether in relation to data security, business disruption or compliance risk, organisations must have the relevant measures in place to mitigate their potential impact on business continuity and reputation.

A report just published by MetricStream shows that one-in-five (ie 21%) of those respondents to a recent survey suggest their organisation has faced significant risks due to third parties during the last 18 months. Of those that shared financial impact data on losses incurred, a quarter stated that the loss suffered was greater than a sum of £8 million (with losses generated through the cost of downtime, regulatory fines and reputational damage).

How Organisations Are Managing Third Party Risk also reveals that nearly three quarters (73%) of businesses don’t track fourth parties, meaning that they have no visibility past their immediate suppliers. This finding emphasises some of the concerns raised in the Business Continuity Institute’s latest Supply Chain Resilience Report which highlights the fact that only two-thirds of organisations maintain adequate visibility over their full supply chain.

French Caldwell, chief evangelist at MetricStream, commented: “As companies continue to outsource their processes and services in order to decrease costs, streamline or scale up quickly, they’re opening themselves up to risks. Despite some supplier incidents costing upwards of £8 million, 44% of the respondents in our study said that their business had no dedicated third party risk management function in place. Furthermore, as enterprises rapidly adopt cloud services, entities that would have been third parties when the services were managed in-house become fourth parties which are even more difficult to monitor.”

Caldwell went on to state: “Businesses can no longer plead ignorance. They’re responsible for the actions of their third parties and they’ll bear the brunt of any fall-out themselves. For example, if a business shares sensitive data with a third party without checking if it has relevant cyber security systems in place, and that supplier suffers a data breach, under some rules the company could then be liable. Not only will it suffer reputational damage, but new regulations such as the EU’s General Data Protection Regulation could see large fines imposed as well.”

Supply chain risks

In 2016, global supply chains continued to face a range of security, social responsibility and business continuity risks, with many of these issues provoked by one another. That’s according to the British Standards Institution’s (BSI) Global Supply Chain Intelligence Report.

The report notes multiple incidents that started out as a security, social responsibility or business continuity risk before cascading into other supply chain issues. The European migrant crisis is perhaps the best example of a type of event that began as a single security risk before building into a business continuity disruption as countries imposed border controls, which in turn was a situation exacerbated by blocked migrants looking for work and often falling victim to forced labour in certain nations.

As risks like the migrant crisis continue to evolve, it’s imperative that organisations work together to take an holistic risk management approach and ensure they’re informed and prepared to address multiple areas of concern.

Last year, Governments in Asia responded to increasing levels of supply chain risks, but many policies were merely reactive and often led to further threats to the integrity or continuity of the supply chain.

The BSI observed a shift in labour strike threats in China in 2016, driven mainly by concerted Government efforts to limit strikes in the country following years of increasing labour disruption.

Labour strikes still occurred in large numbers across China, but the volume of strikes dropped for the first time in recent years. Strikes at factories fell by 31%, with two-thirds of provinces witnessing a decline in manufacturing strikes. An emerging area of concern is the growth in strikes in the logistics sector, including trucking, shipment processing and delivery, which rose more than four-fold from nine incidents in 2014 to reach 40 last year.

Terrorist attacks in Europe

Europe experienced significant terrorist attacks last July (in Nice) followed by Berlin in December, along with dozens of counter-terrorism arrests being made across the continent. Those attacks in particular also underscored the threat that terrorists will exploit the supply chain to perpetrate their crimes.

In both cases, Tunisian men linked to the Islamic State in Iraq and Syria (ISIS) used cargo trucks to ram into crowds of civilians. The Berlin attacker even perpetrated an explicit disruption of the supply chain before the attack by hijacking a Polish tractor-trailer carrying a shipment of steel beams.

ISIS-linked plots involving similar timing and tactics are likely to continue challenging European security agencies into 2017.

Supply chains in the Americas faced a wide range of risks related to security, Corporate Social Responsibility and business continuity in 2016. Cargo theft remains a main concern for the Americas with the most dramatic increase in cargo theft rates being experienced in Rio de Janeiro. The year-over-year increase in cargo theft incidents in both Rio de Janeiro and Sao Paulo, combined with minimal efforts designed to curb the rate of theft, suggests that Brazil could see another year of increased cargo theft in 2017.

This year, the BSI expects continued threats of cargo theft and drug smuggling in the Americas and Europe, protests over wage and other labour issues across Asia and the persistent risk of terrorism, including terrorist targeting of the supply chain.

New initiatives to address security, social responsibility and continuity risks in many regions will undoubtedly require close monitoring to assess their effectiveness on the ground.

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting.

In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector.

In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award.

An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award.

Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site.

Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media.

Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014.

Related Posts