Unmanaged third party risks now “costing businesses” warns MetricStream study

As companies outsource processes and services, they expose themselves to a plethora of third party risks. Whether in relation to data security, business disruption or compliance risk, organisations must have the relevant measures in place to mitigate their potential impact on business continuity and reputation.

A report just published by MetricStream shows that one in five (i.e. 21%) of the respondents to a recent survey suggest their organisation has faced significant risks due to third parties during the last 18 months. Of those that shared financial impact data on losses incurred, a quarter stated that the loss suffered was greater than £8 million (with losses generated through the cost of downtime, regulatory fines and reputational damage).

The report, How Organisations Are Managing Third Party Risk, also reveals that nearly three quarters (73%) of businesses don’t track fourth parties, meaning that they have no visibility past their immediate suppliers. This finding emphasises some of the concerns raised in the Business Continuity Institute’s latest Supply Chain Resilience Report, which highlights the fact that only two-thirds of organisations maintain adequate visibility over their full supply chain.

French Caldwell, chief evangelist at MetricStream, commented: “As companies continue to outsource their processes and services in order to decrease costs, streamline or scale up quickly, they’re opening themselves up to risks. Despite some supplier incidents costing upwards of £8 million, 44% of the respondents in our study said that their business had no dedicated third party risk management function in place. Furthermore, as enterprises rapidly adopt cloud services, entities that would have been third parties when the services were managed in-house become fourth parties which are even more difficult to monitor.”

Caldwell went on to state: “Businesses can no longer plead ignorance. They’re responsible for the actions of their third parties and they’ll bear the brunt of any fall-out themselves. For example, if a business shares sensitive data with a third party without checking if it has relevant cyber security systems in place, and that supplier suffers a data breach, under some rules the company could then be liable. Not only will it suffer reputational damage, but new regulations such as the EU’s General Data Protection Regulation could see large fines imposed as well.”

Supply chain risks

In 2016, global supply chains continued to face a range of security, social responsibility and business continuity risks, with many of these issues provoked by one another. That’s according to the British Standards Institution’s (BSI) Global Supply Chain Intelligence Report.

The report notes multiple incidents that started out as a security, social responsibility or business continuity risk before cascading into other supply chain issues. The European migrant crisis is perhaps the best example: it began as a single security risk, then built into a business continuity disruption as countries imposed border controls. That situation was in turn exacerbated by blocked migrants looking for work and often falling victim to forced labour in certain nations.

As risks like the migrant crisis continue to evolve, it’s imperative that organisations work together to take a holistic risk management approach and ensure they’re informed and prepared to address multiple areas of concern.

Last year, Governments in Asia responded to increasing levels of supply chain risks, but many policies were merely reactive and often led to further threats to the integrity or continuity of the supply chain.

The BSI observed a shift in labour strike threats in China in 2016, driven mainly by concerted Government efforts to limit strikes in the country following years of increasing labour disruption.

Labour strikes still occurred in large numbers across China, but the volume of strikes dropped for the first time in recent years. Strikes at factories fell by 31%, with two-thirds of provinces witnessing a decline in manufacturing strikes. An emerging area of concern is the growth in strikes in the logistics sector, including trucking, shipment processing and delivery, which rose more than four-fold from nine incidents in 2014 to reach 40 last year.

Terrorist attacks in Europe

Europe experienced significant terrorist attacks in Nice last July and in Berlin in December, along with dozens of counter-terrorism arrests made across the continent. Those attacks in particular also underscored the threat that terrorists will exploit the supply chain to perpetrate their crimes.

In both cases, Tunisian men linked to the Islamic State in Iraq and Syria (ISIS) used cargo trucks to ram into crowds of civilians. The Berlin attacker even perpetrated an explicit disruption of the supply chain before the attack by hijacking a Polish tractor-trailer carrying a shipment of steel beams.

ISIS-linked plots involving similar timing and tactics are likely to continue challenging European security agencies into 2017.

Supply chains in the Americas faced a wide range of risks related to security, Corporate Social Responsibility and business continuity in 2016. Cargo theft remains a main concern for the Americas, with the most dramatic increase in cargo theft rates being experienced in Rio de Janeiro. The year-over-year increase in cargo theft incidents in both Rio de Janeiro and Sao Paulo, combined with minimal efforts designed to curb the rate of theft, suggests that Brazil could see another year of increased cargo theft in 2017.

This year, the BSI expects continued threats of cargo theft and drug smuggling in the Americas and Europe, protests over wage and other labour issues across Asia and the persistent risk of terrorism, including terrorist targeting of the supply chain.

New initiatives to address security, social responsibility and continuity risks in many regions will undoubtedly require close monitoring to assess their effectiveness on the ground.

About the Author
Brian Sims BA (Hons) Hon FSyI Editor, Risk UK Pro-Activ Publications
