Third party failure “could cause shareholder losses of up to ten times the regulatory fine” warns Deloitte

Regulatory action and reputational damage arising from third party actions could cost organisations’ shareholders an average of ten times the size of the fine itself as the market value of the company is impacted

Regulatory action and reputational damage arising from third party actions could cost organisations’ shareholders an average of ten times the size of the fine itself as the market value of the company is impacted. This is the stark warning issued by business advisory firm Deloitte.

Deloitte’s research report – entitled ‘Third Party Governance and Risk Management: Turning Risk Into Opportunity’ – highlights the average combined direct fine and remedial costs of failing to appropriately identify and manage third parties. This has ranged from £1.3 million to £35 million before the cost of indirect losses, such as reduced sales and reputational damage.

Where legislation applies on a global, cross-industry basis to businesses operating internationally, the range is far higher, reaching as high as £650 million.

Deloitte states that the negative impact on share price itself is an average of 2.55%.

However, Deloitte estimates that organisations could gain competitive advantage over their peers, outperforming them by an additional 4%-5% return on equity by adopting effective third party governance and risk management (TPGRM).

In the case of Fortune 500 or Financial Times 500 (FT500) companies, this could mean an average uptick in earnings (EBITA) of between £17 million and £350 million.

Kristian Park, partner and global head of third party governance and risk management (TPGRM) at Deloitte, explained: “It’s not all doom and gloom for organisations reliant upon the services of third parties. Headline stories depicting regulatory action and reputational damage have caused many to reconsider their approach towards third party management. Those that adopt a proactive and leadership-led approach stand to unlock significant gains by turning risk into opportunity.”

Park continued: “Good governance and risk management isn’t about eliminating the risk of doing business with third parties, but rather managing it appropriately. An effective TPGRM structure will seamlessly incorporate the right structures, processes, people and technology into the business and ensure consistent use throughout the organisation.”

Implementing Best in Class TPGRM

The Deloitte study provides seven elements towards implementing a Best in Class TPGRM. They are:

* Governance structure: Strong governance structures are those that manage third party risk at an enterprise-wide level and have dedicated and empowered senior level teams in place to drive consistent behaviours throughout the organisation

* Ownership (clarity of roles and responsibilities): The extent of ownership of performance and oversight of the TPGRM framework should be known by those tasked with it and kept up-to-date to avoid an inability to manage risk in the event of staff departures or role changes

* Stakeholder engagement (awareness and commitment): An effective TPGRM programme will ensure an organisation’s people are aware of its processes and, crucially, understand how they are followed. Internal compliance is also key and dependent on the quality of ‘back-end monitoring’

* Capability: Ensuring that the most appropriate individuals with decision-making authority are allocated ownership for tasking TPGRM efforts. Such individuals will have the competencies and skills needed to apply judgement in line with business requirements and risk management needs

* People and skills: Linked to the above, resourcing the right individuals will ensure that skills, experience and seniority are compatible with TPGRM demands

* Process: Good processes are not only robust, clear and achievable, but also aligned with the organisation’s stated risk appetite. The most optimised processes will provide a positive experience for both businesses and third parties

* Technology: Having the right technology in place seamlessly supports a TPGRM framework from inception to exit of a third party. At the very highest level, this would also include the ability to manage third parties at both an engagement and relationship level, in turn exploiting all opportunities arising from the extended enterprise

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.