Your Weakest Link – Planning, Evaluating & Selecting a Third Party Arrangement

In 1786, Thomas Reid’s “Essays on the Intellectual Powers of Man” was published with this statement: “The chain is only as strong as its weakest link, for if that fails the chain fails and the object that it has been holding up falls to the ground.” After Cornhill Magazine reprinted it in 1868 as “a chain is no stronger than its weakest link,” industries adopted the adage and began to utilise it to describe risks that could make a business fail.

Broadly speaking, the extended enterprise represents all parties who directly or indirectly collaborate in the design, development, production, and delivery of a product or service to the end user. Within the extended enterprise, third parties made up of, amongst others, product suppliers, service providers, business partners, joint-ventures, agents, intermediaries, and their subcontractors, link together to create a chain that stretches across the globe. That chain creates a vast interdependence of products, services, and third-party risk.


The Third-Party Lifecycle


The extended enterprise is critical to the sustainable delivery of products and services, placing effective extended enterprise risk management at the heart of your company’s operational and financial viability. By integrating your risk management framework into a series of stages, collectively called the Third-Party Lifecycle, oversight of third-party risks becomes less daunting.


Before entering an arrangement, you should consider the risk profiles of third parties, including those risks that could affect strategy, operations, reputation, and financial sustainability. Every third-party arrangement is unique, and some arrangements are likely significant to the success of your company. These arrangements can become core to your operation and a vital part of your company’s risk management system.

The extended enterprise defines your company’s ecosystem of third parties that extend the reach of your own enterprise. In the ecosystem of arrangements with third parties, it is beneficial to understand a combination of the Third-Party Lifecycle and the risk management process, which exists to identify, assess, manage, monitor, and govern third-party arrangements.

In this blog, the first of a three-part series, we discuss the Plan, Evaluate, and Select stage of the third-party lifecycle. While there are synergies in the adoption of risk management practices across third-party types, this blog series focuses on the risk management of supplier arrangements only.

This stage helps you understand the strategic implications of your supplier arrangement and what risks you are taking in pursuit of the arrangement’s benefits. To provide a coherent method for balancing strategic and commercial advantages, you will need to integrate risk identification and assessment processes into the procurement competitive bid and evaluation process. This will deliver greater intelligence into the amount of risk being taken versus the potential for rewards and ways in which the risk may be managed. Similarly, each stage of the lifecycle has potential risk that may hinder an arrangement and must be managed.

It is important to remember that supplier risk management practices should be proportional to the materiality and risk profile of each arrangement. These activities are usually set out in policies, processes, and procedures, promoting enterprise consistency in the adoption of risk management activities within the Third-Party Lifecycle.

Here, we set out some recommended actions fitting for material and high-risk supplier arrangements[1], providing you with the opportunity to benchmark your supplier risk management activities with good and evolving industry standards. These key activities within the Plan, Evaluate, and Select stage will exhibit your confidence in achieving strategic, operational, and financial returns in a risk conscious manner to your investors and Board while promoting safety and soundness within your extended enterprise.


Planning


Allowing unrushed time to develop your plan will benefit you throughout the third-party lifecycle. As the saying goes, “if you fail to plan, you plan to fail”. This is true in the context of entering into new supplier arrangements – particularly where those arrangements are material or high-risk to your company’s business strategy or operational or financial resilience. During planning and evaluation, identify, assess, and weigh the risks against the expected benefits of each potential third party to determine whether the risk is acceptable for the intended gains to be realised through the arrangement. Below are some key examples of planning activities to be undertaken:


  • Establish a clear understanding of the supplier strategy linked to the strategic, operational and financial objectives of your company’s operations, products, or services.
  • Understand the implications of the supplier arrangement to the future viability of your business plan, products, or services.
  • Assess the inherent risks to identify those risks presenting greatest exposure to your customers, your company’s safety and soundness and wider industry stability (particularly relevant for companies operating within a supply chain).
  • Promote constructive challenge from the Board on the strategic risks, related implications, and contingency arrangements in the case of severe but plausible scenarios of supplier failure (from financial failure of the supplier to material deficiencies in the supplier’s ability to maintain sustainable operations). The Board should play a critical role in determining the adequacy of senior management’s understanding of the risks and the preparedness of mitigating actions to reduce harm to customers, investors, and wider industry stability (particularly relevant for companies operating within supply chains).

As part of planning, senior management must consider various factors to determine the right strategy for the company. Key factors to consider are:

  • Existing and maturing capabilities of suppliers within the industry to meet the current and changing needs of your business (aligned to your company’s business strategy and plan)
  • The ability of your company to realise intended gains
  • The reputation of suppliers within the industry
  • Pricing models and commercial competitiveness with a lens on the total cost of ownership (e.g. transactional pricing, setup costs, maintenance costs, transportation costs, and when disruptions occur, contingency and recovery)
  • The risk management maturity of suppliers within the industry and the alignment of risk management capabilities to the standards of risk management set within your company

The collection of this information is vital to understanding the broad capabilities of suppliers within the industry while promoting a balanced and objective assessment of the opportunities weighed against the risks. The outcomes of planning will provide necessary insights to establish proportionality in evaluation and selection and encourage an “eyes wide open” approach to constructing any potential supplier arrangement to uphold and protect the strategic, operational, financial, and reputational interests of your company.


Evaluation


Evaluation involves conducting due diligence of shortlisted third parties to gain an intimate understanding of their business. This phase gives you a window into what “married life” would be like. As we set out in planning, the risk management evaluation of suppliers should be benchmarked against the risk management standards within your company, promoting consistency in risk management posture across the extended enterprise. Key activities include evaluating:


  • The supplier’s health profile to determine their past, current, and forecasted financial health, including transparency in financial reporting, key adverse media (i.e. in the case of significant reputational incidents), key legal filings (intellectual property infringement, child labour use, etc.), and social media activity
  • The risk and control environment of the supplier to determine its design and effectiveness relative to the profile of inherent risks identified in planning
  • The supplier’s ability to respond to and recover from operational disruptions in a manner that minimises harm to customers, your safety and soundness, or wider industry stability (including the substitutability of critical technology platforms, production sites, and the use of scenario and stress testing to determine the level of stress in which disruption would become intolerable to your company, your customers, and investors)
  • Emerging industry and supplier-related risks and determining the plausible courses of treatment to pre-emptively mitigate such risks causing harm
  • The third party’s risk management capabilities to ensure your company complies with regulatory and legislative requirements
  • The supplier’s system of governance to determine the adequacy of Board and senior management reporting, oversight, and pre-emptive treatment of risks
  • Plausible exit strategies, including orderly and disorderly exit strategies[2], ensuring your company’s interests are firmly protected during the transition of products or services either in-house or to an alternative supplier.

When planning and evaluating go wrong
Last year, one international fast food chain ran out of one of its main ingredients, causing a major impact on organisational resilience. The disruption began when a distribution company that generalised in cross-industry deliveries submitted a lower bid than the franchise’s prior food service industry distributor from South Africa. After the bid was accepted, the supply chain disruption evolved through the new distributor’s “operational issues”, which delayed its initial delivery of frozen chicken.


The operational issues were linked to a glitchy software program provided by an outsourced food distribution company (a “fourth party” or subcontractor), a rushed transition from the previous delivery company to the new one, and inadequate crisis management capability in responding to the problem. If, during planning for this selection, the C-Suite had recognised that every third-party arrangement is unique and had evaluated the third party more thoroughly, the evaluation and selection of their new delivery company may have resulted in an alternative outcome and avoided the resulting lost wages, lost income, and reputational harm, to name a few consequences.


Selection


The selection process brings your efforts in planning and evaluating together to ensure you balance strategic objectives, operational capabilities, and commercial and financial gains with informed risk insights.


When selection goes wrong
The medical industry believed it had made a cost-effective, efficient decision by moving the manufacturing of antibiotics to a few Chinese factories in a limited supply chain. However, the outbreak of COVID-19 and the lockdown of factories, ports, and cities across China revealed the problem with this decision, which has caused many companies and governments to suggest decoupling from China to diversify supplier arrangements. Prior to selection, if the geopolitical risks had been initially evaluated by the medical industry, and the risk profile of outsourcing primarily to China had been compared equally to the commercial value, some of the plants in other countries might have been considered less of to pre-mitigate risks that are now the foundation for concern. An objective and balanced assessment of risks associated with third parties will promote your ability to realise intended strategic benefits and help you understand how to address the risks in the subsequent Third-Party Lifecycle stages.


Conclusion


Material and high-risk supplier arrangements require careful planning and evaluation prior to selection. The question of make versus buy has challenged the strategic viability of companies for generations. What has changed? Companies realise that the pursuit of growth in a highly competitive and transformative world means exposure to new and emerging risks, but a proper foundation prior to entering a relationship can help mitigate harm. Part two of the “Your Weakest Link” series, published next week, will focus on risks and activities within the contracting and onboarding stage.

This publication contains general information only and Risk Panorama is not, by means of this publication, rendering business, or other professional advice or services. This publication is not a substitute for such professional advice or services; nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult with a professional advisor. Risk Panorama shall not be responsible for any loss sustained by any person who relies on this publication.
