Vendor management and third-party risk

June 2024  |  SPOTLIGHT | RISK MANAGEMENT

Financier Worldwide Magazine

June 2024 Issue


Organisations do not operate in silos. Employees, suppliers, service providers, consultants, agents as well as clients and customers constitute the various stakeholders of any organisation. Each of these stakeholders contributes in some way or other to the success of an organisation.

While employees are key to the daily functioning of an organisation, suppliers, service providers, consultants and agents are a necessary plugin, whether it be for the provision of goods and supplies an organisation requires to function, or for the provision of services an organisation requires to effectively carry out its operations. Though the value of these stakeholders cannot be overstated, it would be remiss to ignore the fact that each of them poses varying degrees of risk to an organisation.

These risks emerge as a result of their interaction with an organisation, and include reputational risk as well as various types of commercial crime risks such as fraud, corruption, money laundering and cyber crime. In a world of increased financial and other economic pressures, organisations need to be cognisant of and prepared to meet these risks head‑on to protect themselves from falling victim.

The consequences of commercial crime can be severe and even crippling. While some organisations may be able to withstand such an incident, in severe cases the financial and reputational damage may curtail the ability to continue business operations.

Consequently, it is critical that organisations are fully aware of the various risks they face, so they can implement measures to mitigate them and protect their business operations. The increase of commercial crime globally warrants greater vigilance, as well as a deeper understanding of who you are doing business with.

In the realm of vendors and other third parties, organisations need to consider the specific types of risks these potential threat actors may pose. In relation to vendors, this is usually easier as organisations know the business relationship and are able to identify the specific risks these players may pose.

The situation becomes a little more difficult in relation to unknown third-party threat actors, specifically in the realm of cyber crime. However, even in such instances, the kinds of risks that unknown threat actors pose can be identified. Therefore, curtailing the risk posed by vendors and other third parties must be done in a way that effectively addresses risks posed by both known and unknown third parties.

The task may seem daunting at first, but a pragmatic approach makes it much easier. It is advisable to start simple and build from there. The entire process and the measures adopted should be meaningful, practical, targeted and effective.

A starting point is to conduct a detailed risk assessment of the various risks faced by the organisation. This should be done holistically, to delineate areas or processes that pose a higher risk.

For example, finance and procurement functions are generally high risk for fraudulent conduct by both internal and external threat actors. A risk assessment should take into account various factors, including geographic location of operations, size and nature of the business, types of interaction with third parties, and controls and measures currently in place within the organisation.

It is also important to ensure that whatever measures are implemented meet any applicable legislative and regulatory requirements. For example, any measures to curtail anti-corruption risk should be consistent with anti-corruption legislation in jurisdictions where the organisation conducts business.

An effective risk assessment will reveal areas of low, medium and high risk within the business. It will also highlight which, or which types of, vendors and third parties pose the most risk. The organisation can then focus more of its resources and measures on addressing areas of high risk, and dedicate appropriate resources to manage medium and lower risks. This ensures an efficient use of time and resources.

Careful consideration needs to be given to appropriate measures and controls to manage the risks identified. Various measures may be implemented, all of which will be informed by the specific nature of each risk.

Some measures may include effective due diligence and monitoring of third-party suppliers, training employees on specific red flags to look out for, specific indemnities or contractual undertakings in agreements with vendors and third party business partners, appropriate segregation of duties, and checks and balances.

Many organisations opt to send vendors a basic questionnaire to obtain limited company information about them. Once the questionnaire has been completed and submitted, the enquiry ends and the third party is then onboarded.

But this simple exercise gives organisations a false sense of security. Too much reliance is placed on the information provided by the third party itself. The concept of due diligence is, in contrast, based on ‘doing one’s homework’ or ‘thinking things through’.

Therefore, it is important to verify the information received from a third party during its onboarding process, and to search for information about them in the public domain.

This may include: (i) verifying the identity of the third party’s directors; (ii) identifying whether the entity is involved in any litigation which may have a bearing on its ability to do business with the organisation; (iii) identifying whether any politically exposed persons are linked to the third party to warrant further scrutiny; and (iv) determining whether it may be a sanctioned entity.

Visiting the third party’s listed business address is also a useful part of due diligence, to verify the entity’s operations.

Meaningful due diligence allows an organisation to manage its relationship with a third party effectively and to keep the identified risks under control. The organisation can walk away if the risks pose too much of a threat. It is also important to have a system in place to monitor relationships with third parties, including periodic due diligence, as their risk profile will change over time.

Actively curtailing vendor and third party risk requires a holistic approach, as well as recognition that risks will evolve over time. Failing to give risks due consideration and attention could be detrimental to even the best organisations.


Zaakir Mohamed is a director at CMS RM Partners Inc. He can be contacted on +27 63 620 6022 or by email: zaakir.mohamed@cms-rm.com.

© Financier Worldwide



