Assessing, Monitoring and Mitigating Third Party Risks

Of all the strategies in commerce today, outsourcing receives some of the closest scrutiny. We have seen it become a topic in presidential elections and it frequently makes media headlines. Further, whenever it is discussed it is almost always placed in a bad light.

That fact alone demonstrates that outsourcing carries risks. Much outsourcing is conducted directly with a supplier, but overseas third-party outsourcing is commonplace as companies become involved in joint ventures; hire agents, consultants, and contractors; sell through distributors; and buy from vendors.

In 2013 when a factory collapsed in Dhaka, the capital of Bangladesh, more than a thousand workers died. They had been making garments for J.C. Penney, Walmart, Matalan, and Benetton, among others. Officials at Walmart said they were unaware that the factory had been producing garments for their stores. This shined a light on the need for companies to understand and mitigate the risks they take with third-party suppliers.

Even for many smaller companies, globalization has greatly increased the length and breadth of supply chains, which in turn has heightened the importance of risk management within procurement. Therefore, successful third-party outsourcing needs to look far beyond first-year cost savings and become focused on achieving the best long-term risk-adjusted rate of return, according to Ravi Aron, Eric K. Clemons, and Sashi Reddi in their paper, “Just Right Outsourcing: Understanding and Managing Risk,” which appeared in Journal of Management Information Systems, Vol. 22, No. 2 (Fall, 2005).

Depending on the nature of your business and your outsourcing partners, risks can include:

  • Exploitation by your supplier
  • Exchange rate changes
  • Questionable sovereignty and stability
  • Losing capability in-house
  • Damage to reputation
  • Exposure to and complicity in corruption

As you can see from this list, significantly more parties must become involved in any risk management process than were required not long ago, when perhaps the only departments working in this area were procurement and quality assurance. Today financial, operations, legal, environmental, reputation management, and technology management often have roles to play if a risk management plan is to be comprehensive. Some of the topics in the list above are beyond the scope of this article. For example, the highest levels of management need to decide if a country’s sovereignty is sufficiently stable to warrant business relationships. Of course, long-term exchange rate predictions are at best an educated guess.

However, some solid approaches to assessing many areas of risk and applying the right management systems to these areas can help minimize the overall risk and approach the “best long-term risk-adjusted rate of return,” which should be the goal when outsourcing.

Define and assess both risks and roles

The first step is to make a holistic assessment of potential risks when considering engagement with any third party. It might not be immediately clear which of your departments are responsible. Enumerating the risks and deciding whose role it is to monitor each of these is a critical first step.

As part of defining roles, it’s important that contract language is made to reflect modern realities. In its white paper on managing third-party relationship risks, accounting and consulting firm Crowe Horwath points out that some standard contracts limit auditing to issues that deal with pricing and costs. With so many more issues at stake today, the areas open to auditing must be more broadly defined, including, for example, a supplier’s data, sourcing, production processes, and IT safeguards.

When buy-in has been achieved by all departments involved, each area of risk needs to be evaluated and quantified. Areas of inherently higher risk receive the greatest attention as a road map for moving forward is developed.

Working with the third party

Often there are cultural differences that need to be bridged in these relationships, and it’s important that supply chain partners are acquired who share your desire for a long-term relationship and understand the vigilance you will demonstrate as you work together. There should be a formal onboarding process when new third-party relationships are being considered. All parties must understand that in a variety of areas, including reputation management, bribery, and corruption, the success of the relationship will be judged on your company’s cultural and legal standards.

These are principles that must be reflected in the “letter” of the contracts as well as the “spirit” of the ongoing relationship. With contracts in place, a system of audit-monitor-assess becomes the standard. Crowe Horwath points out that the companies that are most successful at this process are those that work to enhance the data they have about their working relationships. This enables them to more accurately predict areas of risk.

In the process of working together with third parties, it is your responsibility to provide sufficient information and training to be sure that your contractors meet the standards required by your compliance program and commitment to ethical business and employment practices. Not only should contractors have written policies in place, but your audit-monitor-assess routine should also ensure that employees receive adequate training and that policies are, in fact, followed.


For many, establishing a program to effectively monitor third-party relationships will not require a great investment of either personnel or capital. However, failing to ensure the compliance of this growing group in your supply chain can cost you dearly. It’s better to establish these relationships understanding each situation and taking control at the outset.
