Top Supplier Risks and What to Do About Them

ESG Risks

ESG risks are those connected to a third party’s environmental, social, and governance practices. In many cases, ESG risks can be hard to detect until they reach the front pages of major news sites, so your company’s reputation may already be tarnished. ESG risks are rising as corporate environmental and labor records face increasing scrutiny from regulators, auditors, and consumers.

Environmental Risk

Environmental criteria such as energy usage, waste, pollution, and natural resource consumption evaluate a firm's sustainability performance. Many organizations have recently come under fire for poor environmental practices, and companies are increasingly being scrutinized based on how they respond to climate change. Third parties need to be rigorously evaluated based on their environmental practices and whether sourcing their raw materials is sustainable.

Social Risk

Social criteria assess how a firm handles relationships with workers, suppliers, customers, and local communities in areas such as diversity, human rights, and consumer protection. Social responsibility is becoming increasingly important for vendors. Companies should carefully evaluate potential vendors for human rights violations such as modern slavery before signing a contract. Social risk can pose substantial disruptions to organizations that fail to account for it.

Governance Risk

Governance deals with a company’s management, executive pay, audits, internal controls, and shareholder rights. Poor management practices such as tax avoidance, bribery, and a lack of diverse hiring practices can severely damage a company's reputation and that of the companies that do business with it, both up and down the supply chain.

Mitigating Supplier ESG Risks

ESG risks can be difficult to mitigate due to their multi-faceted nature. As with financial risk, it’s important to include ESG reviews for prospective vendors during the initial due diligence process – before signing any contracts.

Also, since multiple ESG-focused regulations are now holding companies accountable for issues like bribery and slavery in their supply chains, conducting relationship mapping and 4^th- and Nth-party risk analysis is critical to uncover any potential supply chain issues that could shed negative light on your organization.

Don’t Overlook ESG During Procurement: To quickly check prospective vendors' ESG risk (or catch up on existing vendors), consider subscribing to a vendor risk intelligence network. These networks are repositories of on-demand supplier risk reports compiled from completed assessments and external monitoring data. A good network will provide insights across several types of risk, including ESG.

Include ESG Questions in Periodic Risk Assessments: For a more custom look at ESG risk at your existing vendors, you can conduct questionnaire-based supplier risk assessments. With the right TPRM platform, you can automatically map assessment responses to your business requirements and several industry and government regulations.

Recognize ESG Risks Can Surface at Any Time: Stay on top of ESG-related events as they surface by conducting continuous third-party risk monitoring across your supplier ecosystem. Risk monitoring solutions can correlate research from thousands of sources to identify everything from negative press to compliance violations affecting your suppliers.

Cyber Security and Compliance Risks

While vendor financial and reputational risks can severely impact your business, supplier risk often makes headlines when third-party breaches occur.

Data and Privacy Risks

Data breaches can jeopardize personally identifiable data (PII), protected health information (PHI), intellectual property, or any other sensitive information you entrust to your suppliers for handling or storage. They can result from concerted attempts by attackers to exploit vulnerabilities in supplier systems or from mishandled data. For instance, Morgan Stanley was recently fined $60 million by the OCC for failing to properly oversee and conduct due diligence on a third-party supplier responsible for decommissioning some of the company’s IT hardware.

IT System and Critical Infrastructure Risks

Cyber security breaches can result in stolen data and damaged or disrupted vendor computer networks, supervisory control and data acquisition (SCADA) systems, or other IT systems. Ransomware attacks like the Colonial Pipeline and Kaseya breaches, which affected managed service providers and their customers, are just one example of how attackers can halt your suppliers’ IT operations.

Compliance Risks

While compliance is a factor for almost all risk categories in this article, most regulations with implications for third-party risk management focus on data security and privacy. For instance, many government and industry requirements – such as GDPR, HIPAA, CCPA, and others – place strict controls on how and when data can be shared with third parties. Even unknowing violations can result in severe financial and, in some cases, criminal penalties.

Mitigating Cyber Security and Compliance Risks

Compared to financial and ESG risks, exposures from IT security vulnerabilities and missing or improper security controls can be more straightforward to identify and address with vendors and suppliers. Below are some best practices for revealing and mitigating third-party information security risk to a residual level your organization can accept.

Make Friends with Your CISO: Working with your chief information security officer (CISO) and their team is critical to success here. Involve them in every step of the TPRM process. Familiarizing yourself with cyber security guidelines like those outlined in the NIST report, Key Practices in Cyber Supply Chain Risk Management can give you a point of reference for collaborating with your security team.

Align with a Framework: Your IT security team should have an established set of guidelines and required controls for any supplier with access to your systems or data. Aligning with an established IT security framework, such as those outlined by NIST or ISO, will save you and your suppliers a lot of headaches vs. starting from scratch. When combined with any applicable compliance requirements, a standardized framework will provide a solid foundation for building your vendor risk assessment questionnaires. Better yet, use a TPRM platform with ready-built questionnaires that map to frameworks and regulations out of the box.

Mind the Gap Between Assessments: While periodic questionnaire-based assessments are great for identifying whether your suppliers have the right IT security controls in place, they aren’t a panacea. To get a complete picture of third-party data and privacy risks, you’ll also want to conduct continuous cyber risk monitoring of your critical suppliers. With the right vendor risk monitoring solution, you can comb the public-facing internet, deep web, and dark web to uncover vulnerabilities and evidence of data breaches affecting your suppliers. The cyber risk environment constantly evolves, so monitoring will help you maintain situational awareness between assessments.

Next Steps for Reducing Supplier Risk

The modern economy has made managing supplier risks not only extremely important but also very difficult. In many cases, companies are at the mercy of opaque and complex supply chains that are impossible to fully understand. However, by understanding supply chain risk and applying risk management best practices, you can mitigate unacceptable levels of risk and ensure that your supply chains can withstand unexpected shocks.

Prevalent makes it easy to manage third-party and fourth-party risk throughout your supply chain. Our supplier risk management solution unifies automated risk assessment with continuous cyber, financial, and reputational monitoring for a 360-degree view of supplier risk. Request a demo today to see if Prevalent is a fit for you.