Third-Party Risks that Should be on Your 2024 Radar

Reputational Risk in the Supply Chain

Reputational risks encompass threats to the name, goodwill, or credibility of a business that can ultimately affect its revenue. While reputational risk is difficult to quantify and comes in many forms – whether self-inflicted or from third-party business associations – it can spark business disruptions, fines, penalties, and lost revenue that are equally as severe as more tangible risks.

Supplier reputational risks include:

• Lapses in ethical conduct or legal and regulatory findings, such as when a supplier is penalized for using illegal child or forced labor to produce goods.
• Doing business with sanctioned companies or individuals, such as those on the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) list or United Kingdom Sanctions List.
• Working with a state-owned enterprise in a country that is suspected of sponsoring terror, or where bribery or corruption is common.
• When a politically exposed person (or PEP) working for a supplier has been compromised.

Negative news or adverse media coverage of unethical hiring practices, product quality issues, criminal activities, and environmental disasters also count as reputational risk. These adverse events can trigger pressure campaigns on organizations doing business with the supplier. The problem is that reputational risk is nebulous to monitor and account for, in addition to being difficult to spot. Further, the impact of negative press can be difficult to quantify on your business. Despite this, brand reputations have become more important in the past few years as a reflection of business success.

In response to these reputational risks, organizations need to implement comprehensive supply chain partner pre-screening that includes intelligence related to human rights, anti-bribery, and environmental practices. In addition to pre-screening, there needs to be regular assessments against industry best practices and regulations.

In 2024, organizations should also consider continuous reputational monitoring. Monitoring sources should include supplier news, financials, sanctions, politically exposed people (PEP), state-owned enterprises and more, and will help to flag important events. Further, organizations should be aware of their Nth parties. Risk doesn’t end with your suppliers. That’s why it’s important to identify and visualize relationships between your organization and third, fourth and Nth parties to discover dependencies and risks.

Lastly, compliance reporting needs to be simplified. Many regulatory regimes require organizations to monitor activity in their supply chains. The fastest, least-complex approach to audit reporting is to automatically map any vendor risk assessments to any regulation or framework.

Business Continuity Risk Associated with Third Parties

Business continuity supply chain risks can take many forms. For instance, a key supplier could declare bankruptcy and be unable to deliver on its contracts. In fact, some studies show that 25% of businesses have been affected by the financial failure of a supplier in the past year.

Mergers and acquisitions can also signal a change in strategy or market consolidation that could impact service delivery, prices, or contract terms. In addition, leadership turnover or legal trouble can impact an organization’s culture, strategy, and ability to execute against goals.

When evaluating potential vendors, it is critical to understand the organization's financial situation, existing contractual obligations, and other factors that could prevent them from effectively executing your contract. The less due diligence that is performed before onboarding a vendor, the more likely you are to experience a significant business disruption.

Implement a formal and documented third-party business resilience and continuity plan to manage these risks. Vendors should be evaluated uniformly based on a predetermined set of metrics that make it easy to compare competing vendors and identify potential suppliers that may have difficulty fulfilling their contractual obligations.

Third-Party Safety and Reliability Risk

Safety and reliability are two important aspects of risk management that deal with the prevention and mitigation of potential hazards and failures that may affect the performance, quality, or functionality of a product, system, or process. Safety and reliability are often related, but not identical, concepts. Safety focuses on the protection of people, property, and the environment from harm, while reliability focuses on the probability of a product, system, or process to perform its intended function under specified conditions for a given period.

Safety and reliability can be considered as a risk category when evaluating the potential consequences and likelihood of adverse events that may occur due to faults, errors, defects, or malfunctions in a product, system, or process. Safety and reliability risks can have significant impacts on the customer satisfaction, reputation, compliance, and profitability of an organization. Therefore, it is essential to identify, assess, and manage safety and reliability risks throughout the product life cycle, from design to operation to disposal.

One of the standards that provides a framework for safety and reliability risk management is ISO 13849-1, which defines safety categories and performance levels for the safety-related parts of a control system. Safety categories are based on the structural arrangement and reliability of the components, while performance levels are based on the probability of dangerous failures and the diagnostic coverage of the system.

Another standard that addresses safety and reliability risk management is IEC 61508, which defines safety integrity levels for the functional safety of electrical, electronic, and programmable electronic systems. Safety integrity levels are based on the probability of failure on demand and the average frequency of dangerous failures of the system.

For third-party risk management teams, this can mean asking questions about the overall safety practices and maintenance schedules of key suppliers. Safety risks become especially vital to understand in heavy industries, such as manufacturing, or in the resource extraction sector such as mining or oil & gas. Reliability of machinery is also a factor, which is why understanding maintenance practices is so crucial. Understanding these practices among suppliers can help organizations build contingency plans into their workflow in case a safety or reliability event occurs and risks interruption to the supply chain.

Supplier Environmental, Social and Governance (ESG) Risks

Environmental, social and governance risks relate to a wide spectrum of corporate conduct. Often, they can be difficult to detect until they reach the front pages of major news sites. By that point, the company’s reputation may already be tarnished or in danger of being tarnished. Typically referred to as “ESG,” this risk category includes:

• E = Environmental: Measures and reports on the organization’s values and commitments regarding stewardship of the natural world and environment. It includes reporting and monitoring of the organization’s environmental initiatives for climate change, waste management, pollution, resource use and depletion, greenhouse gasses, and such.
• S = Social: Measures and reports on the organization’s values and commitments regarding how it treats people. This includes employee and customer/partner relations, human rights (e.g., anti-slavery), diversity and inclusion, anti-harassment and discrimination, the privacy of individuals (both employees and others), working conditions and labor standards (e.g., child labor, forced labor, health and safety), and how the company participates and gives back to society and the communities it operates within.
• G = Governance: Measures and reports on the culture and behaviors of the organization in context and alignment to its values and commitment. This includes finance and tax strategies, whistleblower and reporting of issues, resiliency, anti-bribery and corruption, security, board/executive diversity and structure, and overall transparency and accountability.

ESG risks are on the rise as corporations face increasing scrutiny from regulators, auditors, and consumers. Environmental risks include climate change and how companies plan to account for shifting weather patterns and natural disasters. More attention is also being paid to “forever chemicals” such as PFAS in addition to other climate-related risks.

Management of ESG goes together with risk and compliance. Proper oversight of ESG requires expertise in third-party risk management and compliance with associated regulations. Companies’ ESG responsibilities and management of third-party risk heavily intersect due to the complexity of modern-day supply chains.

Regulatory pressure is also growing. The U.S. Securities and Exchange Commission (SEC) proposed rules requiring “certain climate-related information in their registration statements and annual reports,” including “upstream and downstream value chains.” The European Union (EU) Parliament presented mandates that EU businesses “identify and, where necessary, prevent, end or mitigate adverse impacts of their activities on human rights, such as child labour and exploitation of workers, and on the environment, for example pollution and biodiversity loss.”

ESG risks can be difficult to mitigate due to the multi-faceted nature of the category. As with financial risk, it’s important to include ESG reviews during the initial due diligence process for prospective vendors – prior to signing any contracts. Since multiple ESG-focused regulations are now holding companies accountable for issues like bribery and slavery in their supply chains, it’s critical to conduct relationship mapping and 4th- and Nth-party risk analysis to uncover any potential supply chain issues that could shed negative light on your organization.

• Don’t Overlook ESG During Procurement: For a quick check on ESG risk for prospective vendors (or catching up on existing vendors), consider subscribing to a vendor risk intelligence network. The networks are repositories of on-demand supplier risk reports compiled from completed assessments and external monitoring data. A good network will provide insights across several types of risk, including ESG.

• Include ESG Questions in Periodic Risk Assessments: For a more custom look at ESG risk at your existing vendors, you can conduct questionnaire-based supplier risk assessments. With the right TPRM platform, you can automatically map assessment responses to your business requirements, as well as to several industry and government regulations.

• Recognize that ESG Risks Can Surface at Any Time: Stay on top of ESG-related events as they surface by conducting continuous third-party risk monitoring across your supplier ecosystem. Risk monitoring solutions can correlate research from thousands of sources to identify everything from negative press to compliance violations affecting your suppliers.

In 2024, these risks look to be even more acute. Climate change is a growing risk category in the face of multiple extreme weather events, such as the June 2023 wildfires in Canada, ice storms in Texas in February, and uncommon heatwaves in Australia in September. This necessitates taking a harder look at environmental risks, especially as they relate to supply chain resilience.

Additionally, social accountability risks look to be on the rise. Regulations on modern slavery and child labor, as previously mentioned, are growing throughout the world. Governments in Europe, North America, and Asia Pacific have started to pay closer attention to working conditions in manufacturing facilities globally. As more consumers make socially conscious purchase decisions, companies need to take a harder look at their corporate social responsibility policies and keeping their suppliers accountable.

Bribery & Corruption Risks in Third-Party Relationships

Bribery and corruption risk will continue to be a challenge in 2024. The U.S. Foreign Corrupt Practices Act (FCPA) continues to be strictly enforced for companies seeking to do business in the United States, and other jurisdictions also have anti-corruption legislation for local and foreign businesses. Collectively, third-party relationships represent one of the most significant bribery and corruption risk exposures to organizations.

When unpacking FCPA bribery and corruption enforcement actions, Stanford Law School discovered that over 90% of incidents involve a third-party intermediary. All third parties who act as agents of a company – such as distributors, sales representatives, brokers, consultants, freight forwarders, lobbyists – can expose the organization to liability for bribery and corruption.

In fact, a company can be held liable for the actions of its third parties, even if the company claims to have no knowledge of an incident. Often, all that is needed for an indictment is a "high probability" of bribery or evidence that a company was "willfully blind" to a third party’s corruption on their behalf.

Enforcement of ABAC laws is expanding. In the United Kingdom, the Serious Fraud Office (SFO) has expanded its enforcement activities. And the European Union’s Directive on Mandatory Human Rights, Environmental, and Good Governance Due Diligence will require significant due diligence for organizations operating in EU countries, with ABAC falling under the Good Governance section.

In 2024, concerns about bribery and corruption will continue to grow among organizations in countries with aggressive enforcement. The long arm of the U.S. FCPA is also likely to continue given the importance of the United States as an international market and source of finished goods. Companies under the jurisdiction of the FCPA and other anti-corruption measures would do well to analyze the financial situation of their vendors to ensure that they are not caught up in any activities that could trigger a corruption investigation.

Third-Party Risk Now and in the Future

Companies face an increasingly problematic third-party risk environment. The number and variety of risks in the categories outlined above, including a cyberattack, continuity risk, reputational concerns, and more will likely make conducting business more difficult in 2024.

It behooves organizations large and small to take a hard look at their 2024 TPRM strategies , making sure that they consider the complexity of their risk environment and quantifying the real impact of the risks outlined in this report. Further, organizations should prioritize these risk categories based on their corporate strategies. Cybersecurity could be a bigger concern than reputational risk in 2024, for example, prompting risk managers to emphasize inoculating the organization against cyber threats. Similarly, perhaps business continuity is a higher priority. Ultimately, organizations need to make those judgements and focus on reducing or mitigating the risks that are of greatest concern to their businesses.

For more on how Prevalent can help manage your third-party risk program, sign up for a demo today.