Laura Greenwood, Third-party Assurance Consultant at Crossword Cybersecurity PLC, explains how to approach Supplier Assurance and its management, as it becomes increasingly important to procurement professionals.
Businesses are facing continual pressure to improve third party assurance & risk management from regulators, auditors, risk & compliance, and even customers & investors. In fact, it is typically one of the top three enterprise risks for any large company or organisation. With other areas of enterprise risk, such as big changes in global trade policies, cyber security & business continuity, there is top-level visibility of the current risk position, a consensus to invest, and often established international standards. Third-party risk, however, is often under-resourced and is simply not visible at board level in the same way.
A fact well understood by all procurement professionals is that whilst supplier relationships allow you to outsource the work, you cannot outsource the risks. As a result, when taking on any third-party supplier, procurement professionals must work to ensure the service provider can provide assurance that it has sufficient controls to manage the financial, operational and regulatory risks that relate to its specialism and to the service it will provide. Compliance in areas such as the Modern Slavery Act or the General Data Protection Regulation has become increasingly important, and depending on the industry, any number of specific regulations may apply.
This means that the task of onboarding suppliers, let alone the ongoing task of maintaining their supplier assurance, can be very complex, and not just in terms of process: procurement specialists will rely on support from other areas of the business, such as finance and IT, to carry out the assurance checks in those areas, all of which requires great co-ordination, communication and management skills.
As an example, supplier assurance and procurement teams stay well away from the deeply technical and mysterious world of cyber security. Where supplier due diligence requires a cyber security assessment, it’s happily handed over to specialists – whether internal or external. Any reports, risk acceptance or remediation activities are left with the cyber specialists while supplier assurance focuses on the core of financial risk, insurance cover, standards, supply continuity and so on.
From the cyber security specialist's perspective, these responsibilities are typically approached as short-term, point-in-time assessments, often required on top of the day job of protecting the organisation's IT assets and systems. It's also common for technical cyber specialists to be asked to assess standards, cyber controls and governance, an area in which they may well have no experience. They'll carry out these tasks as best they can, but won't always see them as strategically important.
Whether for cyber security, financial or other regulatory controls, organisations need a different approach in order to reduce the risks associated with suppliers, vendors and other third parties: one that combines the supplier assurance and procurement team's approach, based on good practice, controls, evidence of governance and commitments to improvement, with the deeper technical understanding of other teams. Supplier assurance and procurement teams have a far greater role to play in this than they may imagine.
Best of both worlds approach
A good framework starts with the need for supplier assurance and other departments to gain an improved understanding of each other's domains, objectives and responsibilities. A starting point is for them to jointly develop Supplier Impact criteria that systematically assess how much inherent risk every supplier or third party may carry in that department's sphere.
Each supplier can then be measured against these criteria and its supplier impact level established. A different approach for each level of impact should be agreed jointly and completely standardised across the organisation. For example, a supplier with a Very High impact should be expected to demonstrate a high level of internal controls. With cyber security, this should take the shape of obtaining, or working to achieve, high standards such as ISO27001, IASME Governance or NIST. This makes it the supplier's responsibility to show a serious level of control, rather than the hard-pressed cyber security team's responsibility to dive into hundreds of hours of audit work. It also has the benefit that a non-cyber specialist can easily determine whether the standard is present or not.
Where a technical assessment or test is needed, such as a penetration test or at least a "pen test" report from a credible third party, the supplier assurance team can be responsible for ensuring that this takes place, handing over the technical work to the cyber teams or external testers where needed. This 'management of risk' role cannot be handed over though, as tempting as it is when the talk gets incomprehensibly technical.
The approach at each level of supplier impact should also contain the ongoing levels of compliance required in order to maintain good risk management. Again, the supplier assurance team can timetable these ongoing reviews and focus on the governance of third-party risk – whether cyber, continuity, financial or regulatory.
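The tiering procedure described in this section (jointly agreed impact criteria, a standardised expectation per impact level, and a timetable of ongoing reviews) is easy to state but easy to apply inconsistently, so here it is as a small working model. This is an added illustration, not code from the article or from Crossword Cybersecurity; the criteria, weights, tier thresholds, evidence artefact names and review cadences are constructed assumptions chosen to show the mechanics, not a recommended scheme. The standard names are the ones the article cites; which tier requires which evidence is an assumption.

```python
"""Tiered supplier-assurance model (added worked example, not the article's code).

Assumptions: the Supplier Impact criteria, their weights, the tier thresholds,
the evidence accepted per tier and the review cadences are all constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Jointly agreed Supplier Impact criteria (assumed). Each is scored 0-3 by the
# department that owns the domain; the weight says how strongly that domain
# drives the supplier's inherent risk.
CRITERIA_WEIGHTS = {
    "data_sensitivity":    3,  # IT / data protection: personal data volume and sensitivity
    "system_access":       3,  # IT: connectivity into the network, privileged access
    "service_criticality": 2,  # continuity: operational impact if the supplier fails
    "regulatory_exposure": 2,  # compliance: GDPR, Modern Slavery Act, sector rules
    "annual_spend":        1,  # finance: contract value relative to budget
}
MAX_SCORE = 3 * sum(CRITERIA_WEIGHTS.values())  # 33 with these weights

# Impact tiers as a fraction of MAX_SCORE, highest first (assumed thresholds).
TIERS = [("Very High", 0.75), ("High", 0.50), ("Medium", 0.25), ("Low", 0.0)]

# Standardised expectation per tier (assumed mapping). 'accepted_evidence' is a
# set of artefacts any one of which satisfies the control requirement, so the
# supplier proves the standard rather than the cyber team auditing them.
TIER_REQUIREMENTS = {
    "Very High": {"accepted_evidence": {"ISO27001", "IASME Governance", "NIST"},
                  "pen_test": True, "review_months": 6},
    "High":      {"accepted_evidence": {"ISO27001", "IASME Governance", "NIST"},
                  "pen_test": True, "review_months": 12},
    "Medium":    {"accepted_evidence": {"security questionnaire"},
                  "pen_test": False, "review_months": 12},
    "Low":       {"accepted_evidence": set(),
                  "pen_test": False, "review_months": 24},
}


@dataclass
class Supplier:
    name: str
    scores: dict                                 # criterion -> 0..3, entered by the owning team
    evidence: set = field(default_factory=set)   # artefacts on file, e.g. {"ISO27001"}
    last_review: date | None = None              # date of the last completed assurance review


def domain_breakdown(supplier: Supplier) -> dict:
    """Weighted contribution of each criterion: the raw material for a per-supplier scorecard."""
    missing = set(CRITERIA_WEIGHTS) - set(supplier.scores)
    if missing:
        raise ValueError(f"{supplier.name}: unscored criteria {sorted(missing)}")
    breakdown = {}
    for criterion, weight in CRITERIA_WEIGHTS.items():
        score = supplier.scores[criterion]
        if not 0 <= score <= 3:
            raise ValueError(f"{supplier.name}: {criterion} must be 0-3, got {score}")
        breakdown[criterion] = weight * score
    return breakdown


def impact_score(supplier: Supplier) -> int:
    return sum(domain_breakdown(supplier).values())


def impact_tier(supplier: Supplier) -> str:
    fraction = impact_score(supplier) / MAX_SCORE
    for tier, threshold in TIERS:
        if fraction >= threshold:
            return tier
    return "Low"


def assurance_gaps(supplier: Supplier, today: date) -> tuple[str, list[str]]:
    """Return the supplier's tier and what is missing against that tier's standard."""
    tier = impact_tier(supplier)
    req = TIER_REQUIREMENTS[tier]
    gaps = []
    if req["accepted_evidence"] and not (supplier.evidence & req["accepted_evidence"]):
        gaps.append(f"no accepted control evidence (one of {sorted(req['accepted_evidence'])})")
    if req["pen_test"] and "pen test report" not in supplier.evidence:
        gaps.append("independent pen test report required")
    if supplier.last_review is None:
        gaps.append("no assurance review on record")
    # 30-day months are a deliberate simplification for the review timetable.
    elif today > supplier.last_review + timedelta(days=30 * req["review_months"]):
        gaps.append(f"review overdue (cadence {req['review_months']} months)")
    return tier, gaps


# Constructed sample suppliers, scored as the owning departments might score them.
AS_OF = date(2024, 9, 1)
SAMPLE_SUPPLIERS = [
    Supplier("Payroll SaaS", {"data_sensitivity": 3, "system_access": 3, "service_criticality": 3,
                              "regulatory_exposure": 3, "annual_spend": 2},
             evidence={"ISO27001"}, last_review=date(2024, 1, 10)),
    Supplier("Marketing agency", {"data_sensitivity": 2, "system_access": 1, "service_criticality": 1,
                                  "regulatory_exposure": 1, "annual_spend": 1},
             evidence={"security questionnaire"}, last_review=date(2024, 6, 1)),
    Supplier("Stationery", {"data_sensitivity": 0, "system_access": 0, "service_criticality": 1,
                            "regulatory_exposure": 0, "annual_spend": 1}),
]

if __name__ == "__main__":
    for s in SAMPLE_SUPPLIERS:
        tier, gaps = assurance_gaps(s, AS_OF)
        print(f"{s.name}: score {impact_score(s)}/{MAX_SCORE}, tier {tier}, gaps: {gaps or 'none'}")
```

The point of the model is the separation of roles it enforces: each department scores only its own criteria, the tier is derived mechanically so nobody argues a favoured supplier down a level, and `assurance_gaps` tells the supplier assurance team what to chase and when, without anyone outside the cyber team having to read a pen test report.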
A strategic approach to supplier risk information
Taking a formulated and strategic approach to supplier assurance creates an environment where the different teams involved in supplier risk start to use shared information systems to record and visualise supplier risks. We have seen users creating really impressive supplier scorecards showing a combined view of financial, cyber, GDPR, modern slavery and other risks, all on one simple chart for each supplier. This creates a shared understanding of the totality of risk from each supplier and helps specialist teams, such as IT, and the supplier assurance team understand how their worlds fit together. This is what a truly strategic approach to supplier assurance looks like, and it creates direct benefits for the business and its wider supply chain partners.