Identifying key metrics can be a thorny proposition. To meet the expanding definition of fourth/Nth parties as “material,” it is essential on a practical level to use metrics that are viable and have a measurable scope for assessment and monitoring, so that visibility into down-chain vendors improves. Once visibility of vulnerabilities and opportunities is improved at the Nth party level, a more streamlined, quantitative, analytic, risk-based vendor risk management program can be established to better anticipate and manage disruptions at any point in the chain.
How Opaque the Supply Chain is Depends on Where You Sit
The sheer number of vendors and interdependencies in a complex supply chain can present an opaque view that makes it difficult to readily recognize and mitigate risks at a level that provides for resilience. TPRM needs to proactively manage vendor risk, working with first line partners to bring to light scope creep that could increase risk. Toward that end, robust and accurate supply chain and vendor mapping is essential. Knowledge of a service provider’s subcontractor ecosystem should be followed by identifying and mapping the user’s specific service(s), product, and data impacted by each subcontractor.
Key issues that practitioners encounter in monitoring Nth parties include failure to update vendor inventories with all additional suppliers behind the third party, failure to update contract addenda to reflect changing risk environments and incremental service expansion, incomplete ongoing due diligence, and assigning too low a level of criticality to a vendor and its Nth parties that are actually material to the outsourcer’s operations.
How Can TPRM/VRM Help?
The growing mandate for resilience requires updated policies, strategic shifts for vetting vendors, and changes to vendor management processes. To make changes that will be effective, third party risk managers must have enhanced visibility across relationships and across all user groups enterprise-wide. By working with control function partners to gain expertise, practitioners can better determine the acceptable risk appetite and the appropriate controls required to form a cohesive picture of the true risk landscape. A Vendor Manager (VM) can serve as a clearinghouse to support this effort by providing insight into the synergies across roles and responsibilities, allowing all stakeholders to better understand the interdependencies of vendor relationships. Each user department and control function should determine which indicators should be monitored, and the cadence of the monitoring, within their areas of expertise.
To determine how far and how deep into the supply chain active monitoring and analysis should be conducted, consider the following questions:
- How do I document all the parties in my supply chain or source chain?
- How can I determine my organization’s actual exposure at each Nth party?
- How can I understand the materiality of Nth party exposures?
Allowance for monitoring third, fourth, and Nth party risk indicators must be included in the third party contracts, as well as in those third parties’ contracts with their own vendors. If your vendor contracts do not allow for fourth/Nth party monitoring, that is a key indicator for change within your ERM and TPRM processes. If your organization cannot clear this hurdle, a Self-Identified Gap should be raised, with a corresponding Corrective Action Plan established that is consistent with company protocols.
Defining Nth Party Risk Indicators
A full inventory of service providers is required to get the complete picture and guide selection of appropriate risk indicators. To drive effective forecasting and early response to issues, key indicators should be expanded beyond descriptive metrics to include diagnostic and quantitative data. Those indicators must reflect not only whether a control is in place or absent; they should also indicate the efficacy of those controls.
Examples of areas to build key metrics around include:
- Fourth/Nth party metrics define internal and external handoffs upstream and downstream to provide transparency into vulnerable links in the chain.
- Privacy and security metrics cover the volume and types of data, the transport mechanisms and networks used to transmit it, monitoring, and the ultimate destruction of data.
- Financial viability metrics down through the Nth party level include filings, M&A, and other key factors based on a specific outsourcer’s ecosystem.
- Other key indicators tracked through continuous monitoring include a multi-factor view of cyber posture, business intelligence, real-time Environmental, Social and Governance (ESG) signals, location, and use of fourth/Nth parties.
- Event horizon scanning and predictive analytics are designed to help identify black swan, gray rhino, and white elephant events.
- Timely risk management metrics provide up-to-date tracking of identified risks and mitigation status, aligned with risk appetite and tolerance protocols.
Information garnered through monitoring processes should be mapped to threat intelligence alerts and must be shared organization-wide to be effective. Reporting content needs to be appropriate for the intended audience’s focus and actions.
The top five metrics for reporting:
- Fourth and Nth party indicators that reflect overdue risk remediation tasks by vendor, supplier and sourcing type, and across the entire portfolio.
- Areas of concentration risk to reveal where a single point of failure exists.
- Procurement and sourcing disconnects where fourth/Nth parties are not identified and/or approved, with an escalation process to enhance the identification of workflow handoff points.
- Event Management responsiveness for breaches, ransomware, etc., with an established incident management process that is reviewed for effectiveness over time.
- Upstream and downstream transparency dashboards that identify where exposure points reside that, if impacted, may affect resilience. A plan of action should be established for disruptions and monitored over time for effectiveness.
- A Risk & Control Self Assessment program should be implemented consistent with company protocols.
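As an added illustration (not from the article or any Shared Assessments material), the following Python sketch models the vendor map the metrics above rely on: it walks each third party’s subcontractor chain to find Nth parties that are a single point of failure across critical services (concentration risk) and parties present in the chain but absent from the approved inventory (a procurement/sourcing disconnect). All vendor names, services and inventory entries are constructed.

```python
from collections import defaultdict, deque
# Constructed sample data, not from the article: services, the third party
# delivering each, and whether the service is critical to operations.
SERVICES = {
    "payments": {"vendor": "PayCo", "critical": True},
    "payroll": {"vendor": "HRSoft", "critical": True},
    "marketing": {"vendor": "AdTech", "critical": False},
}
# Constructed vendor map: party -> subcontractors it relies on (4th..Nth parties).
SUBCONTRACTORS = {
    "PayCo": ["CloudHost", "IdP-Inc"],
    "HRSoft": ["CloudHost", "DocStore"],
    "AdTech": ["CDN-Ltd"],
    "DocStore": ["CloudHost"],
    "IdP-Inc": ["SMS-Gateway"],
}
# Constructed approved inventory; a party in the chain but not here is a
# procurement/sourcing disconnect.
APPROVED = {"PayCo", "HRSoft", "AdTech", "CloudHost", "IdP-Inc", "DocStore", "CDN-Ltd"}


def downstream_parties(vendor):
    """Every party transitively behind `vendor` (breadth-first over the map)."""
    seen, queue = set(), deque([vendor])
    while queue:
        for sub in SUBCONTRACTORS.get(queue.popleft(), []):
            if sub not in seen:
                seen.add(sub)
                queue.append(sub)
    return seen


def exposure_by_party():
    """Map each party (3rd..Nth) -> set of services that depend on it."""
    exposure = defaultdict(set)
    for service, info in SERVICES.items():
        for party in {info["vendor"], *downstream_parties(info["vendor"])}:
            exposure[party].add(service)
    return exposure


def concentration_risks(min_critical=2):
    """Parties whose outage would hit at least `min_critical` critical services."""
    return sorted(
        party for party, services in exposure_by_party().items()
        if sum(SERVICES[s]["critical"] for s in services) >= min_critical
    )


def unapproved_parties():
    """Parties present in the chain but missing from the approved inventory."""
    return sorted(set(exposure_by_party()) - APPROVED)
```

In the constructed data, CloudHost sits behind both critical services through two different third parties, so it surfaces as a concentration risk, while SMS-Gateway is reachable only through a fourth party and was never approved.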
Well-developed metrics can help organizations unmask hidden risks across intricate supply chains. In turn, those metrics can drive appropriate contract terms, corrective action plans, and a more secure TPRM program.
Metrics that are based around key goals will help TPRM practitioners identify risk, better plan for remediation, and follow through with effective risk mitigation. Identification and quantification of criticality goes hand in hand with establishing and mapping supply chain components, including third, fourth, and Nth party vendors. Review and adjustment of key metrics must continue throughout the third party relationship lifecycle.
Mature programs can predict where risks might occur and enable disruption avoidance, as well as develop and implement appropriate mitigation techniques. Mapping the complete supply chain is essential to identifying key indicators that work for your organization’s unique supply ecosystem. Finally, monitoring programs must include a feedback/feed-forward loop in which learning and adaptation play an important role, to ensure key indicators are adjusted in line with the changing risk landscape and continue to inform an improved program.
Related Practitioner Resources:
- Shared Assessments TPRM Framework modules: Module 6 on Due Diligence; Module 7 on Contracts; and Module 9 on Assessments & Monitoring.