The stakes are alarmingly high. According to a survey by Rapid Ratings International Inc., 87 percent of companies experienced a "disruptive incident" with third parties over the past two to three years, with half of those disruptions caused by Tier 1 suppliers.
Clearly there’s a need to monitor third parties more closely, especially in the area of supply-chain finance. But that’s no easy task. Up to 80 percent of third parties are private companies, which tend to conceal their financials from vendors, according to Rapid Ratings chief executive officer James Gellert.
The universe of third parties serving global supply chains is large and varied. It consists of suppliers of finished goods, components and raw materials, often several steps removed from the brand owner or original equipment manufacturer. Additional vendors in the mix include logistics and transportation providers, credit-card processors and joint-venture partners. Each presents the possibility of a business failure or unethical behavior that could threaten the entire supply chain, and expose the end seller to severe liability issues.
The biggest pain point in the world of supply-chain risk today is the inability of companies to fully evaluate their privately held partners, says Gellert. In addition, they struggle with crafting comprehensive, integrated programs for managing risk throughout the chain.
On the financial side, the U.S. Treasury Department’s Office of the Comptroller of the Currency (OCC) and the Federal Reserve are the chief regulators of banks that fund supply-chain activities in the U.S. Their range of oversight includes compliance, procurement and information security — elements that companies have a hard time approaching in anything like an integrated fashion. As a result, banks today are “in a scramble to make these internal functions as efficient as possible,” says Gellert.
There’s a new understanding among businesses and financial institutions that they need to work more closely together to meet strict OCC standards, he adds. In particular, companies must acquire a complete understanding of new third parties, beginning with the request for proposal and extending to vendor selection, onboarding and the long-term relationship. Gellert likens the effort to “herding a lot of cats and making them all run in the same direction.”
The entry of non-bank entities into the supply-chain financing realm has further complicated the picture. Much of the money flowing from business-development companies, hedge funds and private equity firms has been lightly regulated, if at all. “That adds an element of risk to the market that is new as of the [2007-2008] financial crisis,” Gellert says. The challenge today lies in assessing the stability of these newcomers, while adhering to a slew of new regulations affecting public companies, as set forth in the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.
Risk managers aren’t working entirely in the dark. OCC’s lengthy Bulletin 2013-29 offers detailed guidance to banks on assessing and managing risks associated with third-party relationships. OCC “expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party,” the bulletin states. “A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
The bulletin lays out the elements of an effective risk-management process, including the crafting of a long-term strategy for identifying third-party risk, due diligence in vendor selection, written contracts specifying the rights and responsibilities of all parties, ongoing monitoring of third-party activities, contingency plans for terminating the relationship, independent reviews and detailed documentation of oversight efforts.
In the bulletin, OCC expresses concern that “the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.” The language serves as a clear warning to banks and global supply chains that they need to get their houses in order when it comes to dealing with third parties.
There’s still the knotty problem of acquiring those private-company financials. Historically, companies have simply refused to provide them. Rapid Ratings reaches out to private vendors on behalf of its clients, arguing the value of transparency and the commercial benefits of disclosure. One might interpret that message as a threat to withhold business from a recalcitrant third party, but Gellert prefers to frame it as “a basis for discussion and relationship building — not necessarily a threatening action.”
Increasingly, he says, private companies are seeing the wisdom of disclosing their numbers to valued customers. According to Gellert, Rapid Ratings has had an 86-percent success rate in obtaining that information. Still, there are other ways to assess the stability of a potential third party. Media reports and the internet offer a wealth of information that, taken as a whole, can paint a reasonably accurate portrait of a vendor’s organization. Rapid Ratings looks at a total of 73 factors to grade the financial health of targeted companies, Gellert says. They include credit profile, compliance with foreign statutes, conflict-minerals disclosures, adherence to the Foreign Corrupt Practices Act, imposed sanctions, and whether executives are on any “no-fly” lists.
The challenge of assessing third-party risk has grown more serious against a backdrop of persistently low interest rates, says Gellert. The trend has allowed many companies to refinance debt and put off tackling their long-term structural problems. Now, though, that cushion could be coming to an end, with the Fed recently taking steps to raise interest rates for only the second time since the financial crisis of 2008. Further hikes are likely, making it essential that supply chains address any underlying weaknesses in their third-party relationships once and for all.