
‘Third Party’ or ‘Supply Chain’ – in Risk Terms, Does It Matter What We Call It?



By Colin Fraser, Director at i-confidential


I had a conversation with a risk leader in one of our clients recently. There was a determination in this company to get people to think ‘supply chain’ rather than ‘third party’. The risk of fourth and fifth-party criticality and potential concentration risk was front of mind.


I didn’t disagree with the need for focus down the supply chain. There are, however, still good reasons to think ‘third party’.


Often, we are seeing the most critical threat factors involved in non-procurement-type deals. Other third-party relationships involve network connections, for example – a key attack vector for the bad actor.


Most companies focus on procurement-type commercial relationships and don’t have a broader perspective. A recent Ponemon report highlighted the problem of inventory:


“It’s troubling that 54% of respondents say their organizations do not have a comprehensive inventory of all third parties with access to their network.”


In our experience, the challenge is even more significant. Most organisations don’t have an inventory of all third-party relationships, including suppliers, partners, alliances, and clients. With a full inventory, you can take comfort that your risk management processes have a chance to completely cover the third-party estate. Without it, your third-party risk management system is broken.


The next challenge is to perform a competent inherent risk assessment on that estate. Once we have identified where the highest risk is within our extended enterprise, we can then think ‘supply chain’.


This is where my client has it dead right. For relationships with the highest inherent risk, organisations must think supply chain. They won’t have the resources to drill down to fourth and fifth-party relationships for all third parties. Equally, the risk appetite and impact tolerance of the board will have indicated where they need to expend those scarce resources.


So, my advice: think ‘third party’ first and then think ‘supply chain’ on a risk-prioritised basis.