'Fourth-party risk' rising during supply chain disruption

Dive Brief:

Companies face mounting risks from “fourth parties” as they try to overcome pandemic-induced supply chain disruptions by relying more on subcontractors, KPMG said in a report on third-party risk management (TPRM).
“Across sectors, fourth parties have been responsible for much recent disruption,” according to Alexander Geschonneck, a KPMG partner. “In manufacturing, that might result from shipping failures. More broadly, it could be a security vulnerability at a supplier’s cloud provider that results in a cyber incident.”
Nearly eight out of 10 (79%) businesses said they need to urgently improve their assessment of fourth parties in their supply chains, KPMG said in the description of survey results. KPMG flagged the risk management challenge for a company that lacks a direct relationship to its vendors’ contractors, or fourth parties.

Dive Insight:

CFOs aiming to avert business disruption and reputational harm through TPRM face challenges from pandemic interruptions, cyber criminals, the highest inflation in four decades and sharper scrutiny of environmental risks from regulators, investors and other stakeholders, KPMG said.

Most recently, the Russian invasion of Ukraine has jolted global trade and finance, further complicating TPRM and prompting warnings by the federal government of potential cyberattacks.

“Global businesses are assessing their operational resilience and reviewing their dependence on third and fourth parties,” KPMG said.

Nearly three out of four (73%) of 1,263 senior TPRM professionals surveyed worldwide reported that their business faced at least one third-party disruption during the past three years, with energy, minerals and utility companies reporting the most incidents, KPMG said.

Thirty-eight percent of respondents weathered three or more interruptions from third parties such as suppliers, vendors and contractors, while half of respondents (52%) said they lack sufficient in-house TPRM capabilities, KPMG said.

Three out of 10 plan to assess the environmental risks posed by third parties within three years, an increase from 23% that do so today, KPMG said. Half of the businesses with annual revenues exceeding $10 billion said that within three years they will assess the environmental, social and governance risks posed by all third parties.

“We expected TPRM to become even more of a strategic priority following the pandemic,” according to Jon Dowie, a KPMG partner.

“It’s concerning that businesses are not taking TPRM as far as it needs to go,” Dowie said. “The focus up to now has often been on addressing tactical issues rather than getting an enterprise-wide fix and engagement across the organization.”

Billing is a common third-party vulnerability, according to KPMG. More than half (54%) of respondents believe they were overbilled by a third party during the previous 12 months. Businesses can trim such losses by creating a system that flags when the invoiced fee exceeds the amount in the statement of work.

CFOs can reduce third party risk by carefully vetting compliance, cybersecurity, business continuity and other risks before signing contracts with third parties, KPMG said. They should monitor a third party’s activities throughout the duration of its contract and prioritize their time and resources by focusing first on third parties involved in the most critical services.