Analyst Insight: The performance and risk of an organization’s third-party ecosystem, which may include suppliers, vendors and service providers, are becoming increasingly linked to its business reputation, ethos and even its continued viability. As such, shareholders, investors, government regulators and consumers demand and expect that organizations drive positive social change, and protect the health, safety and rights of workers and communities that supply them.
Procurement is the business function that conducts sourcing events, supplier due diligence and risk assessments. As such, it’s the vanguard of an organization’s extended enterprise. Procurement is the company’s first line of defense against third-party risks and is accountable for ensuring supply chain integrity by focusing on multiple initiatives, including:
Diversity, Equity, and Inclusion (DE&I). Are people of all abilities, ages, ethnicity, genders, races, sexual preferences, and veteran statuses represented in third-party relationships? For federal contractors, it’s often a requirement to work with certified minority-owned businesses as a precondition for bidding on projects.
Employee Policies and Labor Protections. Do suppliers have environmental, occupational health and safety programs to protect their workforce? Are they compliant with related laws and regulations?
Human Rights. Are companies advancing and protecting worker human rights across their extended enterprise? Do their suppliers have anti-slavery programs in place? Are they working with their third parties to identify and mitigate forms of modern slavery from their supply chains? Are they complying with applicable laws and regulations, such as the Uyghur Forced Labor Prevention Act?
Local Communities. Does the organization consider the impact that its operations and third parties have on their communities, such as employing local workers or protecting their environment?
Despite the increased focus on ethical supply chains, 43% of companies struggle to identify ESG factors as part of their due diligence processes. It’s the soft underbelly of organizations that leaders must fortify.
There are steps that leaders can take to drive positive social changes across their supply chains. Procurement teams can use third-party risk management (TPRM) to automate processes, drive efficiencies, and monitor and mitigate the risks that third parties bring into supply chain operations. Following are six steps to solidifying an organization’s risk-management strategy and helping to drive positive social change across the extended enterprise.
Needs assessment and planning. As with any journey, developing socially responsible third-party relationships begins with a plan. Businesses must first identify or confirm their need for third-party products or services, and determine whether they want to renew relations with a previous supplier or forge a new one.
Once you’ve established a need for outside relationships, screen any potential third parties before further communication. Determine the initial risk profile of potential suppliers based on their services, their location and the data they can handle.
Due diligence. This stage expands on the planning phase and deepens the understanding of the inherent risks in a potential third-party relationship. During this stage, businesses should assess the third party’s controls, policies, procedures, financial health, reputation and compliance with laws and regulations. It also requires third parties to attest to the organization's code of conduct, ensuring alignment on expectations for integrity and ethical business practices.
Businesses must also assess every tier of the third party’s subcontractors, as their activities can also bring risks to operations.
At this point, many businesses use sanction lists and other sources to determine if any ethical or compliance concerns would make these relationships too much of a risk. This is a prime opportunity to use a dynamic assessment or questionnaire and a risk-scoring engine to help determine whether the relationship is worth pursuing. Consider requests for proposals and decide which parties you’re willing to work with based on the potential risks and how easily those risks can be mitigated.
Negotiations and contracting. This stage is crucial for embedding risk-mitigation strategies directly into the contract. While contracts often include elements that fall outside the immediate scope of a TPRM program, the contract serves as a fundamental tool to ensure that the third party adheres to all necessary labor, safety and trade regulations and standards.
During negotiations, the organization and the third party will collaborate to establish contract terms. These terms should clearly define responsibilities, expectations, and service-level agreement (SLA) specifics. Additionally, the terms should outline remedies and actions in case of non-compliance. The contract should outline the third party’s obligations for recordkeeping and reporting to ensure transparency and accountability. It should also allow the organization to conduct audits when and as needed.
Ongoing monitoring. Managing risk is an ongoing process that requires organizations to remain vigilant. It’s not unusual for companies to experience sudden disruptions or find themselves in the news when their third parties violate labor, human rights or safety standards.
Organizations should define key performance indicators to help ensure their suppliers meet business objectives and fulfill ESG goals. They should also continuously conduct risk assessments, performance reviews and audits to identify any changes to the supplier’s risk profile that may require attention. Continuous monitoring will ensure you catch issues early and allow you to take corrective action.
Risk and issue management. Organizations must have procedures in place for incident management and risk mitigation. It’s vital for companies to identify, diagnose, and respond to risks and issues quickly. Along with regular performance and compliance reviews and audits, a TPRM program can determine specific actions based on the emergence of risks.
For example, metrics can be used as automatic triggers. The TPRM program could automatically send notifications to critical stakeholders if a new risk becomes apparent, such as a report of forced child labor following a routine supplier site visit. Organizations could also use the expiration of a third-party security certification or the detection of breaches or sanctions to automatically trigger actions, such as sending a reassessment or notifying a stakeholder.
Renewal or termination. During the final step, the organization decides whether to renew, revise, or terminate the third-party relationship based on its performance and risk assessment. Renewing or revising a contract with a third party often takes organizations back to the third step — negotiations and contracting.
When terminating a relationship, it’s crucial to have a thorough and detailed offboarding process. To ensure information security, organizations must ensure that third parties attest to data privacy and comply with record-destruction requirements, and that access for any vendor employees to systems or physical buildings is disabled. Organizations need to maintain detailed records of the offboarding process with a full audit trail to ensure all appropriate measures are taken and to demonstrate compliance.
In an environment where operational processes, compliance requirements and threats to the workforce fluctuate, a TPRM program is foundational to organizational stability. It ensures an organization’s proactive posture against ESG risks, helps to promote its integrity and that of its supply chain, and bolsters its brand reputation.