Geopolitical risks are disrupting global supply chains and compelling business leaders to take third-party risk management more seriously.

Active war zones, extreme weather conditions, and “black swan” events affect the ability of procurement and supply chain organizations to source, manufacture and deliver goods.

Take Houthi attacks on shipping in the Red Sea. It’s a vital waterway for global commerce, with 12% of global trade, 30% of container shipping and seven million barrels of crude oil and refined energy products passing through it daily. Despite an international coalition to ensure freedom of navigation, including joint U.S.-U.K. air strikes to disrupt Houthi drone and missile capabilities, attacks have been occurring almost daily since December. Several ships have been damaged or hijacked. 

As a result, four of the world’s five largest ocean carriers (Maersk, Hapag-Lloyd, CMA CGM Group, and Evergreen) and some of the largest energy and tanker companies (BP, Shell, and TotalEnergies) have paused on transiting the Red Sea. At least 90% of the containerships that would normally sail through are diverting around the Cape of Good Hope on the southern tip of Africa, extending their journey by 10 to 14 days and 3,500 nautical miles. Longer trips mean higher fuel, freight and insurance rates; and they prompt businesses to reevaluate where they source their goods and how to ship them.

Mitigating Concentration Risks

Many businesses cannot shift sourcing or shipping out of regional hotspots, such as the Red Sea or the larger Middle East. For them, mitigating concentration risk should be a top priority. 

To avoid disruptions to maritime trade caused by geopolitical risk, and improve supplier visibility and business resilience, supply chain teams need to prioritize third-party risk management (TPRM). Yet such programs face a number of challenges today, including:

• The lack or immaturity of a TPRM program. Just 54% of companies in Ernst & Young’s 2023 Global Third-Party Risk Management survey have a centralized TPRM program. Businesses that lack or have immature TPRM programs rely on manual processes that cannot scale with the growth of third parties they work with, and the myriad of risks they bring. 
• Siloed third-party records and risk data. Valuable supplier mapping and risk data that could be useful to reevaluate sourcing strategies, pivot to alternative third parties and get ahead of geopolitical crises are often siloed within multiple business units. In addition, risk intelligence data aren’t integrated with the TPRM solution. 
• Poor management of third-party risks. Unsurprisingly, Gartner’s Third-Party Risk Management Governance and Technology Investments report finds that only 28% of organizations continuously monitor third parties throughout engagement cycles, and just 16% say they’re effectively managing third-party risks.”

Why TPRM Is Indispensable

The scope and scale of risks to companies operating in or sourcing from conflict zones necessitate a digital approach, one that automates cross-functional processes for assessing third-party risks, continuously monitoring those risks, and mitigating them through corrective actions. TPRM programs can help with providing unified visibility across all risk domains. 

Technology tools can help your organization manage its third-party risks. First, though, you need to wrap your arms around who owns which functions within TPRM and related programs, and how they work together. From there, analyze processes that perform well, perform poorly, need to be updated or should be thrown out altogether.

It’s vital to understand the value and impact of using the correct solution for the job, and the ability to scale it, design it and execute without limits. A poorly designed system can slow user adoption, leaving your organization vulnerable to third-party threats and disruptions. The best TPRM programs are those that provide supply chain teams with:

• Third-party due diligence to assess and review risks prior to onboarding, as well as at regular intervals throughout the year. Five out of six suppliers that pass an initial due diligence experience a risk event in the next year.
• A risk scorecard for each third party, which is a roll-up of scores for each risk attribute. Risk scores are used for analysis and decision-making, such as whether to onboard a third party, as well as to tier suppliers based on risk profile and criticality.
• Continuous risk monitoring of third-party relationships to review changes that could impact the supplier’s ability to meet its contractual obligations. And when risk intelligence is integrated, such as maritime data, real-time hazard incidents and meteorological forecast, risk reviews are enhanced. Any changes to the third-party risk profile can trigger alerts and automated workflows to generate corrective actions. 

Businesses, commercial carriers, shippers, and third-party logistics providers had already been relying on the Red Sea route to ship goods in the wake of the war on Ukraine, threats to Black Sea Shipping, and drought-related delays at the Panama Canal. With known threats to the Malacca Strait and China’s perennial threat to Taiwan independence, business leaders should shift their thinking to better manage third-party risks, or pay the price of product delays, stockouts and disappointed consumers. 

The optimal way for business leaders to enhance their TPRM programs is to think big, start small, and grow fast. Think big by designing a program that prioritizes risk domains in the supply chain, such as cybersecurity, modern slavery and sustainability, and aligns to business objectives. Start small by building a technology foundation that focuses on one or two critical risks first, to gain immediate business value. Lastly, using your foundation, grow your program quickly by expanding into other risk domains, continuous monitoring, supplier performance management and implementing improvements to processes and technology.