Third Parties – Trusted partner or necessary evil?

By Sean Miles, Head of Operational Risk, Shawbrook Bank

Who knew that Carbon dioxide was used to stun and kill animals for slaughter, cool critical nuclear reactors and keep food fresh and medicines cold amongst other uses? Consequently, Carbon dioxide is a critical product for several industries. So, it shouldn’t be a surprise that when the price of natural gas increased recently, caused by the conflict in Ukraine, the wholesale price of carbon dioxide rose increasing grocery costs in the UK by $2bn. This one example highlights the flow-through impacts of price rises in a supply chain.

Third Parties play an essential, irreplaceable role in the delivery of products and services. This is especially true in the current connected, complex business processes. Outsourcing leverages specialist knowledge and allows organisations to benefit from economies of scale. Outsourcing allows organisations focus on their own unique selling points, enabling them to become more effective and efficient in the process. Whilst surveys suggest that 60%-80% of organisations outsource some part of their business, there is no definitive measure on the scale of outsourcing. I would be amazed, though, to find any organisation that did not outsource some element of their business.

However (there is always a however from a risk managers point of view); whilst organisations can outsource the process, they cannot outsource the risk. Organisations retain the risk of delivering their products and services effectively, securely and profitably whilst taking on risks of third-party performance when outsourcing processes. If organisations are exploit the benefits of Third Parties to deliver products and service to customers effectively, it is critical they understand their end-to-end supply chains and the resultant risks.

Why outsource

Organisations should start their Third-Party Risk Management by setting a risk appetite to define what they will and what they will not outsource. Firstly, an organisation should clearly understand it is unique selling points, which it won’t outsource. Thereafter anything else is fair game, though organisations need to be clear on why they are outsourcing. This is a critical step. If an organisation’s strategy is that it will not outsource product design, there is no point even considering proposals or tenders that include product design.

Having defined a risk appetite and outsourcing strategy, organisations then need to understand the risks and opportunities they are taking on by outsourcing products or services. To do this, organisations should decide what their most important risk drivers are. With respect to outsourcing, the following factors can be used to assess the materiality of the supply:

  • Performance Risks (Will the outsourcer supply the service or products as needed).
  • Financial Risks (both the costs of the service and the health of the provider).
  • Asset Risks (What assets, such as IP, Data, Hardware, or Software etc are affected by the arrangement).
  • Technology Risks (What infrastructure or applications, or what access to systems etc is provided).
  • Geographical, Political Risks (Where is the supplier, supply, service based?).
  • Regulatory, Compliance Risks (What aspects of the product or service are subject to laws or regulations).
  • Customer, Stakeholder Risk (What customers or stakeholders are affected by the arrangements).
  • Resiliency Risk (How resilient is the service? Are there any concentrations or recoverability impacts of the arrangement)?
  • Reputation Risk (Does partnering with the outsource pose any threats to the organisations brand or reputation).

At the outset, the organisation outsourcing its business should be clear on what service or product it wants. The contract should set out clear expectations of both parties in relation to the above drivers. Getting these steps right is key. Neither side should ‘win’ or ‘lose’ the contract negotiations. Starting from such a position sets the wrong tone for future collaborative working. Whilst there should be proper focus on costs and price, these should not be the only drivers.

Effective due diligence is needed to ensure the contract is appropriate and the T&Cs need to give proper weightings to the golden triangle of cost | quality | time if the service and partnership is to succeed.


The contract should supply sufficient oversight to allow the organisation outsourcing their business to oversee the performance of the third party. The required, resultant controls should be commensurate to the risks of the service provided. When calculating the costs of the service sufficient internal resource should be budgeted for to manage the outsource service effectively. Many organisations get this step wrong from the outset and never recover.

Once the contract is complete, it should be regularly reviewed with the supplier. Mike Tyson was right when saying that everyone has a plan until they get punched in the face. In the same spirit, every contract is fine until the service and operation begins. Hence, establishing a collaborative ‘win-win’ relationship at the start and adopting a partnership approach will pay dividends when inevitable issues arise once the service and operation goes live.

Once a contract is agreed with a supplier and the contract goes live, the fun really starts. The organisation will hopefully start to see benefits crystalise as it receives a quality service or product. The Third Party can start to earn revenue and supply a first-class product and service.

It sounds obvious but unless organisations understand how their whole, end to end, supply chain and evolves, they cannot hope to manage ongoing risks. Supply chains can be exceptionally long and blurry. Organisations must protect themselves, their investors and customers, for the host of risks that arise from depending on such a supply chain.

Having identified the core risks outlined above, organisations need to keep their risk assessments up to date as the service progresses. For example, if they had previously decided to outsource your technology to a foreign country, they will need to keep up to date with changes in Sanctions’ regimes and Data sharing arrangements to ensure they can continue to follow prevalent laws and regulations.

The best way organisations can achieve this is by looking to build effective, long-lasting ‘win-win’ partnerships with suppliers, ensuring suppliers understand the business they are servicing and vice versa. Partnering, based on mutual understanding and respect, is the best form of Third-Party Risk management.

This article represents the thoughts of the author and does not necessarily reflect the position of their employer

Hot Topics

Related Articles