Looking beyond third parties: Tackling “Nth party risk” with the help of technology

  • “Nth party risk” extends the traditional concept of third-party risk management in supply chains to include fourth, fifth and even sixth parties.
  • It’s an increasing focus for regulators with mandated requirements.
  • Use of leading technologies, including AI, is key to unlocking true value.

The supply chain ecosystem has evolved into a complex network of interconnected technologies and relationships. This complexity is driven by the increasing reliance on an expanding supplier landscape for the delivery of critical business operations. 

While these interconnections create opportunities for efficiency and innovation, they also introduce potential risks and threats. Organisations and regulators across sectors have identified the significant role of suppliers, particularly where the use of the same suppliers across a geography, supply chain or industry creates significant concentration risks. This trend has highlighted a need for organisations to consider the concept of Nth party risk, extending the traditional concept of third-party risk management. In this article, we explore exactly what it is, some examples of real-world disruptions, and how and why you can better manage the risk.

What is Nth party risk?

Nth party risk refers to the broader risk landscape that lies beyond an organisation’s direct (third-party) suppliers – extending deeper into the supply chain to include fourth, fifth and even sixth parties. Managing Nth party risk involves gaining visibility into these extended relationships to identify potential vulnerabilities and implement the right mitigation strategies. This approach enables organisations to reduce the overall risk profile of their supply chain and build greater resilience against disruption.

This topic has become an increasing focus for regulators, with mandated requirements both here in Australia through the CPS230 standard and the Security of Critical Infrastructure (SOCI) Act, and further afield in the EU through the Digital Operational Resilience Act (DORA). The intent of this legislation and these standards is to place further accountability on organisations to manage downstream risks across the extended network in their supply chain.

Examples: Real-world impacts of Nth party risk

  1. Software providers have become an attractive target for cyber threat actors, as shown by a previous data breach in which a zero-day vulnerability was exploited in a file transfer solution. This solution was used across industry sectors to share data throughout the supply chain, and the breach led to both customer and employee data being obtained, impacting over 62 million people.
  2. A flawed software update from a technology provider caused a significant IT outage, affecting millions of systems globally and resulting in severe disruptions across various sectors. Importantly, it was not just direct customers of the provider who were impacted, as the outage had a widespread effect on multiple elements of supply chains.

What are the key challenges?

As organisations begin to build capability to apply Nth party risk management practices, we’ve noticed the following challenges:

  • Achieving visibility of organisations which are deeper in the supply chain (e.g. fourth and fifth parties).
  • Developing a fit-for-purpose approach including the right level of depth of assessment and oversight.
  • Understanding the dependencies between your Nth party relationships and the impact of a disruption event such as a cybersecurity breach or a technology outage.
  • Maintaining accurate and relevant information can be resource-intensive and time-consuming.

How can organisations approach Nth party risk management?

Below we have listed some of the better practice approaches that are emerging across the globe:

  • Leverage advanced technology: Use technologies, such as artificial intelligence, to gain real-time insights and enhance transparency across the entire supply chain. These technologies can automate monitoring processes, identify anomalies and enhance reporting capability to proactively address potential risks.
  • Develop an Nth party risk management framework: Create a framework to provide governance and guardrails for your Nth party risk management processes. Define the assessment approach for fourth and fifth parties, across the lifecycle of your suppliers.
  • Identify critical suppliers further down the supply chain: Conduct assessments to pinpoint which suppliers, beyond your immediate third-party partners, play a key role in your operations (fourth, fifth and even sixth-party suppliers). AI-based capabilities can help execute additional supplier risk assessments and questionnaires, allowing valuable human effort to be spent analysing key data.
  • Identify potential concentration risks: Through assessment and consideration of your critical suppliers, consider the risks cohorts of suppliers may present to your organisation. Increasing availability of artificial intelligence capability in this field can identify where you have areas of concentration risk.
  • Uncover dependencies of your key suppliers: Map out the dependencies your primary suppliers have with other entities within the supply chain. This involves identifying their key suppliers to ensure that you are aware of potential vulnerabilities, and can implement safeguards against disruptions. Data feeds and discovery features from industry leading technology platforms can support the identification of key dependencies.
  • Gather meaningful data points: Collect and analyse data from all levels of the supply chain to build a comprehensive risk profile, to allow for informed decision-making and prioritisation.

What is the value of managing Nth party risk?

  • Improved supply chain efficiency: Understanding and managing the risks with Nth parties can improve efficiency and reliability, through better delivery times, reduced disruptions and optimised operations.
  • Long-term cost savings: Proactively managing risks associated with Nth parties can prevent costly disruptive incidents. By identifying and mitigating risks early, organisations can avoid significant financial losses.
  • Potential competitive advantages: Strong risk management practices can be a differentiator, enhancing customer trust and loyalty and making the organisation a more attractive partner or supplier.

Final thoughts

Ultimately, managing Nth party risk in today’s complex supply chain environment requires a strategic approach that combines governance, technology and collaboration. Organisations must extend their oversight beyond direct suppliers to ensure a comprehensive understanding of their risk landscape and implement effective risk management practices. By doing so, they can safeguard their operations, enhance resilience and maintain compliance in an ever-evolving regulatory environment.

Interested in managing Nth party risk more effectively? Connect with Pia Chakravarti, Michael Boddie or Matthew Griffin to explore how we can help.


Contact the authors

Pia Chakravarti

Partner, Advisory, PwC Australia


Michael Boddie

Senior Manager, Advisory, PwC Australia


Matthew Griffin

Senior Manager, Advisory, PwC Australia
