Real-time and Continuous Risk Monitoring

Do you monitor your third parties and suppliers in real-time and continuously? How do you do that? What solutions do you use? 


The numerous and complex interconnections between contemporary corporations and their third-party contributors — including suppliers, consultancies, brokers, partners and financial enterprises — represent exposure to an increasingly diverse range of risks that are often underestimated in their potential to disrupt business. Even when the risks are properly understood, corporations often respond with periodic threat-management programs that cannot safeguard against the continuous and rapidly morphing risks that occur in an increasingly globalized modern world. The consequences of inadequate risk monitoring can be catastrophic.

The Proliferation of Third-Party Participants

Before the spread and eventual dominance of digital communication, even large-scale enterprises used a limited number of third-party suppliers. The difficulty of communicating business status, stability or process health by phone, wire or mail meant that it was often faster and more economical to ramp up capabilities within the parent company. The internet changed all that. A McKinsey position paper on the subject emphasizes that the ease and fluidity of communication between suppliers and buyers increases interactions between them at an accelerated pace. As a result, outsourcing, once too cumbersome, has now become routine.

When, for example, Boeing faced an accelerated schedule for developing the 737 MAX, it created or enhanced relationships with over 600 supply-chain partners. While this made faster development possible, each of these third-party suppliers also represented an increased risk. Multiplied hundreds of times over, that risk became substantial and daunting. Unfortunately, Boeing didn’t understand the extent of its exposure, and the resulting crashes cost hundreds of lives.

After the second crash prompted a careful look at how their various supply components interacted, what became clear was that the Maneuvering Characteristics Augmentation System (MCAS) — an apparently minor software component from a third-party supplier that was added to increase the plane’s operational safety — contributed significantly to both crashes. But as the Seattle Times reported, Boeing’s inspectors (who were authorized to act on behalf of the FAA) were pressured to speed up inspections of this first-of-its-kind system and re-evaluate places where they had previously flagged problems with MCAS in order to keep production of the aircraft moving forward.

Why Risk Assessments Have Limited Utility

Boeing’s misjudgments are not uncommon. Most companies rely on their own employees to make third-party supply risk assessments. But descriptions of defects and other problems that proceed upward from employees to managers frequently go unheard by the senior decision makers who need to hear them. Human beings generally have a built-in aversion to conveying bad news to authorities who may not want to hear it — a problem represented in the admonishment against “shooting the messenger.” This is why, for example, although all large financial institutions have internal watchdogs, they’re also monitored by the Securities and Exchange Commission and other outside regulators. It’s a fundamental truth that objective, effective risk assessments need to come from an independent source outside the institutions at risk.

Why Focused Monitoring on Cyber and Financial Risks Isn’t Enough

As companies become more aware of the need to assess the risks inherent in relationships with third parties, they may employ an outside firm with specific expertise in the same enterprise area to do the monitoring. Hi-tech firms, for example, may focus only on cyber threats and hire a third party with particular expertise in them.

The problem with this approach is that it’s in the nature of threats to have chaotic rather than rational roots. A monitoring firm with cyber expertise, for example, may concentrate on technological network deficiencies, while the risk that eventually emerges has nothing to do with technology or networks. A third-party supplier, for instance, may have financial problems that rapidly worsen to become a collapse and create a severe supply shortage. Similarly, an agricultural supplier may have an excellent product reputation but still fail suddenly as a climate event reduces product output below the break-even point. Failure can have a nearly infinite number of causes and can arise at any time and anywhere in the world, which makes it a necessity to pursue the widest possible kind of business disruption threat monitoring.

Why Periodic Monitoring Is Inherently Inadequate

Perhaps the biggest obstacle to effective threat reduction is, ironically, a practice that was once considered standard: point-in-time/periodic risk management. Companies traditionally assessed third-party risks through reviews that might be quarterly or, more commonly, annually or even biennially. There have always been inadequacies with this approach, but the shortcomings have become more apparent with the increased use of third parties and the maturation of digital technologies, where seemingly insignificant threats can grow rapidly and morph unpredictably.

Technological advances, for instance, have made it more and more difficult to accurately assess the real source of a digital communication, so that periodic reviews, no matter how frequent, can’t spot a destructive threat that can become fully active within hours and without warning. A 2019 University of California study, for example, notes that very recent developments in artificial intelligence threaten the reliability of online medical data—methods of communication that were adequately protected a month or even a week ago may no longer be safe.

How serious can these threats become? In reality, they’re already significant. Over 2,000 interviews conducted worldwide with major corporations in 2018 by the Ponemon Institute determined that a quarter of them had suffered significant data breaches and lost business because of them. Most of these originated with a third-party supplier. Moreover, these incidents have increased year after year, both in number and in the amount of financial damage caused. Frequent triggers are failure among third-party suppliers, destructive events (many of them climatological) and threats occasioned by technology itself.

Elevate Your Risk Program to Continuous and Real-time Monitoring

Enterprises today need an ongoing and in-depth understanding of worldwide risks. As supply-chain risks have risen dramatically, a commitment to ongoing monitoring of all third parties, by fully committed risk-assessment professionals using the best available wide-ranging means, is now a necessity. A third-party risk management solution like Supply Wisdom makes this possible, thanks to our continuous and real-time ability to monitor, verify and analyze third-party and location risks globally across fourteen different risk categories with more than 300 different risk parameters. This approach allows companies not only to react swiftly when a risk event occurs but also to predict when and where risk events will happen — allowing them to take proactive steps to safeguard their supply chain before disruptions occur.

About the Author

Patrick Gleeson holds a doctorate in 18th-century English literature, has more than 15 years of investment-management experience, and is a FINRA registered investment advisor. He has contributed hundreds of financial articles to U.S. print and online publications. In his spare time he performs his own compositions at electronic music festivals, most recently Moogfest.
