The business world is constantly changing, at a pace which humans are not able to catch up with. The premise of machines taking over the most tedious, low value-adding business processes is very attractive from a budget and cost cutting perspective, which is so prevalent in the current low interest rate environment. From Boston Dynamics’ robots replacing humans in physical activities to medical nanobots correcting human bodies through to financial bots taking care of human’s investment decisions – automation and artificial intelligence are taking the world of commerce by storm and it is unstoppable.
One of the earliest adopted trends – robotic process automation – allows firms to reduce the cost of outsourced activities, however there is one aspect of outsourcing and automation which requires special attention, i.e. third party risk management. It is becoming an ever increasing problem for Chief Risk Officers of global organisations operating in a modular economy, in which the majority of business processes are executed beyond organisational boundaries.
How to assess and mitigate third party risk?
In my previous article1, I have introduced the concept of economic supply chain risk capital (ESCRC) which is a useful tool that helps managers to quantify and mitigate (or transfer) their third party risk exposure. In the wake of cyber threats, this approach becomes even more important as many firms rely on shared cloud resources, such as Amazon Web Services or Microsoft Azure. These services are often used to outsource even the most critical business processes. The associated concentration risk is hard to identify and manage if you don’t look beyond your own organisation.
In the age of modular economy, financial services and manufacturing firms are buying more and more new technologies than ever before. By doing so, they can offer enhanced services to their clients without having to develop them in-house (and later on maintain the costly IT infrastructure). However, the reliance on external service providers bears supplier risks that include facilities in geographical locations prone to disruptions, incompatible cultures, activities being further outsourced to unidentified suppliers, wrong business practices or even costly law breaches in countries that have very different local labour laws.
Supplier development is an important business practice that can help to bring your suppliers to the next level, however, it is costly and time consuming. In that new reality, ESCRC is a tool that can help you to make the decision on which suppliers to develop and which business relationships to wind down.
A practical example of using ESCRC
As an example, think of an SME managing a global complex supply chain for high-tech manufacturing with its factories and supplier base exposed to disruptions in Thailand and Japan. For this manufacturer and auto supplier, business continuity and loss of profit must be managed as top priority. The firm had only limited information about its first tier suppliers, not to mention sub-suppliers further in the supply chain. But even with this partial information, the company’s management did not have to waste resources on mapping the entire supply chain. The company selected their most critical products and began to collect data on products, suppliers and trajectory. In the second step, the firm polled its staff about historical occurrences of disruptions, likelihood and times to recovery. Based on this data, ESCRC was computed, revealing aggregated information about expected losses and profit at risk in the next year’s time horizon.
Furthermore, several strategies to minimise impact of systemic risk could be tested (such as the relocation of the factory, supplier switching or reallocation of purchasing volume). A focus on their most critical business case was enough to assess the company’s third party risk profile and help to decide what it can afford to lose in the most conservative worst case scenario (and hence helped to define the firm’s risk appetite).
The study revealed several surprising and important insights:
- Procurement managers normally focus on stock keeping units with the highest spend, but a low-volume component actually had the biggest impact on profit-at-risk.
- Alternative or backup suppliers do not guarantee business continuity. Normally companies do not look at all the different risk types and their differentiated impacts. Only the statistical modelling of ESCRC revealed the impact of these very real effects.
- Further testing revealed trade-offs and identified which suppliers were worth keeping based on their
individual reliability.
A forward looking approach to third party risk management
As the above case study shows, third party risk can be understood, measured, owned and mitigated in a forward looking fashion if statistical risk measurement techniques like ESCRC are carefully applied with enough high quality data. Future development of this methodology includes macroeconomic variables and scenario consistent simulation of future states of the world, in which value added activities are becoming more and more fragmented and performed in locations where they can be done most efficiently. From this even more sophisticated third party risk management strategies can be evaluated by the digital risk manager of the future.
Machine learning is another potential avenue to be explored for even more comprehensive model formulation that predicts future supply chain disruptions based on similar events happening elsewhere in the business ecosystems. For this to happen, both vast amounts of internal and external data and computing power is already available and ready to be applied to assess third party risk in complex supply chain network that your organisation is inevitably part of.
This article was originally published in The European Financial Review on 23 December 2019. It can be accessed here: https://www.europeanfinancialreview.com/managing-risk-in-a-modular-economy/
About the Author
Kamil J. Mizgier works as Group Manager, Model Development in the area of Enterprise Risk Analytics in the financial services industry. Until 2016, he was a Senior Researcher in Supply Chain Management at ETH Zurich. Prior to this role, he gained professional experience in risk modeling at Credit Suisse, UBS and Aduno Group in Zurich. He has published several academic and practitioner articles on supply chain and operational risk management, supply chain networks and economic risk capital. He obtained a Master’s degree in Applied Physics from the Warsaw University of Technology and a PhD from the Department of Management, Technology and Economics at ETH Zurich.
Reference
1. Mizgier, Kamil J. (2018): On Economic Supply Chain Risk Capital, The European Financial Review, August/September 2018.