Supply Chain and Third-Party Risk Management Considerations

In a recent DHG Manufacturing, Distribution & Retail industry survey, 67 percent of respondents noted that supply chain interruption is one of the top three risks to their business. Furthermore, 77 percent said that the COVID-19 pandemic has impacted their supply chain. As a result, 52 percent of those surveyed plan to qualify secondary vendors, and another 31 percent plan to utilize more domestic suppliers. Depending on the products, some companies cannot produce enough to meet demand (e.g., home fitness equipment), while many others are struggling to move product (e.g., restaurants and brick-and-mortar retailers). With the pivot in business models and practices, risks associated with third-party management will increase significantly. Additionally, companies are evaluating their inventory levels and challenging historical approaches to monitoring raw materials and finished goods levels.

Third-Party Risk Management (TPRM)

Companies are beginning to rationalize their suppliers and give more consideration to the location from which their materials come. This is coupled with a more “nationalist” sentiment about sourcing domestically rather than internationally. Another trend is qualifying secondary (or back-up) vendors and spreading the risk across geographies and industries. Although a sound strategy, onboarding new suppliers too rapidly, without performing the appropriate due diligence, risks allowing lower-quality or even counterfeit materials into the supply chain. Under pressure to adapt and perform, some supply chain personnel may succumb to bribery and other nefarious schemes to secure the raw materials and supplies the company needs to continue operating at a certain level. Supply chain disruption is a strong incentive for companies to review their TPRM program and determine whether revisions are needed.

How to Create a TPRM Program

Management should create an inventory of their third parties, including those in the supply chain, by reaching out to all departments with authority to enter into third-party contracts. To confirm that this population is complete, companies should also consider reviewing certain expense line items to detect contracts that were not reported. At a minimum, companies should be able to identify all of their third-party relationships and understand the nature of each one. Ideally, they should be able to evaluate the types of risks associated with each third party and prioritize them by severity and likelihood of exposure. Third-party relationship analyses should be completed at an enterprise-wide level, which will highlight concentrations of exposure to individual third parties as well as concentrations by risk type.

Companies will then be able to prioritize, with the highest concentrations of the highest risks garnering the most attention. For a manufacturer, considerations might include which raw materials are the most critical to have on hand versus those that have substitutes. They might also include the company’s ability to source the materials from a secondary vendor and the financial and operational impact of doing so.

Typically, third-party vendors are first subject to a due diligence review that evaluates the quality of their operations and helps define their inherent risk profiles and long-term viability. Once the review is completed, a company must assess additional risks associated with the third party relative to data security, customer interaction, brand reputation, liability, fraud, intellectual property rights, business continuity and geopolitical issues. A determination can then be made, from a risk acceptance or mitigation perspective, as to whether the risks posed by the potential third party can be remediated contractually or mitigated to an acceptable level by internal controls at the company.

To achieve the most impactful program, companies should establish a single TPRM framework that is applied consistently across the entire company. The framework should address all dimensions of the company’s third-party relationships: alignment with the company’s business strategies and goals, the selection of third-party providers and the contractual agreements made with them, the ongoing oversight and monitoring requirements, and the processes for terminating relationships as risk exposures change. Sourcing strategies will change, and, as mentioned above, the inventory of third-party providers is dynamic, with new risks and disruptors constantly emerging. These combined inputs create a highly complex situation that has the potential to cause significant disruption and distraction if outlier risks are not adequately identified and controlled.

A centralized, comprehensive and integrated third-party oversight framework should become the lever for managing the influence of outside sources on this system. Risk is inherent to business; therefore, in order to drive performance and growth, businesses must understand and effectively manage risks related to their supply chain and third-party providers.


Conventional risk assessment considers two dimensions: likelihood of occurrence and magnitude of impact. Some of the more mature assessments have started to address velocity, the speed at which a risk materializes, as a third consideration. The speed at which the pandemic impacted and disrupted many companies’ supply chains emphasizes the importance of a well-structured TPRM framework for maintaining uninterrupted business operations. For more information about TPRM frameworks and supply chain management, reach out to us at


Mike Dempsey
Senior Manager, DHG Risk Advisory

© Dixon Hughes Goodman LLP. All rights reserved.
DHG is registered in the U.S. Patent and Trademark Office to Dixon Hughes Goodman LLP.