
The benefits of taking a data-driven approach to risk

The events of the past two years mean it’s more important than ever that organisations understand the full range of risks to which they are exposed. The use of data and effective supplier – or ‘third party’ – assessments can help them to do just that.

The risks modern organisations face have never been more clearly illustrated than over the past couple of years. A global pandemic, war in Europe and subsequent impact on trade, and the rising cost of living are all evidence of how volatile the business landscape is, and that’s on top of the perennial dangers organisations face.

A report by SAP highlights just how damaging this has been; 66% of UK businesses have experienced delays as a result, 64% have seen revenues decrease and 58% have lost customers. Perhaps even more concerningly, a quarter (23%) believe their supply chain problems will not have improved by the summer of 2023.

66% of UK businesses have experienced delays

64% of UK businesses have seen their revenues decrease

23% of UK businesses believe their supply chain problems will not have improved by the summer of 2023

For those working in supply chain and procurement functions, this has only served to increase the focus on risk, and the need to ensure they understand not only the direct dangers posed to their operations but also those that could impact, or stem from, their supply chains.

This can be problematic. “Modern supply chains are so extended that many organisations may be putting themselves at risk from organisations they do not have any direct involvement with,” points out Simon Chard, managing director global business development of KY3P®, at S&P Global. “They may know who their suppliers are, but they don’t necessarily know who their suppliers’ suppliers are.”

The increased risk is compounded by just how interlinked supply chains are, meaning the possible consequences of an incident are felt more widely. “Today’s modern world is more interconnected while at the same time supply chains are as lean as they have ever been,” says Nicolas Walden, senior director and UK procurement advisory program leader at The Hackett Group. “Without built-in shock absorbers, this means any disruption or volatility flows quickly throughout markets and supply chains, as seen in recent macro events of lockdowns, the pandemic, wars and new regulations having potentially catastrophic effects on business and supply chains.”


The risk landscape is changing


“It is broadly recognised that the emphasis in the past has largely focused on financial risks with a corresponding approach and risk methodologies,” said David L Loseby, former Group CPO at Rolls Royce. Further, the risk landscape will continue to evolve and change relative to the dynamics of the VUCA (Volatility, Uncertainty, Complexity, and Ambiguity) world we currently operate in.

“More recently the Federation of European Risk Management Associations (FERMA) and others have recognised that this needs to be more comprehensive within the organisation and across its entire supply chain (all tiers) to embrace wider and broader criteria.”

The risks organisations face today from their supply chains typically fall into four categories, says Andrew Black, a principal at consultancy Efficio. These include financial, where the viability of suppliers is threatened; health, safety and environmental, social and governance (ESG); cyber; and reputational, which underpins the other three as well as encompassing other threats such as inadvertently trading with a supplier in a country currently under sanctions.

80% experienced a significant cyber security incident in the past two years

Cyber is a particular threat, with more than 80% of companies experiencing a significant cyber security incident in the past two years, according to research by Gartner. There are different levels of risk here, says Mark James, senior consultant at compliance firm DQM GRC. “From a data protection perspective an organisation, or controller, has a legal and accountable obligation to determine how data is processed,” he says.

“If a third party has weak processes that pose a risk, and as a consequence are breached, the controller could have liability. Some third parties will pose greater risk – for example, a third party that hosts all of your IT, and is subsequently breached, could see operations of the organisation ceasing.”

Some industries do better than others

How well different industries and sectors approach the wide range of risks currently varies, raising the prospect of some over-emphasising certain threats while simultaneously not paying enough attention to others. “Manufacturing, retail or FMCG companies tend to be more mature than others and are often laser-focused on complex supply risk and financial risks,” says Walden. “Services companies adopt a different lens and are primarily focused on top risks relating to information security and regulatory risk.”

Any kind of safety risk has always been a priority for businesses in certain sectors, such as energy, utilities and pharmaceuticals, says Chard. “Checking safety had a different meaning in financial services, but cyber has always been viewed as a risk, so there are some interesting lessons learned from industry to industry,” he adds. “Financial services firms are more than ever looking to see where they could learn from others.”

Even leading organisations, though, struggle when it comes to dealing with fourth-party risk. “Regulated industries such as financial services and healthcare tend to be more mature in identifying and mitigating risk,” agrees Sri Rangachary, senior director at global technology research and advisory firm ISG. “But even they may not recognise risks that are deeply embedded in their supply chain.

“Those risks might not be within their immediate third parties but could be further down the chain. Other industries – such as manufacturing and hospitality – have recognised the need to mitigate third-party risk in their extensive supply chains. This has been partly driven by the disruption of the pandemic, but also by an increasingly globalised supply chain.”

For some organisations, there’s a danger of over-prioritising risks which may generate significant attention among consumers and the media but may not be the most likely to occur. “Some companies more recently have shown greater interest in considering geo-political or PESTEL-related risks in decision-making, for example, over-reliance on China, technological or social impacts, and even ‘black swan’ risks which are very low probability yet catastrophic if they occur,” says Walden. “In between there has been a much greater focus on cyber, data, reputation and brand-related risks across all spend areas.”


Data can help businesses manage risk

The growing breadth and depth of the risk organisations face means it’s no longer enough to rely on gut instinct when it comes to assessing and monitoring threats, or to hone in on one particular risk at the expense of others. “In the past, organisations have typically focused most of their time on monitoring the financial risks of their suppliers, partly because risks to continued supply of materials and services tended to be the major priority for management and partly because it is by far the easiest to assess from the outside,” says Black.

“But as the range of risks being assessed multiplies, organisations will need to get access to better, but harder-to-find data, and realise that proper monitoring of third-party risk will require some collaboration with those suppliers, either in the form of contractual KPIs or informal information sharing.”

Data is now playing a critical role in helping organisations assess and prioritise the various risks they face. “Organisations can now exploit insight from an increasingly sophisticated set of risk data sources across a range of domains from ESG to cyber to financial risk,” points out Chard. “An example over recent years is the emergence of cyber-scoring organisations such as Security Scorecard that score companies in relation to their cyber health. They do that through various metrics, in a similar way to how credit rating agencies such as S&P Global do in the financial space.”

This approach can be adopted for all suppliers across key risk areas such as anti-bribery and corruption, environmental credentials, financial health, IT security, data privacy and business continuity, he adds. Performance can be assessed using frameworks and industry standards such as the new UK Finance Supplier Assurance Framework.

The use of data means such analysis can be carried out throughout an organisation’s supply chain. “Increasingly many teams are focusing on external intelligence sources and going deeper into the composition of supply chains, for example, lower-tier suppliers, parts, components, and ingredients – all the way back to original sources,” says Walden. “Information comes from many sources, including mapping and surveys, tapping into third-party databases or through collecting social and sentiment data.”


Ongoing, third-party assessments

In today’s fast-moving environment, using external sources such as sanctions data and news alerts is just as important as an initial assessment. These assessments can cover a range of threats, including financial, Euromoney Country Risk (ECR) or location risk, ESG, cyber and the risk of a data breach.

“Real-time data will give you the information you need to comply with fast-changing requirements such as the kind of sanctions we’re seeing against Russia and Belarus,” points out Rangachary. “You should also monitor for adverse news or controversies that affect third-party suppliers, in case you have to course-correct at short notice.”

For more critical suppliers, businesses may want to go beyond data feeds, and engage directly with suppliers, or suppliers’ suppliers, to conduct third-party assessments. “Firms will either use a shared utility such as KY3P®, their own teams or consultants to validate controls or other aspects of organisational performance,” says Chard.

Using a dedicated third-party assessment firm means suppliers only have to go through one process for multiple clients, he adds, using a standard framework; something that will be appealing to them and could help organisations become customers of choice in competitive categories.

As Simon Chard points out, monitoring the financial health of suppliers also remains important not just to ensure they remain viable but because this also gives an indication of how vulnerable they are to other risks. “Financial health is almost like a buffer against all these other issues,” he says. “As we move into a period where more organisations are going to come under more financial pressure with rising interest rates and inflation, that will probably lead to an uptick in some of the other challenges that they’re going to face and will impact on their ability to deal with them.”

It’s a responsibility that needs to be shared across different functions, states Walden. “At an enterprise group level, the risk and compliance team will take ultimate responsibility for risk under direction of the executive board,” he says. “Procurement and supply chain as part of the overall risk framework need to take a leadership role in third-party and supply risks. Managing risk is a group sport, requiring the participation of many different stakeholders across the company and externally.”

It makes good business sense


Organisations from all sectors understand the need to have an effective risk management strategy, even if many feel they will struggle to keep on top of it on their own in a rapidly changing landscape. “If you don’t have this visibility and you do experience a major incident, it takes a significant amount of senior leaders’ time and resources to manage,” says Chard. “We’ve seen in various areas, including cyber, that it can be hugely disruptive if you’re not planned, tested and prepared.”

From a practical perspective, the benefits of taking a data-driven and more proactive and predictive approach to risk are evident. “It means, for example, that businesses can receive early warnings of delays or disruptions in shipping, shortages of key components due to a factory fire, or a key supplier impacted by a cyber-attack or compliance issue rather than waiting for the goods to miss their scheduled delivery date or a force majeure notice,” points out Walden.

Ultimately, the biggest driver for having an effective grasp on risk, including monitoring how this may change over time, is that it simply makes good business sense. “Companies effectively managing risk will logically outperform competitors in terms of customer satisfaction, revenue, cost control and, ultimately, profitability,” concludes Walden. “After all, if we cannot supply, we cannot sell.”

S&P Global
KY3P®
To find out more about how S&P
could help your business, go to:
https://ihsmarkit.com/cpo
