“Third party failures can cost companies as much as £783 million per incident” reports Deloitte

Interestingly, these figures show a marked increase since 2015, when large multinational businesses estimated the cost of a third party failure at between £1.6 million and £40 million.

Deloitte’s Extended Enterprise Risk Management Survey* was undertaken between November 2019 and January this year, prior to the outbreak of COVID-19 being declared a global pandemic. At this point, 17% of organisations had faced a high-impact third party risk incident in the past three years. That’s up from 11% in 2019.

Looking at the ways in which they could be financially affected, 30% of respondents thought share prices could fall by 10% or more if a third party incident was not adequately managed.

Kristian Park, risk advisory partner at Deloitte, commented: “Despite an increase in incidents, companies are not yet investing sufficiently in managing third party risk. The COVID-19 pandemic has only highlighted the need for investment in risk management. Companies experienced a wide range of third party incidents at the peak of the pandemic including supply chain, logistics and financial failures, as well as data breaches resulting in fines, all of which can have a significant impact on customer service, regulatory compliance and reputation.”

Investment in responsible business

For the first time in five years, the desire to be a responsible business that effectively manages social and environmental issues throughout its supply chain was one of the key reasons companies have invested resources in third party risk management. Almost half (43%) cited that point as a prime reason for investment. Despite this, a large proportion were still not allocating budget to associated areas. 74% had not allocated funds to manage climate risk, 57% to environmental risk and 54% to modern slavery and labour.

Over half (59%) of respondents thought they were under-investing in extended enterprise risk management, although this fell from 70% last year. Budget for managing third party risk was skewed towards certain areas, including information security, cyber risk, data privacy and Health and Safety. This is predominantly in line with the largest proportion of third party incidents, which were related to cyber risk (23%), bribery corruption (23%) and information security (9%).

Park continued: “The survey shows a desire to develop risk capabilities and to become a responsible business. While efforts were paused at the beginning of the pandemic, these themes are widespread and constant as companies start to recover, particularly so around workplace safety and carbon footprint. Given a growing dependence on critical third party relationships, it’s key that companies act now to protect themselves and their extended enterprise.”