Tackling Nth party risk for a safe supply chain
Supply chains are increasingly complex, with risks extending far beyond direct suppliers. Leonard McAuliffe explores how businesses can manage Nth party risk to ensure resilience and compliance
The supply chain ecosystem has evolved into a complex network of interconnected technologies and relationships.
This complexity is driven by rising reliance on an expanding supplier landscape for the delivery of critical business operations.
While these interconnections create opportunities for efficiency and innovation, they also introduce potential risks and threats.
Organisations and regulators across sectors have recognised the significant role of suppliers, particularly where reliance on the same suppliers across a geography, supply chain or industry creates concentration risk.
Common risks include information security vulnerabilities, operational disruptions, compliance issues, financial loss and reputational threat.
The complexity of today’s supply chain ecosystem has given rise to the need for organisations to consider the concept of ‘Nth party risk’, extending the traditional concept of third-party risk management.
What is Nth party risk?
Nth party risk refers to the broader risk landscape that lies beyond an organisation’s direct (third-party) suppliers, extending deeper into the supply chain to include fourth, fifth and even sixth parties.
Managing Nth party risk involves gaining visibility into these extended relationships to identify potential vulnerabilities and implement the right mitigation strategies.
This approach can help organisations reduce the overall risk profile of their supply chain and build greater resilience against disruption.
This topic has become an increasing focus for regulators with mandated requirements both here in Ireland and further afield.
In Ireland, the relevant requirements come from the General Data Protection Regulation (GDPR), which makes controllers and processors accountable for the sub-processors they engage; the European Union's Digital Operational Resilience Act (DORA), whose ICT third-party risk rules extend to subcontracting chains; and the second Network and Information Security Directive (NIS2), which requires supply chain security measures. Together they are indicative of a broader EU initiative to raise digital security standards.
These regulations hold organisations accountable for risks that sit deeper in their extended supply chain, not only at their direct suppliers, with the aim of stronger operational resilience and data protection.
Such legislative frameworks mark a significant step in reinforcing digital security and operational integrity across sectors in Ireland.
Nth party risk: management challenges
As organisations begin to build capability to apply Nth party risk management practices, we’ve noticed the following challenges:
- Achieving visibility of organisations deeper in the supply chain (e.g. fourth and fifth parties).
- Developing a fit-for-purpose approach, including the right level of depth of assessment and oversight.
- Understanding the dependencies between your Nth party relationships and the impact of a disruption event, such as a cybersecurity breach or a technology outage.
- Maintaining accurate and relevant information, which can be resource-intensive and time-consuming.
Nth party risk: management approach
Several better practice approaches are emerging across the globe:
- Leveraging advanced technology: Use technologies, such as artificial intelligence, to gain real-time insights and enhance transparency across the entire supply chain. These technologies can automate monitoring processes, identify anomalies and enhance reporting capability to address potential risks proactively.
- Developing a risk management framework: Create a framework to provide governance and guardrails for your Nth party risk management processes. Define the assessment approach for fourth and fifth parties across the lifecycle of your suppliers.
- Identifying critical suppliers further down the supply chain: Conduct assessments to pinpoint which suppliers, beyond your immediate third-party partners, play a key role in your operations (fourth, fifth and even sixth-party suppliers). AI-based capabilities can help execute additional supplier risk assessments and questionnaires, allowing valuable human effort to focus on analysing key data.
- Identifying potential concentration risks: Through assessment of your critical suppliers, consider the risks that cohorts of suppliers may present, for example several of your third parties that all depend on the same fourth-party provider, so that a single outage there disrupts multiple services at once. The increasing availability of AI capability in this field can help identify where you have areas of concentration risk.
- Uncovering your key suppliers’ dependencies: Map out the dependencies your primary suppliers have with other entities within the supply chain. This involves identifying their key suppliers to ensure you are aware of potential vulnerabilities and can implement safeguards against disruptions. Data feeds and discovery features from industry-leading technology platforms can support the identification of key dependencies.
- Gathering meaningful data points: Collect and analyse data from all levels of the supply chain to build a comprehensive risk profile, allowing for informed decision-making and prioritisation.
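The dependency mapping and concentration analysis described in the list above can be made concrete once supplier relationships are recorded as a graph. The following is an added example, not code from the article or from PwC: it walks a constructed supplier graph outward from the organisation, assigns each supplier its tier (third, fourth, fifth party), inverts the chains to show which direct suppliers each Nth party sits behind, and flags Nth parties shared by several direct suppliers as concentration hotspots. All supplier names and the graph itself are constructed placeholders.

```python
"""Added example: tiering an Nth-party supplier graph and finding concentration.
Illustrative code only; not from the article or PwC. Supplier names are constructed."""
from collections import defaultdict, deque

# Constructed sample data. Each key depends on every supplier in its list.
# "OurOrg" is the organisation being assessed; its direct suppliers are the
# third parties, their suppliers are fourth parties, and so on.
SUPPLY_GRAPH = {
    "OurOrg": ["PayCo", "CRM-SaaS", "HR-Portal"],
    "PayCo": ["CloudHostA", "KYC-Vendor"],
    "CRM-SaaS": ["CloudHostA", "EmailRelay"],
    "HR-Portal": ["CloudHostB"],
    "KYC-Vendor": ["CloudHostA"],
    "EmailRelay": ["DNS-Provider"],
    "CloudHostA": ["DNS-Provider"],
    "CloudHostB": [],
    "DNS-Provider": [],
}


def tier_map(graph, root):
    """Breadth-first walk from the organisation. Tier 3 = direct supplier,
    tier 4 = supplier of a supplier, and so on. A supplier reachable at several
    depths is given its closest tier, which is where oversight applies first.
    Cycles in real supplier data (A relies on B, B relies on A) are tolerated
    because each node is recorded once."""
    tiers = {}
    queue = deque([(root, 2)])
    while queue:
        node, tier = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in tiers:
                tiers[dep] = tier + 1
                queue.append((dep, tier + 1))
    return tiers


def transitive_deps(graph, start):
    """Every supplier the given node depends on, directly or indirectly."""
    seen, stack = set(), list(graph.get(start, []))
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return seen


def third_party_exposure(graph, root):
    """Invert the chains: for each Nth party, the set of our direct suppliers
    whose service would be disrupted if that Nth party failed. Direct suppliers
    are dropped from the result because they are already under oversight."""
    exposure = defaultdict(set)
    direct = set(graph.get(root, []))
    for third_party in direct:
        for dep in transitive_deps(graph, third_party):
            exposure[dep].add(third_party)
    return {k: v for k, v in exposure.items() if k not in direct}


def concentration_hotspots(graph, root, min_dependents=2):
    """Nth parties relied on by at least `min_dependents` direct suppliers.
    One outage here hits several services at once, although no single
    third-party assessment would show it. Most shared first, then closest tier."""
    tiers = tier_map(graph, root)
    exposure = third_party_exposure(graph, root)
    hotspots = [
        (supplier, tiers[supplier], sorted(dependents))
        for supplier, dependents in exposure.items()
        if len(dependents) >= min_dependents
    ]
    hotspots.sort(key=lambda h: (-len(h[2]), h[1], h[0]))
    return hotspots


if __name__ == "__main__":
    for supplier, tier, dependents in concentration_hotspots(SUPPLY_GRAPH, "OurOrg"):
        print(f"tier {tier} {supplier}: relied on by {', '.join(dependents)}")
```

In the constructed graph, CloudHostA (a fourth party) and DNS-Provider (a fifth party, reached only through CloudHostA and EmailRelay) each sit behind two of the three direct suppliers, so both are reported as hotspots even though neither appears in the organisation's own contracts. The same inversion answers the disruption question from the challenges list: look up a failed supplier in the exposure map to see which direct services it takes down.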
Governance, technology and collaboration
Ultimately, managing Nth party risk in today’s complex supply chain environment requires a strategic approach combining governance, technology and collaboration.
Organisations must extend oversight beyond direct suppliers to ensure a comprehensive understanding of their risk landscape and implement effective risk management practices.
In doing so, they can safeguard their operations, enhance resilience and maintain compliance in an ever-evolving regulatory environment.
Leonard McAuliffe is Partner, Cybersecurity, PwC Ireland