Third party and supply chain risk management

Ken Stoneham

Partner, PwC Canada

Finding the hidden risks—and value—in your extended enterprise

Organizations often have an obscured view of the risks that suppliers and other third parties pose to their operations, reputation and bottom line. Increasingly complex supply chains and outsourcing arrangements can hinder your ability to spot lax cybersecurity controls, logistics vulnerabilities or unethical behaviour among subcontractors and fourth, fifth and nth parties (suppliers of suppliers, and so on). The results can have tangible implications for your business: sensitive client data can be leaked, orders can be delayed and products made from materials sourced through forced labour can land on your shelves—all of which can lead to losing customers, market share and your brand reputation.

Different organizations are at different stages of developing their approach to managing third-party risk. While some businesses still treat it as a procurement-driven issue focused on compliance and business continuity, others are using it to support their business strategy and growth ambitions. Regardless of your own organization’s starting point, new opportunities are emerging to make third-party risk management (TPRM) a source of value. We’ve seen how organizations that take a predictive and proactive approach to managing third-party risks can enter new partnerships with confidence while building and retaining trust with customers.


of Canadian organizations say operational risks, including supplier/third-party risks, are among the most concerning threats to their revenue.

Staying ahead of the evolving regulatory landscape

TPRM is already a compliance requirement in some industries. For example, federally regulated financial institutions—a bellwether sector that often foreshadows compliance obligations for other industries—are currently navigating new draft TPRM expectations.

Elsewhere, new cybersecurity incident reporting and privacy laws are emerging as the cyber risks associated with organizations’ dependence on third-party vendors multiply. But as we saw in our 2022 Digital Trust Insights report, relatively few organizations are responding to these escalating threats. For example, only 51% of Canadian respondents say they audit or verify the security posture and compliance of third parties or suppliers.

Validating that your suppliers have strong safeguards in place is critical to protecting the trust you’ve built with your customers.

It’s not only regulators who are pushing organizations to consider their third-party risks more closely. Customers want to know their sensitive data is protected and are holding businesses to higher environmental, social and governance (ESG) standards. We saw this come into sharp focus for retailers in our latest Consumer Insights survey. Approximately three in five (59%) Canadian consumers say the protection of their personal information greatly influences their trust in a brand. And nearly half (46%) say social factors such as a company’s support for human rights—an issue often intertwined with a company’s supply chain—often or always affects their trust in a company. 

As you think about your own approach to TPRM, it’s helpful to reflect on the following questions:

  • Do your stakeholders have clear roles and responsibilities for managing third-party risks?
  • Do you maintain an inventory of your third-party relationships?
  • Do your risk assessments go beyond information security and business continuity management?
  • Do you have visibility into your extended supply chain, beyond your tier-one suppliers?

Rethinking your approach to managing third-party risks

TPRM is more than a procurement or contract administration process. It’s a strategic imperative that improves the value your business gets from working and sharing data with other organizations. As you reflect on your existing TPRM program, it’s often helpful to review your existing operating models, technology and capabilities. 

Here are some areas where organizations can start:

Build from the foundation

A strong governance structure, clear responsibilities across your teams and processes to assess and monitor risks are among the core elements of a sustainable and scalable TPRM program. Additionally, visible executive leadership and buy-in can help bring different parts of the business together to create a coordinated approach and make best use of the insights your program creates. Establishing these and other foundational elements at the onset can reduce the time needed later on to put new technologies in place or engage a managed services provider. It also increases the likelihood that these investments will produce the desired results.

Dig deeper into your extended enterprise

Mapping your most critical third-party relationships can identify weak links across your extended enterprise. But to be effective, it needs to go beyond third parties. Risks are often buried within complex subcontracting arrangements and other relationships, within both your supply chain and vendor partnerships. Nearly three-quarters (72%) of Canadian respondents to our Digital Trust Insights survey said they have, at best, only a limited understanding of the risks arising from these nth-party relationships. Illuminating your extended network to see beyond third parties is critical to assessing, mitigating and monitoring the risks posed by sub-tier suppliers. It also provides the information your organization needs to proactively reduce the impact of disruptive events, such as trade restrictions or geopolitical conflict, that could affect your suppliers’ subcontractors.

Power it with technology

The right technology investments can help you execute your TPRM program with greater speed and accuracy. Many organizations have an opportunity to reduce their reliance on cumbersome manual processes by supplementing traditional third-party assessments with external data feeds that produce more proactive insights. But it’s important not to reflexively jump on the latest tech trend or rush into new technology partnerships before thoroughly understanding your requirements and how new investments will work with your existing tools. More than four in five (83%) Canadian respondents to our 2022 Global Risk Survey say that having tech systems that don’t work together is a significant challenge—underscoring the value of establishing your operating model and defining your processes before overlaying technology solutions. 

Augment your capacity and capabilities

Effective TPRM takes expertise in information security, privacy, sanctions, ESG and other specialized fields. While some businesses have this expertise in-house, we’re seeing many organizations gain these capabilities and add capacity to their risk management function by outsourcing portions of their TPRM programs. Nearly one-third (31%) of Canadian respondents to our 2022 Global Risk Survey say they plan to increase spending with managed service providers to support their TPRM program. Managed service providers can also help organizations finish risk assessments faster, gain access to new tools and technologies as well as redeploy internal staff to higher-value activities.

Effectively managing third-party risks builds trust with your board, suppliers and customers by protecting your operations, brand and reputation.

The case for smarter, faster third-party risk assessments

We’ve seen organizations develop greater resilience and safeguard their reputation through their approach to managing third-party risks. The right operating models, technology and capabilities can act as a cost-effective insurance policy of sorts to protect against the risk of your customers experiencing service interruptions, having their data leaked or learning of your suppliers behaving in ways that fall short of their expectations.

But we’ve also seen how it can unlock new sources of value. Transitioning from legacy systems to new technology platforms can reduce costs through automation. And businesses can improve their performance by focusing on the relationships that pose the greatest risks, rather than painting all third parties with the same broad brush. This lets you engage suppliers faster—allowing them, in turn, to start adding value to your organization sooner.

A robust TPRM strategy is a foundation for creating stronger relationships with suppliers that help build and maintain trust with your partners, customers and other stakeholders. The importance of managing and mitigating third-party risks only grows as your supplier relationships rise in volume and complexity. Improving your ability to manage those risks today can help your organization move with greater speed, confidence and agility in the future.

Contact us

Kenneth M. Stoneham

National Assurance Operations Lead, Partner, PwC Canada

Tel: +1 416 814 5807