How to Find the Risks in Your Supply Chain

Vetting third and fourth parties is essential to a comprehensive supply chain risk assessment

Posted by Dawn Lomer on October 31st, 2019

When assessing the risks that your company faces, there are variables you can easily control and those that are more difficult. Your supply chain falls in the latter category, and many companies have been taken down by their inability to control the weaknesses in these third- and fourth-party networks.

One of the deadliest industrial accidents in history, the Rana Plaza collapse in Bangladesh, thrust supply chain risk into the limelight. Yet many companies still aren’t fully aware of what’s happening at every level of their supply chains, both because gaining that visibility is difficult and because modern supply chains can be so complex.

In large companies and in certain industries, supply chains can include thousands of third parties, all with their own supply chains. Procter & Gamble, for example, has more than 75,000 suppliers. Retail giant Walmart has more than 100,000 suppliers. Even smaller enterprises can have hundreds of vendors.

Vetting and monitoring these partners thoroughly and continuously is critical to the health and sustainability of your business.

7 Steps to Reviewing Your Supply Chain Risk

According to John Henry Abrenilla, Director of Global Investigations at Seagate Technology in Sunnyvale, CA, reviewing your supply chain reputation is a good place to start. He suggests taking these seven steps as part of your supply chain fraud risk strategy:

  1. Run all of your suppliers to see who is out of business, not current, or doesn’t exist.
  2. Review which suppliers are underperforming. This could lead to uncovering potential fraud (sub-contracting, inferior parts, etc.).
  3. Have a look at your billing accounts. Which ones have seen an anomaly in spend year-over-year?
  4. See which vendors tend to do “everything” for you; these may be middlemen companies that are increasing your costs and depleting your margins.
  5. Work with your CFO to obtain previous ethics cases. Study them and see if there was anything from a billing or procurement standpoint that could have found them. This is where you can start to develop controls and monitoring.
  6. Partner with finance to see which customers are paying late and which ones are “ghosting” your company instead of making payments.
  7. Match your employee file to the customers that are in billing. Check if there are undisclosed matches and if they are receiving favorable terms that are costing the company money.

Don’t Forget Your Fourth Parties

According to a Compliance Week survey entitled Third Party Risk: A Journey Towards Maturity, oversight of fourth-party relationships is another risk that isn’t getting the attention it needs. “Only 40% stated that third parties are always required to identify fourth parties, while 31% of respondents reported having controls within all of their third-party relationships for the management of fourth parties,” the survey reports. “Just 21% say they always conduct due diligence on critical fourth parties. Some 46% do not conduct due diligence on critical fourth parties at all.”

A company’s code of conduct should apply to the entire supply chain.

You probably don’t have a direct relationship with your fourth-party vendors, but you still need to assess them for risk. The first step is to ensure you know who they are. Require that all of your third parties commit (in writing) to notifying you before they engage any other vendors. Now you know who your fourth parties are.

The next step is to request that your third parties conduct their own due diligence on anyone they contract with. Read the risk assessments and flag any potential issues, conflicts of interest or other concerns, and follow up to ensure they are explained or resolved.

It’s a good idea to do your own risk assessment on fourth parties as well, and this may require that you request documentation from your third parties. If you do find that a fourth party presents a risk to your company, you can work with your third party to re-evaluate contracts or take steps to mitigate the risk.

A fully functioning risk strategy takes into account every company that your company does business with. As business relationships evolve, so too should your strategy. By continuously assessing your vendor risks at every level, documenting the assessment findings and addressing issues as they arise, you can foster a healthy and safe supply chain.


Dawn Lomer
Manager of Communications

Dawn Lomer is the Manager of Communications at i-Sight Software and a Certified Fraud Examiner (CFE). She writes about topics related to workplace investigations, ethics and compliance, data security and e-discovery, and hosts i-Sight webinars.
