Every industry has its unique challenges when it comes to vendor risk, and retail is no exception. Most retailers today depend on global suppliers for inventory, logistics, operations, and other products and services. In addition to restrictions, embargoes, and government sanctions, retail and consumer goods are subject to many laws and regulations.
Retailers must comply with laws and regulations concerning conflict minerals disclosure, anti-bribery and corruption, and more. And every municipality, state, and country has its own building codes, employment laws, and consumer protection laws.
In this regard, the retail sector faces some of the highest vendor and supplier risks of any industry.
Retail organizations must understand, identify, and manage the risks associated with their direct relationships with third parties (vendors and suppliers) and, indirectly, with their extended supply chains. Cybersecurity, privacy, reputation, operational, and financial risks are a few of the risks typically associated with third parties that need to be identified and managed. Yet retailers must also consider another complex set of environmental, social, and governance (ESG) risks. Vendor ESG risk is influenced by several factors, including governance structure, materials, labor practices, and treatment of local populations and resources.
It goes without saying that third-party risk management is a necessity for the retail industry. Retailers can use third-party risk management to mitigate risks associated with customer service providers, professional services, banking services, shipping, wholesalers, distributors, and others.
However, third-party risk management as a practice within the retail sector is relatively immature. Retail organizations struggle to implement effective third-party risk management programs for multiple reasons, including:
Considerations for Implementing Successful Third-Party Risk Management in Retail
So, what can retail organizations do to move the dial?
- Change begins at the top. First and foremost, your board and senior management must establish third-party risk management as a priority for the organization. This means supporting your third-party risk management program by providing the right resources, including adequate program funding for tools, technology, and skilled professionals. At the end of the day, the board and senior management are responsible and accountable for the effective execution of third-party risk management at the organization, so their involvement and oversight are paramount. They need to be engaged not only in developing the third-party risk management program but also in its maintenance and continuous improvement.
- Think beyond cybersecurity. For the many retail organizations with third-party risk management practices in place, most of these are centered solely on cybersecurity protection. And while everyone can agree that cybersecurity is an urgent third-party risk management priority, it isn't the only risk that requires mitigating. Regulatory compliance, supply chain stability, and protecting your brand and reputation merit time and resources too.
Effective third-party risk management requires a healthy balance of risk identification, assessment, management, and monitoring for all third-party risks, not just cybersecurity. That means budgets, full-time employees, tools, and technology are allocated to a comprehensive third-party risk management program, not merely as another line item under information security.
- Consider how technology and services can support or improve your third-party risk management efforts. The use of SaaS-based third-party risk management tools eliminates the need for manual processes, reduces errors, and allows for reliable data trails. Doing "more with less" can often be achieved more effectively through outsourcing certain third-party risk management tasks, such as due diligence document collection and professional subject matter expert (SME) vendor risk assessments. Accessing technology and services through outsourcing provides many benefits and can supplement the third-party risk management needs of organizations without in-house expertise.
As new risks and challenges emerge, retailers cannot remain passive or wait for worst-case scenarios to materialize. Third parties can present risks to retail organizations and their consumers in the form of cyber-attacks, data breaches, poor-quality goods, regulatory noncompliance, safety issues, and supply chain disruptions. Retail organizations must prioritize third-party risk management now to protect their organization, consumers, reputation, and brands today and in the future.