Sometimes it is useful to challenge one’s own assumptions. The importance of understanding and responding to supplier risk is one of those assumptions that seems obvious, based on many well-documented incidents of diminished supplier capacity and capability. Some may argue, however, that in most cases the operational or reputational harm is short-term and rarely fatal in isolation from wider strategic factors.
To help work this through, I decided to take 30 minutes to write down as many scenarios as came to mind and evaluate whether any fatal scenarios were among them. Here’s my list of scenarios where harm is incurred (in no particular order!):
1. Supplier achieves lock-in and pushes up prices, impacting the cost base due to over-concentration of business
2. Supplier is black-listed by a regulator/government, causing service transition pain
3. Supplier becomes a successful competitor, i.e. forward integrates
4. Supplier has superior knowledge of risks and does not share it with the customer, leading to lack of preparedness and extended disruption
5. An unknown critical widget (including software) is revealed too late due to lack of visibility into the supply chain
6. Key supplier becomes insolvent
7. Poor performance by supplier
8. Supplier cannot resource the service required
9. Change of control – supplier acquired by a company that has “issues”
10. Supplier does not have the competence to deliver the service
11. Breach of regulation that is licence-affecting for the customer, leading to sanction, financial loss and reputational harm
12. Supplier changes strategy – the product or service bought is no longer attractive to them and they wind it down/divest; legacy issues in maintaining skilled support on the supplier side
13. Too much focus on the contract and ‘use of the stick’ over relationship development and reputation leverage, i.e. not the ‘customer of choice’ from the supplier’s perspective
14. Collusion (fraud) through the sourcing process between customer representatives and the supplier
15. Outsourcing a service with an inadequate retained organisation, leading to extended outages – only knowing about the risks when the incident occurs
16. Country risk – offshoring and outsourcing to unfamiliar countries and locations exposed to significant political and environmental risks
17. A new Y2K-type bug
18. Supplier lies about capability and the contract is awarded (inadequate due diligence)
19. 3rd party treats the customer’s customers badly
20. Key suppliers prioritise their other customers over you when they face severe disruption and would rather pay the penalties in the contract (taking a risk-based approach on their side)
21. Force majeure event declared (correctly)
22. Supplier insolvency and reputational harm to the customer caused by the customer terminating the agreement
23. Upstream Tier 2 supplier found to be more significant than the Tier 1 supplier – but too late, as it fails to deliver
24. A direct or indirect supplier is found by the media/NGOs to have poor working practices, leading to regulatory/statutory breaches and/or reputational harm
25. Supplier introduces an unproven product into a production environment, causing a major and extended outage
26. New services can’t be launched because the supplier cannot deliver (on time) or it is too difficult to exit from the incumbent (the risk of change is too great)
27. Data breach involving customer data at a third party, or caused by a third party’s poor controls
I’m sure there are many more! How impactful these events are will naturally depend on context, but I’m pretty sure that number 3 has the potential to be terminal. Given the trend towards virtualised organisations and business models that depend on orchestrating third-party relationships, it does seem reasonable to reaffirm that the capability to manage third-party risk effectively will be a key determinant of the success or failure of companies.