Third party failures thought to cost firms £783m per incident

The cost of a third-party risk incident is thought to have risen to as much as £783m per incident, according to figures released today by Deloitte, which says the impact on share price could be as much as 10%.

More than half of companies in the study estimate the cost of a supply chain failure, data privacy breach or disruption to IT services to be somewhere between £391m and £783m, or even more. This represents a marked increase since 2015, when large multinational businesses estimated the cost of a third party failure at between £1.6m and £40m.

Deloitte’s Extended Enterprise Risk Management survey was undertaken between November 2019 and January 2020, prior to the outbreak of COVID-19 being declared a global pandemic. At this point, 17% of organisations said they had faced a "high-impact" third-party risk incident in the past three years (up from 11% in 2019). Some 30% of respondents thought share prices could fall by 10% or more the incident was not adequately managed. COVID-19 is predicted to further increase need for investment in risk management.

Kristian Park, risk advisory partner at Deloitte, commented: “Despite an increase in incidents, companies are not yet investing sufficiently in managing third-party risk.

“The COVID-19 pandemic has only highlighted the need for investment in risk management. Companies experienced a wide range of third-party incidents at the peak of the pandemic including supply chain, logistic and financial failures, as well as data breaches resulting in fines – all of which can have a significant impact on customer service, regulatory compliance and reputation.”

For the first time in five years, a desire to be a responsible business, that effectively manages ESG issues in the supply chain, was one of the key reasons companies invest in third-party risk management, with 43% citing it as a reason for investment.

These desires were not matched in action, however, with a large proportion still not allocating budget to associated areas - 74% had not allocated funds to managing climate risk, 57% to environmental risk and 54% to modern slavery and labour.

Budget was instead directed to the more pressing issues of information security, cyber risk, data privacy and health and safety. Cyber risk made up the largest proportion of incidents at 23%, followed by bribery corruption (23%) and information security (9%).

Park continued: “The survey showed a desire to develop risk capabilities and to become a responsible business. Whilst efforts were paused at the beginning of the pandemic, these themes are wide spread and constant as companies start to recover, particularly around workplace safety and carbon footprint. Given a growing dependence on critical third party relationships, it’s key that companies act now to protect themselves and their extended enterprise.”

Deloitte's findings were based on a survey of over 1,145 respondents from 20 countries.

    Share Story:

Recent Stories