In an October 2009 article in McKinsey Quarterly, the authors Eric Lamarre and Martin Pergler outline how indirect risk is the key to reducing net residual risk.
Net residual risk is the risk a business is left with after it has dealt with all the obvious risks: for instance, product liability, insurance for warranties and even hedges for currency or commodity price volatility. Net residual risk of over 30% is often standard for ICT contracts (scope creep, unforeseen faults, etc.).
Significantly, net residual risk is hidden risk. More importantly, hidden risks can sink deals and kill companies: not only is the risk uninsured (financially or operationally), but its unforeseen nature means that surprise brings with it increased cost and severity (i.e., by the time it percolates to the top it has already boiled over into a significant issue).
Indirect risk creates potentially huge financial exposure because it cascades. It is exponential in nature because it cascades through an organisation or throughout a contractual network. As each party adds its own risk premium to a cost which carries a hidden risk, the risk aggregates in a non-linear way. The resulting overall exposure can be huge.
Take, for instance, XYZ Parts Inc., which has a manufacturing contract for making Widget X as part of a navy submarine. The widget is made to the wrong dimensions. XYZ Parts is liable but has no way of paying, and its insurance is minuscule and will not cover the liability. As this risk has cascaded throughout the contract network, it has aggregated exponentially to create huge financial exposure for the Prime. The diagram below shows how this happens.
In a recent CFO survey (CFO magazine, “Working Well Together: managing third party risk in a more integrated world”), CFO magazine came up with some surprising results, namely:
- Fewer than 50% of CFOs thought their company had well-defined processes for dealing with third party risk, however
- 38% noted that third party risk identification and visibility is one of their top 3 priorities, and
- roughly 75% responded that a third party had harmed their business in some way.
Pergler and Lamarre note that the likely causes are (a) lack of senior executive involvement in enterprise risk management, and (b) poor and disconnected risk management practices.
In a recent brochure I outlined one way to manage third party risk. It is very difficult to develop operational procedures to deal with contingent risk. Corporate feudalism dictates that identifying risk and stepping into another division (or company) to deal with it is complicated. Firstly, in the opaque and murky world of rivalries between companies or divisions in a contractual network, the risks need to be identified architecturally. The architecture (engineering or ICT) is the only aspect that is transparent. Only by using central models can all parties identify risks which impact their business. Secondly, contingent risks can be ‘sold’ to other companies in the network (through, for instance, put or call options in the contract). In this way, an internal hedge market is created for dealing with third party risk. This is a far better way of dealing with significant indirect risks, as ultimately it engages the powerful finance function and creates huge inducements to contractual performance (such as wholesale loss of intellectual property).
Regardless of how risk is managed, most senior executives agree that in our modern, interconnected world it is no longer sufficient to leave third party risk to chance or to the blanket boilerplate of standard contract clauses. If companies are to reduce financial exposure from third parties, risk must be hunted down and dealt with, specifically and in detail.