Minimising risk: supplier segmentation and effective due diligence

09/01/25
Leonard McAuliffe

Partner, PwC Ireland (Republic of)

Discover how to manage supply chain risks effectively.

In today’s ever-changing risk landscape, managing third-party cybersecurity risk has become increasingly complex. Accurate supplier segmentation, based on how critical each supplier is to the organisation, and thorough downstream due diligence are two essential components of a robust third-party risk management (TPRM) programme. This insight explores both and shows how, when executed well, they significantly reduce the risk introduced by third-party providers.


Managing third-party risk effectively is crucial for maintaining operational resilience and integrity. Supplier segmentation and due diligence are pivotal strategies in this endeavour: segmentation lets organisations categorise suppliers by risk level, strategic importance and performance history, so that risk management effort can be targeted and critical suppliers receive the attention they need.

Due diligence then strengthens this approach by evaluating the domains that apply to each third party, such as its ethical and legal standing, its compliance with applicable regulations and industry standards, and its cyber posture. This evaluation is carried out through background checks, compliance verification and continuous monitoring.

Integrating these practices with a defined and formalised TPRM lifecycle provides a robust framework for managing third-party risks.

A TPRM lifecycle encompasses six key phases:

  1. Planning and vendor selection;
  2. Due diligence and risk assessment;
  3. Contract negotiation and onboarding;
  4. Ongoing monitoring and performance evaluation;
  5. Incident management and response; and
  6. Renewal or termination.

Each phase plays a critical role in identifying, assessing, mitigating and monitoring risk throughout the lifecycle of a third-party relationship. By combining supplier segmentation, due diligence and the TPRM lifecycle, organisations can manage supply chain risk more effectively and maintain a resilient, compliant third-party portfolio capable of withstanding a range of challenges and disruptions.

This holistic approach not only safeguards the organisation but also promotes long-term sustainability and operational efficiency, making it an indispensable strategy in today’s dynamic business environment.

Supplier segmentation

Supplier segmentation involves categorising suppliers according to criteria such as risk, value and performance. This process helps organisations prioritise effort and resources towards managing the most critical suppliers. Key segmentation criteria include:

  1. Risk level: assessing the potential risks associated with each supplier, including financial stability, geopolitical factors, compliance with regulations and cyber posture.

  2. Strategic importance: identifying suppliers that are crucial to the organisation’s operations and long-term goals.

  3. Performance history: evaluating past performance in terms of quality, delivery and reliability.

By segmenting suppliers, organisations can tailor their risk management strategies to address specific risks associated with different supplier categories.

Third-party due diligence

Due diligence is the process of assessing the controls of a third party and its compliance with laws, regulations and industry standards. Key steps in integrity due diligence include:

  1. Background checks: conducting thorough background checks on suppliers to identify any past legal issues or unethical practices.

  2. Compliance verification: ensuring that suppliers adhere to relevant laws and regulations, including anti-corruption, labour laws and environmental standards.

  3. Ongoing monitoring: continuously monitoring suppliers for any changes in their risk profile or compliance status.

The future of TPRM: a new series from PwC

This article is the third in a 12-month series exploring the evolving domain of TPRM. In the coming months, we will dive deeper into the many aspects of TPRM, including the impact of the Digital Operational Resilience Act (DORA), the integration of artificial intelligence (AI), and best practices for managing third-party risks. Next month, we will focus on technology and AI in TPRM.

Key actions businesses can take today

Organisations can enhance their ability to manage supply chain risks by:

  1. Implementing effective supplier segmentation: categorise suppliers based on risk, value and performance to prioritise efforts and resources towards managing the most critical suppliers.

  2. Conducting effective and meaningful due diligence: assess suppliers’ compliance with laws, regulations and industry standards through thorough background checks, compliance verification and ongoing monitoring.

  3. Adopting a structured TPRM lifecycle: integrate a defined and formalised TPRM lifecycle to provide a robust framework for managing third-party risks.

By adopting these practices, organisations can build a supply chain that is both resilient and compliant.

We also recommend: 

  • Follow the series and stay up to date with our monthly TPRM series for valuable insights.

We are here to help you

PwC has developed an end-to-end supplier criticality segmentation methodology to categorise and define the importance of suppliers and services for clients. This aligns with industry best practices and regulatory expectations, including the Network and Information Security Directive 2 (NIS2) and DORA. The toolkit is suitable for all supplier and service types, aligning with clients’ risk appetite.

We aim to enhance efficiency and reduce subjectivity by designing a tailored, intuitive question taxonomy, developing an enhanced supplier criticality methodology with in-built categorisation logic, and critically assessing the future state approach. We also provide coaching to the first line of defence team in preparation for second line of defence review.

To discuss any of the topics mentioned in this insight, contact our team of experts today.

Contact us

Leonard McAuliffe

Partner, PwC Ireland (Republic of)

Will O'Brien

Director, PwC Ireland (Republic of)

Tel: +353 87 1947 803

John Fitzgerald

Senior Manager, PwC Ireland (Republic of)