Supply-chain risk: Julie’s short list of best practices

I was surprised to hear some financial services industry experts say that many large firms don’t always know who their third parties are and what exactly they are doing for the firm.

I work for a large company that uses a decent amount of outsourced labor, as do most large companies, and creating an accurate list of all contractors, their duties, and their understanding of any such firm’s policies, procedures and values is a challenge. The first of many challenges, but a logical and possibly under-appreciated one.

Should you create an inventory of every single contractor — or just those that pose a certain level of risk to the firm because of the type of data they handle, deals they broker or communications they create? Only you and your team can answer that one.

Ironically, many firms hire consultants to track their consultants and then do this risk analysis.

The firm should also not forget another step in the early game of managing supply-chain risk: Identifying the third parties that are paying the firm to work with it.

Is your firm getting an item of value from a third party for its ability to appear on your site in some fashion, or use your customer/subscriber lists, or market its wares at your events? You can’t just look for those parties you pay in doing these risk determinations.

If I can use the word “lastly” when creating just a preliminary list of action items, here goes: Lastly, who should be in charge of supply-chain risk in your firm?

It probably can’t just be the department finding the suppliers or signing the contracts with them. It is likely some collection of the procurement, legal, compliance, risk, audit, information technology and human resources departments.

These departments must work together to collect the information mentioned above and decide how to proceed with the data in terms of risk, training, oversight, etc.

Since your company is likely to continue using third parties to get work done, the goal is to do so knowledgeably. And to manifest this awareness in documentation that you can show a regulator or two.


Julie DiMauro is a contributing editor of the FCPA Blog. She’s a regulatory intelligence and e-learning expert in the GRC division of Thomson Reuters Accelus. Follow Julie on Twitter @Julie_DiMauro. Email Julie at [email protected].




  1. Good rundown on best practices when it comes to supply chain management. Thanks for sharing.

  2. I completely agree with the point about needing various departments involved. Forming a cross-functional team is critical to getting buy-in from the various departments and effectively implementing the program.
