Energy and utilities (E&U): threatened by third risks | NTT DATA

Energy and utilities (E&U): threatened by third risks

Risk management of third parties (subcontractors, suppliers, etc.) is becoming increasingly important to prevent crisis situations in the energy and utility companies.

NTT DATA, global leader in digital and IT services, publishes a white paper on the growing importance of third-party risk management in the energy and utilities sector.

The E&U sectors – i.e. the energy sector and utilities involved in water treatment and the production, trading, distribution, and marketing of electricity and gas – have undergone rapid digitization in recent years, coupled with significant technological advancements, which have enabled them to increase their production, optimize, reduce costs, and meet new consumer needs. Just think of smart grids, renewable energy sources, digital twins, the Industrial Internet of Things (IIoT), etc.

However, there is a downside to the application of these technologies: the E&U sectors have become much more dependent on their technology suppliers than before and are therefore exposed to risks from those external partners.

The increasing interconnectivity and interdependence of systems, both internal and external to companies, increases the risk of data breaches, cyberattacks, and technology failures. Then there are the geopolitical risks when the suppliers are located in critical regions. Think also of the financial risks for those who work with suppliers who themselves are struggling with financial problems or who are unable to provide the desired services and goods.

More regulation in risk management

Regulations and compliance standards are constantly changing (stricter cybersecurity and supply chain security regulations, stricter environmental regulations, etc.). Organizations must therefore be able to verify whether their external partners comply with the applicable regulations , otherwise they risk fines, reputational damage, and even production or business interruptions.

The European NIS2 (Network and Information Security) Directive was adopted in January 2023 and must be transposed into national law by the Member States by October 2024. The new regulations will require thousands of providers of 'essential' services – particularly in the E&U sectors – to tighten their IT security standards. Security incident reporting, cyber risk management, security testing and audits, supply chain security are all critical areas of concern, which can lead to penalties or fines (up to €10 million or 2% of global turnover, depending on whichever amount is higher).

Free up resources for risk management

Many organizations still use spreadsheets to check whether their suppliers, subcontractors and other partners meet their standards regarding safety, compliance, sustainability, financial stability, etc. This approach is not only time-consuming, because large amounts of data from different sources have to be collected, analyzed and updated, but is also susceptible to human coding or formula errors. In addition, this approach offers only limited possibilities for real-time monitoring, analysis and reporting, making it difficult to identify risks and emerging trends.

Information access issues can also cause inefficient communication between the departments involved (logistics, legal, risk and compliance, finance, etc.). In addition, the E&U sectors suffer from a shortage of qualified personnel in risk management, which can limit their ability to identify, assess and mitigate risks.

Real-time monitoring is an essential part of efficient third-party risk management.

“Companies today can already rely on real-time monitoring solutions that use automation and machine learning to continuously monitor the risk level of their suppliers and partners,” explains Michiel Donders, Director Energy & Utilities at NTT DATA Netherlands. “NTT DATA has a strategic partnership with 3rdRisk in which the offered SaaS solution efficiently fills in the risk management of third parties. The platform uses, among other things, relevant data from content providers such as BitSight, SecurityScorecard, Altares - Dun & Bradstreet, EcoVadis and Refenitiv. A real-time alert system immediately sends a notification to the risk managers upon detection of a possible risk."

Anticipate to improve business resilience

By proactively addressing vulnerabilities, E&U companies can strengthen the resilience of their operations and ensure the continuity of their essential services, even in the event of outages. In this way, they not only avert costly business interruptions or image crises, but they can also identify and remedy weak links in their supply chain, as well as optimize their business performance. That makes them more competitive.

"An organization's reputation is heavily influenced by the actions and performance of its external partners. By incorporating efficient third-party risk management into their strategy, organizations can verify that their partners meet stringent cybersecurity, environmental and corporate social responsibility. Investing in high-quality tools can help them build and sustain trust with their stakeholders," adds Michiel Donders.

Read the full white paper here.