In an era when corporations commonly have hundreds and sometimes hundreds of thousands of third-party suppliers, managing the risk these third parties represent is no small task yet has become essential for corporate success.
Obviously in these circumstances, your third-party risk-management (TPRM) program becomes critical to ensure operational continuity and possibly even financial survival. But what are the leading practices that enable a successful and effective TPRM program?
Following the principles of Jim Collins’s “Good to Great”, we have identified seven essential disciplines for managing third-party risk. A forthcoming series of articles will discuss each discipline individually and in detail; this first instalment gives an overview of them all.
1. Clarity of TPRM & Corporate Role
A robust TPRM program requires a governance structure that extends from the board of directors to the front lines, with all parties understanding the entire risk picture and the role each plays in managing it. Collaboration between the corporation’s overseeing entities is enabled by establishing a TPRM Committee with a formalised structure, defined participation and a regular meeting schedule.
The committee should have carefully defined roles and responsibilities, with established upstream and downstream communication channels. It is imperative that the committee develop a sourcing strategy framework with risk appetite guidelines that are aligned across the organisation and approved by the board.
2. Third-Party Integrity: Know Who They Are
Third parties are often engaged without any assessment of how they fit into the overall corporate enterprise risk management picture. Successful TPRM begins with a detailed assessment of every third party during the onboarding process. Without a shared understanding of the third party’s role and possible risk impact, risk managers do not know when they should step in or how specifically they should manage the risk, which can jeopardise ongoing operations.
The same assessment of integrity applied at the corporate level must extend equally to every third party. This includes identifying details about the third party such as its ownership structure, key officers, financial health, sanctions exposure, foreign operations and other related matters.
3. Know Your Risks & Compliance: Beyond Cyber & Financial
Successful management of third-party risk extends beyond cybersecurity and financial risk, the two categories most often identified. Other risks, often overlooked but potentially significant, arise from a third party’s business operations or from the location where its services are delivered, and these should be considered as well.
Operational risks include third-party employee issues, the third party’s other clients, its governance structure, regulatory actions, compliance issues and the maturity of its solutions. Location-based risks include changes in government, levels of corruption and crime, natural disasters, ethnic tensions, social unrest and macro-economic conditions. An effective TPRM program must therefore account for these areas of risk exposure and monitor them continuously.
4. Life-Cycle Management: Trigger-Based Assessments, Risk Changes & Control-Program Agility
Periodic risk assessments are costly and time-consuming. Worse, their value is limited, because risk management cannot be a one-and-done process: the picture they capture is out of date as soon as conditions change. Proper life-cycle management requires continuous oversight and adjustment, since events that change a third party’s risk can happen at any time. Curated, continuous risk intelligence not only assures timely responses; it anticipates disruptions and identifies trends that may present opportunities. Continuous monitoring should be backed by defined follow-on actions for each kind of risk event, so that a trigger initiates a re-assessment of the specific risk categories it affects.
As an example, if a third party suffers a cyber breach a month after its annual assessment, it is not prudent to wait eleven months for the next scheduled assessment. An efficient TPRM program uses that risk event as a trigger for an immediate re-assessment of the third party’s cybersecurity posture and of the access it holds into your environment. A program configured this way not only helps avoid and mitigate risk exposure; it also raises risk management productivity, reduces disruptions and lowers program costs.
5. Proven Risk-Tiering Approach: From Critical to Low
Effective TPRM must include a formalised risk tiering process that ranks each third party by the relative risk exposure it creates for the organisation. The common practice is to rank third parties in four tiers, from low through moderate and high up to critical. Accurate tier assignment requires a risk grading matrix developed by the TPRM Committee. Tiering should also extend beyond direct third parties to Nth parties, that is, the third party’s own suppliers and subcontractors.
Take for example the cyber breach at Target in 2013. Attackers used the stolen credentials of an HVAC and refrigeration services supplier to get onto Target’s network, moved from there to the point-of-sale systems, installed card-scraping malware and captured sensitive customer and payment-card data. The supplier apparently had access rights to Target’s network for carrying out remote tasks such as monitoring energy consumption and temperatures at various stores. The attackers exploited weaknesses in Target’s POS environment through the network-linked HVAC access. Proper risk tiering would have identified the HVAC supplier as a high-risk third party, not because of the size of the contract but because of its access to Target’s network. That awareness could have led to a more effective risk management approach: segregating the systems the HVAC supplier could reach from Target’s payment and customer data systems, and limiting the supplier’s credentials to the tasks it actually needed to perform.
6. Governance: Monitoring Aligned to Risk Tiers & Incidents
Although governance in risk management was previously understood as risk avoidance or risk mitigation, it now extends to actively managing risk. As an extended Deloitte position paper on the subject observes, good governance and risk-management procedures not only avoid punitive costs and reputational damage, but also provide a competitive advantage.
When the TPRM Committee designates the appropriate level of monitoring for each risk tier, the enterprise can establish continuous, real-time risk monitoring procedures that are aligned with its risk management goals. Matching the intensity of monitoring to the relevant risk level (critical, high, moderate or low) enables an enterprise to be both effective and cost-efficient at managing risk.
7. Response Playbook & Learning Loop: Continuous Feedback & Enhancement
Successful TPRM solutions recognise that third-party relationships are always changing and that the related risk exposure is in a constant state of flux. TPRM programs need the ability to respond to these changes with agility and speed. Avoiding or reducing the impact of negative disruptions requires clearly established behavioural analytics and cooperative relationships between teams with different functions at all levels of the enterprise.
It should go without saying that the structure enabling both the analytics and the cooperative inter-team relationships needs to be firmly established from the beginning. Finally, mechanisms should exist across the entire life cycle for sharing and collaborating in a learning environment between all stakeholders and third parties, so that the TPRM program can be reviewed, modified and enhanced as needed.
Ready to learn more?
Request a Supply Wisdom demo to see the 7 Disciplines in action.
This article was originally published by SupplyWisdom and is shared with their kind permission.
SupplyWisdom is a NeoGroup Company. NeoGroup, Inc. has been monitoring suppliers and locations around the globe since 1999. Over that period large companies have sourced and leveraged third parties around the globe at an ever-increasing rate, and as a result a significant portion of their ongoing operations is now globalised. Globalising business operations creates a whole new set of disruption risks, arising from political, regulatory, weather and many other factors. There is now a pressing need to monitor these factors, and any changes in the business environment, in order to minimise or avoid costly business disruptions. It is no longer prudent to monitor these risks on an annual, quarterly or even monthly basis; they need to be monitored continuously, in near real time.
At the behest of two of our clients, a financial services company and a pharmaceutical company, we collaborated and co-created a risk monitoring solution. Supply Wisdom was born in 2012 out of this need for an early warning service to help clients detect and prevent disruptions.
Today, Supply Wisdom equips global enterprises with continuous third-party risk intelligence, real-time risk monitoring, in-depth risk assessments and health scorecards to minimise the risks of disruption facing all global businesses. Learn more at https://www.supplywisdom.com