How do we manage third party risk? Building stronger relationships for the future
@ the IERP® Global Conference, October 2022
The use of third-party vendors has grown rapidly over the past five years. Many companies have outsourced even core functions for efficiency and savings, relying on a network of third-party vendors to provide organisational value and increase their competitive advantage. But doing so has exposed them to high-profile risks, and the biggest challenge today may be developing third-party risk management (TPRM) processes that not only form the basis of stronger long-term relationships but also provide appropriate oversight. This session was presented by the IERP Chairman, Ramesh Pillai.
He said, “A lot of people have a problem when it comes to third-party risk management because they don’t know what to do – how do you do risk prioritisation for third parties?” and introduced five emerging themes for consideration: third-party incidents which are disrupting the business and damaging reputations; businesses underestimating the need for a sound TPRM programme; technology not yet fulfilling its promise; the challenge of limited resources; and the struggle that most businesses have to maintain a fit-for-purpose TPRM operating model. Besides these, he also covered the concept of fourth-party risk management.
“Third parties also include fourth parties, such as subcontractors for transportation and logistics, cybersecurity, IT management and other services,” he said, explaining that these were similarly vulnerable because everything was now interconnected. The Central Bank, too, was moving in the direction of fourth-party risk management, he added. Businesses will eventually be expected to know not only their customers, but their customers’ customers as well. Knowing suppliers’ suppliers may also become necessary, and this should be manageable with the appropriate technology. TPRM also needs to be viewed enterprise-wide, like ERM, because it is a strategic issue.
Most companies do not have TPRM because they underestimate the need for a sound TPRM programme and therefore do not budget for it. Funds are almost always scarce, so boards must first see the value of TPRM; directors need to be educated about the issue to appreciate its full complexity. They may see it as an operational matter that does not need their intervention, but TPRM needs to be viewed from a perspective that includes the legal and financial aspects as well. “If businesses understood the full complexity of a TPRM programme rather than narrowing it down to individual components, they would support a larger budget,” Ramesh said.
Organisations rely greatly on technology, but in the case of TPRM, technology is not yet fulfilling its promise. TPRM teams use technology where possible to lighten their load and expect it to keep improving over the next few years. An issue to consider is whether it is the technology or its implementation that is flawed. TPRM is essentially about workflow management, but many managers struggle with integration because the work is cross-functional and a silo mentality prevails in most organisations. “A lot of executives are frustrated by the construct of the technology, over-engineering of the programme, and a lack of effective general reporting of programme and third-party performance,” he said.
Information should be exchanged; shared information can remove vulnerabilities and the potential for fraud, and strengthen cybersecurity – but sharing doesn’t always happen. As technology improves, however, workflow automation may play a larger role; technology may also become more affordable. Many businesses do not have the TPRM capabilities they need. Teams may need to be expanded to assess the ESG readiness of third parties, and the frameworks of fourth parties, as part of the company’s ESG efforts. “We have to strive to do the best we can technologically or otherwise,” Ramesh said. “Perfection is an ideal that is nice to strive for, but you don’t have to get there in one go.”
Not all third parties present significant risk, so it does not make sense to evaluate all of them in the same depth. “The focus should be on increasing awareness and the interconnection between ESG and reputational risk,” he advised. “Look at where you are going to be hit highest from the reputational risk perspective, and prioritise that. ESG is about managing reputational risk.” Another challenge is that everyone operates with limited resources. No one ever says they have enough resources to do everything, much less allocate anything to TPRM, Ramesh pointed out, adding that the real difficulty is that people do not know how to do it. “If we had better TPRM, the supply chain problems would not be as dire as they are now.”
Following the pandemic, TPRM is expected to become even more of a strategic priority, yet most businesses struggle to maintain a fit-for-purpose TPRM operating model. Third parties are already causing disruption and loss of value. Statistics cited in the session show that almost 73% of companies have had at least one major disruption directly attributable to third parties in the last few years, and four in ten companies surveyed have weathered three or more such incidents. Describing this as both very significant and worrying, Ramesh said that there were huge weaknesses in current TPRM operating models that were leading to missed opportunities to mitigate risks.
Board-level scrutiny was required; directors should ask the right questions and actively query the status of the organisation’s TPRM. “It’s not just about resilience…it indicates poor financial control as well,” he said. “TPRM brings overall payment systems, contract management, delivery and quality controls under one roof, and goes beyond to fourth-party risk management. Fourth parties are ramping up the pressure because of the current environment, and regulators are starting to talk about it. But how do you identify and assess fourth parties? How do you enforce and manage? Contractual arrangements must make it clear whose areas of control apply.”
Also, many TPRM managers believe that they are undervalued, despite the extent to which the business relies on third parties. “Very few risk managers will tell you that they are strategic partners,” he said. “Instead, they are administrators.” Operational resilience needs TPRM; it is a critical component of operational risk management. Operational risk is the risk arising from inadequate or failed people, processes and systems, or from external events, and TPRM sits right in the middle of people, processes and systems. It covers the whole lot, making it a critical component to manage. It also needs strong, consistent leadership from the people running the TPRM team and from the management team.
Emphasising that TPRM was also about culture, Ramesh advocated a concerted, enterprise-wide approach, with clear definitions of resilience, to help manage the complexity involved in running services across multiple business units. “It’s not simple,” he cautioned. “You need to map and understand the people, location, technology and the third – and fourth! – parties involved. And if you want to be a strategic partner, you need to talk the language of business. You need to have a holistic view of things, and understand the metrics of the business.” He urged risk professionals to have an enterprise-level view of the organisation that was not silo-driven.
Most organisations have a long way to go before they achieve the requisite maturity, he remarked. TPRM is only one component of a larger programme focused on procuring and managing services, and it is expected to remain high on the agenda. Ramesh cautioned that there was no quick-fix solution, but urged risk professionals to start by identifying common focus areas; outlining a process flow for the departments and people involved; identifying the processes concerned, such as payments and service delivery; and then mapping each process and identifying stakeholder needs while listing all the processes involved. Regulations should be adhered to, and updates made in a timely manner.