Integrating ERM into third-party risk management (TPRM) is about how to manage third parties, and how we build stronger relationships for the future, said Ramesh Pillai, at the start of a recent Tea Talk on the subject. He noted that this was a subject that had already been discussed at the international level, with some businesses even heading towards fourth-party risk management. In some cases, regulators have already mentioned that companies should consider this. “Third-party risk management is now moving to fourth-party risk management,” Ramesh said. “It’s not way out on the horizon. It’s already here.”
It was imperative for businesses to understand how to deal with TPRM as it will need to be extended to fourth parties (FPRM) but “TPRM has become critical because in today’s environment, companies are beginning to specialise in the things they do, and are looking for collaboration outside so that they can concentrate on their core business,” Ramesh said. Additionally, costs were rising, and more companies were concentrating on their specialisms. He presented five emerging TPR themes:
- Third-party incidents are disrupting the business and damaging reputations
- Businesses underestimate the need for a sound TPRM programme, resulting in insufficient budgets
- Technology is not yet fulfilling its promise
- The challenge of limited resources is here to stay
- Most businesses struggle to maintain a fit-for-purpose TPRM operating model
The environment was exacerbated by a lack of understanding of what TPRM entails. “Practitioners are held back by limited budgets,” Ramesh said. “Tactical initiatives are being prioritised over strategic improvements. If businesses understood the full complexity of a sound TPRM programme, rather than just narrowing it down to its individual components, they would support larger budgets.” Doing so would allow companies to benefit from new efficiencies around operational resilience, Cyber security and fraud. Citing statistics, he said that respondents currently used technology to automate or support about 58% of TPRM-related tasks.
This, they believed, could allow them to focus on activities requiring human review and interaction. However, they were frustrated by the lack of visibility caused by the technology they were using to mitigate third-party risks. Limited resources are a constant challenge; many businesses struggle to maintain a fit-for-purpose TPRM operating model. “Businesses largely accept that it was luck rather than their TPRM programmes which helped them avoid major third-party incidents during the Covid-19 pandemic,” Ramesh said. But they also believe that the TPRM model should be overhauled. Third-party incidents are disrupting the business and damaging reputations.
Weaknesses in the TPRM model leading to missed opportunities to mitigate risks are proving to be a critical, painful major problem for businesses worldwide. “TPRM leaders have reported that during the pandemic, boards and management started paying more attention to the TPRM programme and their overall dependence on third parties,” he said. “This board-level scrutiny highlights how disruption caused by third parties is having a material impact on performance and is likely to become more prevalent if steps are not taken to improve TPRM. Third parties are causing disruption and value loss.” Research indicates that most businesses have experienced disruption because of a third party.
But resilience is not the only issue. Many firms have indicated increasing concern that inefficiencies in the billing process meant they were not obtaining full value from service providers. “If organisations do not have mechanisms in place to compare service delivery with the terms specified in their contracts, they may end up paying in full for incomplete or unacceptable services,” Ramesh said. “Some may have contracts with third parties that do not specify service level agreements and associated financial incentives.” He illustrated this point with the example of the three-way match system which brought together and matched the purchase order, delivery/acceptance note and invoice, which would result in automatic and prompt payment.
Another challenge for TPRM is the growing reliance of businesses on subcontractors in the supply chain. This adds another layer of complexity. Fourth parties, too, have been responsible for disruptions, spurring companies to urgently identify, review and assess fourth parties in their supply chains and the broader ecosystem. “Most companies may not look or even consider their fourth party but the bigger the company, the more you have to up your game,” Ramesh cautioned. “The challenge will likely be exacerbated further if there is no contractual arrangement relationship with fourth parties.” Risk professionals need to understand the relationships of their third parties and subcontractors, he said.
“We need to understand where they are exposed because this becomes our exposure as well,” he pointed out. Many TPRM programmes are also underfunded; they can’t do what needs to be done. This is often due to companies underestimating what a sound TPRM programme requires. “These budgets need to meet requirements at the enterprise-wide programme level, instead of at the level of individual third-party transactions,” Ramesh stressed. Businesses may not fully appreciate the complexity of TPRM, but many managers believe TPRM is undervalued, given the extent the business relies on third parties, he added.
This lack of funding also prevents TPRM leaders from uplifting the technology, talent and processes that could enable companies to create new efficiencies and strategically assess third parties. But what should firms consider? “Operational resilience needs more TPRM,” Ramesh said. “This is a critical area where the various TPRM teams could make a stronger contribution and play a more active role. Considering what could potentially go wrong when inadequate TPRM assessments are made in the supply chain, and how goods are delivered to the client, any third party provider that is utilised to supply or deliver, basically becomes part of the value proposition we give our clients.”
Operational resilience is more than just business continuity; companies have to look at multiple factors around the delivery of goods and services to understand how the value chain can withstand third-party technology, location, people and other disruptions when they often end up occurring together. Strong, consistent leadership, a concerted enterprise-wide approach, and the ability to talk the language of the business are prerequisites to managing the complexity involved in running services across multiple business units, locations, technologies, and people involved. But what will it take for proper budgets to be allocated?
“If a more holistic view is factored into the design and build of a TPRM programme, showing how other programmes depend on it, its scale and scope will become clearer,” Ramesh said. “This will allow leadership to allocate appropriate budgets to deal with enterprise-wide TPRM needs.” TPRM teams are already relying on technology, where possible, to try and lift the load; almost half of all TPRM tasks are already supported by technology or some form of process automation, he said. But issues remain. Feedback suggests that existing tools are unsatisfactory or burdensome, leading to user dissatisfaction.
The lack of visibility remains a critical and primary issue. These visibilities refer to the different stages of the contracting process, from understanding what kind of controls are based in a third-party environment to managing service delivery in line with expectations. With these existing limitations, scaling up automation can present several challenges and risks which could prove counterproductive. Procurement, contract, life cycle management, and vendor performance systems vary, and integrating all this with the underlying data needs to be dealt with holistically, not separately and independently, which tends to happen in today’s environment.
“We need to be sensible about how we do some of these things,” Ramesh cautioned. “Many businesses do not have all the TPRM capabilities they require. Expanding the team’s remit to cover a holistic array of risks and to achieve a deeper understanding of how these risks are managed, by each of the third parties, can significantly increase the pressure already on them.” One example of additional pressures comes from corporate ambitions around ESG performance, he said. “ESG has grown rapidly in importance and the TPRM focus on ESG-related risks is expected to increase.” He recommended focusing on the interconnection between ESG and reputational risk.
While companies may want to assess third parties to know if they are affiliated with other third parties who may have a chequered past about ESG, it may not be necessary to do a full environmental risk assessment. Increasing background checks from a reputational perspective, for example, may be all that is required. “Pick the ones who have a bad track record of environmental matters, and put them on a watch list,” he advised. “Any of your third parties dealing with these subcontractors will automatically raise a red flag.” Additionally, it was worrying that businesses were not taking TPRM as far as it needed to go.
“The focus up to now has been on addressing tactical issues rather than getting an enterprise-wide fix throughout the organisation,” he said. “There is a real need to sort this out. Risk managers have to drive this throughout the organisation. One of the challenges is that TPRM tends to be a component of a larger programme focused on procuring and managing services. Businesses today are all highly interconnected entities with extensive interdependencies on third-party vendors who provide everything. Every supplier relationship and the risk it poses to business sustainability if the supplier experiences disruption needs to be understood.
Third-party vendors should be subjected to rigorous due diligence at the start of the relationship and the onboarding, and be regularly monitored as new risks emerge. “In addition to everything else, you need to monitor data risks across the organisation,” Ramesh said. “Corporate data must continue to flow. This is critical and must therefore be protected and managed in a way that is compliant with data protection and regulation.” The health of third-party IT suppliers needs to be regularly monitored as well, to ensure they are robust and resistant to disruption, including cyber security incidents and physical events.
TPRM is likely to remain high on board agendas, as businesses grapple with new and evolving regulations, complex operating models, and fast-growing vendor bases, as well as other realities such as cyber security and supply chain disruptions. “There are no quick fixes, especially as budgets are limited and executives find themselves continually prioritising and re-prioritising their resources in this evolving business landscape,” he said, suggesting some common focus areas for organisations which may be seeking to put in place a TPRM programme. “One easy but key method of dealing with implementing and achieving TPRM transformation is by extending best practice ERM principles throughout the corporate ecosystem. There is nothing that can solve this problem better than by applying basic ERM principles.”
