Maturing the third party risk management program to bring efficiency and value to the business

Shamial Afzal, Global Head of Strategic Supplier Oversight, Legal & General Investment Management

Below is an insight into what can be expected from Shamial’s session at Vendor & Third Party Risk USA 2023.

The views and opinions expressed in this article are those of he thought leader as an individual, and are not attributed to CeFPro or any particular organization.

What does the process of designing a TPRM program to bring efficiency look like?

Firstly, set out an approach that addresses what TPRM will look like within your firm. Is this something new? Are there existing programs and teams that you can bring together to work with you in getting the right attention and focus on the TPRM program?

Either way, it’s important a robust gap analysis is carried out once you have decided which key components you are looking to address in a TPRM program. Key components include regulatory obligations, senior management role and responsibilities, supplier risk taxonomy, reporting requirements, alongside identifying, and categorizing the materiality of your supply chain.

Securing sponsorship of the TPRM program is important, and regular engagement with the C-suite including the Chief Operating Officer/Chief Risk Officer is important. Ensuring they are not only kept updated on progress but can also steer you to keep things real and aligned to appetite and proportionality. This will also help you in driving further efficiencies in your TRPM approach.

Once you have a TPRM program up and running, you can tailor TPRM activities so that they complement the firms’ culture and support building out a strong TPRM culture too. It is important that firms focus on outcomes and how this will be reported and shared, to ensure that TPRM not only addresses immediate gaps and on-going concerns but also brings an efficient way of bringing the right level of TPRM intelligence into the firm.

If in a subsidiary, the TPRM program needs to integrate with Group approach whilst considering any nuances for non-UK entities

How can we ensure the TPRM program is cost efficient?

Once you have mapped out the key components of the program and identified existing versus new requirements that will need to be developed, it’s important to complete a cost benefit analysis. This will consist of an honest and open review of the firm’s environment and capabilities whilst looking closely at existing tooling and what can be improved.

Alongside other factors such as resources to deliver the TPRM program, a leaner and agile approach are key considerations. An agile approach can deliver a series of smaller yet impactful changes that demonstrate further value and efficiency of a TPRM program. Utilizing external practitioners in the shaping of a program and getting resources to execute and run into the business-as-usual environment could be another way of demonstrating cost efficiency.

This in turn gives a firm’s program the right level of attention and makes the case for further investment easier as the program clearly drives out the right outcomes in a timely and efficient manner.

Demonstrating value as you progress the TPRM program is key, and this can be easily completed at each milestone and stage of the process.

Spending the time in identifying key resources with the right skills, experience and ability to drive the TPRM agenda is important. This needs to mirror the firm’s appetite as well as being the right fit for the environment post TPRM activity. Firms could also look to combine resources from offshore entities that will also bring together a diverse set of thinking that can only benefit the overall TPRM program.

How can Technology be utilized to ensure an effective TPRM program?

Technology plays an important part in the delivery and more importantly in the sustainability of any TPRM program.

However, firms will grapple between existing and new requirements to enable a good system that reports with the right level of meaningful intelligence that can be extracted and shared amongst key stakeholders within the firm.

It’s important to signal at the beginning of a TPRM program that the technology requirements and the utilization of existing risk-based systems must be reviewed and perhaps configured to identify third- and nth-party risks such as concentration risk.

Ideally the tooling should be able to integrate data points across various risk domains to make reporting more automated than manual.

Reporting and subsequent findings need to be efficient and meaningful so the insights can be used for multiple purposes and reporting to relevant committees and boards.

The utilization of other technology solutions by firms can also be adopted for TPRM, such as information security and resilience-based tools. These tools should provide essential information that can plug into your TPRM profile and further strengthen your program.

Technology is important when you are moving from program status into a business environment. Analyzingthe right technology solution and tools enables the firm to be able to spend time reviewing the profile and identifying key themes and trends of third- and nth-party risks and performance.

What is difference between traditional DDQ and real time monitoring? What benefits can this swich bring?

Traditional DDQs are sent at a particular time of the year and reflect the current state of the third party in that period and has more of a focus on control design and effectiveness. Whereas real time monitoring focuses on actual performance and crystalized risk events.

There is a place for both in the overall assurance of third parties. A mixture of both traditional DDQs and real time monitoring can bring about a good level of intelligence relating to third parties and their supply chain.

Many benefits include the opportunity for firms to pull together different outputs of due diligence and monitoring that hone in on key supplier risks that may crystalize and in turn spark actions to mitigate those types of risks identified, which is an ideal solution.

Clearly, there are further benefits of due diligence and real time monitoring that also contribute to upward reporting and providing vital intelligence that demonstrates a firms’ third party risk oversight capabilities. This in turn aims to keep firms safe when it comes to the oversight of Third Party Risk Management.