This content has been archived. It may no longer be relevant.

Trust-based TPRM: How to extract greater value from your TPRM program

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

Matthew Moog, General Manager – Third Party Risk Management, OneTrust

Why is trust so important when it comes to third-party risk management?

Trust looks beyond traditional risk management, which focuses on risk and control structures for cybersecurity, resilience, and compliance, and encompasses broader concepts such as ethics, ESG, governance, responsible AI, performance, and alignment with an organization's mission, brand, and purpose.

With a trust-based approach to third-party risk management (TPRM), organizations can focus on the upside of working with third parties rather than solely on limiting the downside. Your third parties are a reflection on your organization, and your reputation is critical to business success, which makes a trust-based approach to managing third parties vital.

This is not just an idea. Organizations that have invested in trust have recovered faster and performed better when compared to their peers since the COVID crisis. Trust unlocks much deeper client and third-party relationships and helps organizations maximize the collective value of their third parties.

How can we pivot TPRM strategy to fully integrate with the silos of enterprise trust?

The first step for any organization is to define what trust means for it. This is a broader topic than third parties alone, because organizational trust accounts for all of an organization's stakeholders, including, but not limited to, customers, employees, investors, regulators, boards, and yes, third parties.

Once the components of trust have been agreed upon, risk models must account for non-risk factors and make trust quantifiable by establishing limits or an appetite for it. Typical risk models have historically been structured to evaluate inherent risk conditions across many risk domains and then apply controls to arrive at a residual risk. What they have not considered are non-control-based data points that may erode stakeholder trust, such as reputation. Having defined what trust means to it, each organization should make sure its program can set appetites not only on risk elements but also on the elements that round out that definition of trust.

How do we transition to trust-based third-party risk management?

While third-party risk has remained a compliance-centric exercise, it has grown to a size and scale where some organizations are starting to consider the frequency of disruptive events and the impediment these events are likely to pose to their business.

Companies are beginning to stop and ask: “Is there a better way to do this?”

To find this better way, organizations must make a strategic mindset shift, moving from the tactical, traditional activity of questionnaire-driven third-party risk to a value-added program built on trust, one that aligns with the company's aspirations, brand, and appetite.

For example, suppose a company has evaluated a particular third party for seven years running using a questionnaire and has consistently gotten the same results. Is there any added value in simply repeating that evaluation for the eighth year in a row? Has anyone asked what the ultimate objective of the activity is, and whether decisions are being based solely on risk instead of on what is right for long-term growth? There is a wealth of data at our fingertips that did not exist five or ten years ago: cyber scores, location risks, carbon footprints, diversity metrics, historical performance, and more. Yet this data is rarely used to make trust-informed decisions.

To enable this, one of the first considerations should be the operating model. How does the organization come together to make enterprise-wide decisions on trust, and not just siloed decisions on risk? Organizations that lead with trust are able to see multiple trust-related data points through a single pane of glass and make informed, trust appetite-based decisions at speed and scale.

What are the necessary steps required to implement third-party trust management?
  1. Define what trust means for your organization
  2. Evaluate how your organization is structured and what changes to your operating model may be necessary to embrace trust
  3. Define your trust appetite on a per-domain basis, both for individual relationships and in aggregate
  4. Report to executive management and the board on trust-first principles, refining as necessary

Today, companies are asking themselves: "What are the different risks we're dealing with now?" But within that broader risk lens, they are adapting to a slightly more relaxed control structure, because increased pressure on costs combined with increased volumes of third parties leaves them no alternative.

Legacy standards that defined third-party risk programs for the last fifteen to twenty years are being re-examined, and that ties directly into the evolution of the "risk" assessment into a trust-centric approach. With each passing year that we collect and analyze market data, it is striking how much progress has been made in such a short period of time. Some portions of the market have gone from audit-like assessment execution functions to full-blown, multi-dimensional trust management functions. These companies are starting to lean into their third-party risk functions as strategic differentiators for the organization, as opposed to business impediments and check-the-box compliance activities.

Embracing trust allows organizations to focus their efforts where they are most fruitful, reduce low-value activities, and align with company-wide aspirations to improve the world around us.

Matthew will be speaking at our upcoming Operational Risk Management USA Congress, taking place on October 12-13 at Etc Venues Lexington.
