The views and opinions expressed in this article are those of the thought leader and not those of CeFPro.
By Malcolm Parker, TPRM Service Line Leader, Mobius Consulting
Can you provide an overview of third party risk management best practices that institutions should consider to enhance their programme?
We have seen an evolution of third party risk management practices over the last few years. Organisations are moving away from the manual spreadsheet assessments and questionnaires, choosing instead to adopt workflow and automation tools that will modernize and optimize their third party risk management programmes.
These automated third party risk management tools also allow organizations to collaborate across the lines of defence. Consider leveraging your internal audit functions to review assessments and your compliance function to provide input on your assessment questionnaires to ensure alignment with internal control catalogues.
The last best practice trend I would like to mention is the increased complexity of the third party landscape and the nature of the risks to be assessed. A few years back, the primary risk driver was cyber and the risk of a third party data breach. Now, companies are responsible for assessing a myriad of other risks that third parties may pose. In this new era, organisations have to keep in mind resilience, sustainability, brand compatibility, workplace safety and many more factors in order to ensure the organisation's business and brand is not derailed by an irresponsible or delinquent third party.
How do you see programmes differ across industries and how can different sectors leverage insight from each other?
Third party risk management differs between industries when it comes to the maturity of their risk management programmes, with some sectors being more mature than others. A prime example is within the financial services industry: due to the sensitive nature of financial transactions and stringent industry specific regulations, most organisations are further along their maturity journey towards optimization.
With that said, cross industry regulations such as GDPR have forced other industries to catch up quickly and often leapfrog maturity levels by being early adopters of workflow tools or choosing an outsource model.
Where do you see some of the common pitfalls in third party risk programmes that could help institutions identify early signs?
One of the most common pitfalls that I have seen in new third party risk management programmes is an almost robotic focus on annual assessment with too little emphasis on tracking and driving the remediation of vendor control weaknesses. It is simply unacceptable to identify the same gaps one year later. Unfortunately, this is fairly common in the first few years of most programmes.
In a similar vein, many organizations fail to align their new vendor due diligence processes with the TPRM requirements. Your TPRM programme will be fighting a losing battle if you don’t collaborate with procurement and contracting functions to ensure all new vendors are assessed and vetted prior to onboarding.
Another common pitfall is not working with existing internal vendor relationship managers. These managers have the best knowledge of the vendor, especially their products and services. Relationship managers can provide invaluable information in a few minutes, and these insights allow us to risk profile third parties quickly and accurately.
Without giving too much away, what 3 tips would you give to an institution in any sector to enhance TPRM oversight?
Firstly, it’s important to understand where your organization is in terms of maturity. Begin with identifying the largest obstacles that need to be managed in order to maintain a sustainable TPRM programme that actually reduces your third party risk. It seems like an obvious thing to say, but many organizations get so bogged down in the volumes of third parties being assessed and the monotony of reassessing third parties on an annual basis that they lose sight of the objective of the programme.
I’ve mentioned it before and I’ll say it again, if you are still doing manual assessments it is time to make a change. Take advantage of the different automated workflow solutions that are available on the market, like the Triplicity solution we utilise. It is difficult to get your head above water if you are still doing manual assessments.
Finally, do not underestimate the importance of leadership and executive support for your third party risk management programme. If the risks are not being escalated to the highest level when appropriate, you will not get the resources and tools you need to be successful.
Why is it so important that industries have oversight and management of their third parties on an ongoing basis?
Simply put, third parties are probably your biggest blind spot in terms of risk to your organization. It is essential to place reliance on third parties, so your organization can focus on its core operations. However, you cannot outsource the risk and it will come back to bite you if you are not managing your third party risk effectively.
How do you see the risks of third parties and oversight requirements evolving over the next 2-3 years?
Ironically, I believe that the future of third party risk management lives with third parties. To keep up with the times, third parties are being driven to create new and innovative solutions that allow organisations to assess and manage third party risk on a continuous basis.
Malcolm presented at Global TPRM: Cross Industry, which took place virtually on December 8-9.