SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Erran Thomas discusses how to establish the operating framework of a Third-Party Risk life cycle

Regarding the Third Party Risk Management practice, we recognized that our organization performs many of the needed activities in a siloed manner. Many of the activities are happening in different ways to different levels of rigor, so there was a need to standardize the necessary actions, as we believe that it will help bring efficiency and support our organization in making better risk intelligent decisions, which in turn reduces time later. 

As a result, I will focus this essay on the learnings as it applies to establishing a formalized framework. The learnings covered in the C3PRMP course have helped by providing insights on some of the structured building blocks required in establishing a standardized Third Party Risk Management program (TPRM, which will be developed and piloted later this year). In one of the modules, Linda Tuck Chapman discussed the term' operating framework', which describes the necessary tasks and activities that organizations would go through within the TPRM lifecycle from the beginning of a relationship through termination or renewal. We've learned in the modules that the TPRM Framework (Operating Framework) sets out the requirements for effectively managing risks arising from Business Arrangements between our organization and Third Parties. This can range from arrangements that include products or services, business activities, functions, or processes that need to be undertaken.  

Thrust into the spotlight due to the pandemic and now the war in Ukraine, the demand for sourcing professionals to deliver maximum value has never been greater.

To start, "maximum value" is no longer about getting something at the best price – if it ever was. I base the "ever was" on the words of a 20-plus-year industry veteran who has held senior executive positions with a major global brand and stressed that it has never really been about cost savings alone. If it were, they added, they would have left the industry a year and a half after they started.

So, if it isn't about cost savings, what is it about?

It is about agility, resilience, and being strategic. It is also about breaking through existing barriers to achieve optimal outcomes through digital transformation. In other words, the merger of people skills with emerging digital tools such as Life Cycle Contract Management (CLM) solutions.

The Seven Steps to Success in Sourcing paper was written with the above objectives in mind.

Beyond providing an outline of the challenges with which sourcing professionals are now contending, in this article, I will review the paper's "seven steps" within the context of a CLM framework. Included will be a deeper dive into one of the steps – Improving transparency.

Barriers To Agility

The paper talks about the challenges of "cumbersome siloed data" and points out that sourcing professionals are weighed down (and slowed down) by "outdated traditional systems" and "complex, often manual" processes.

While these have been significant issues, they take on new meaning in a post-pandemic world, a new meaning in which supply chain resiliency is being stretched to the breaking point.

As a result, the risk of "slow, inflexible sourcing processes" reduces agility and, with it, the ability to adapt to the at times, unpredictable changes in the marketplace.

Before any organization can do business with an external vendor, it needs to examine its data privacy protocol against new legal requirements. Recent legislations like General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in the U.S. has cast a spotlight on the handling of consumer data, especially the way it is shared among third parties. Organizations of all sizes in every industry are upgrading the vetting processes to make sure that new vendors don’t bring additional risks.

These risk assessment processes contain several moving parts, and a mistake at any point along the way can jeopardize the result. The easiest way to pinpoint the holes in your organization's vendor vetting workflow is to review the entire process from beginning to end and examine the opportunities for data privacy lapses. Here are four common pitfalls to look for:

1. Overlooking Contract-level Details

Amid all the changes happening to the regulatory landscape, it’s easy to overlook errors in the language of your contracts. In a short window of time, contract language—on old and new agreements—needs to be updated to provide consumers with new legal protections and redefine business-to-business relationships with any party that touches consumer data. If contracts are being negotiated in that window, some terms might slip through the cracks and expose you to new risks.

According to reports authored by the International Association of Contract and Commercial Management, the Aberdeen Group, and the International Association of Outsourcing Professionals, the average contract loses approximately 17% to 40% of its value from the time of execution through to close-out. Value leakage can range from things like low adoption rates, non-value-added change orders, lack of innovation, poor governance, etc. This blog post will help contract professionals understand how customer-supplier relationships lose value and three best practices to preserve value.

Move Beyond Deal Points

Typically, negotiators think in terms of “getting the best deal”, meaning, financial and legal Terms that are favorable to the negotiator’s organization. Here is the problem: if businesspeople accept this premise, they are negotiating short-term “deals” in a complex, long-term business environment.

Focusing on the “deal” often leads to losing focus on the larger business goal(s) that a customer-supplier relationship seeks to address. For example, an overemphasis on “getting the best deal” often results in failing to fully document costly aspects of the work in the Statement of Work, failing to include adequate inspection, testing and cure processes, and failing to document and control common risk events.

Furthermore, focusing on the “deal” also precludes the inclusion of innovation in the delivery of goods and services. Buying emerging technologies like artificial intelligence, robotic process automation, cloud computing, or cognitive automation is the new norm, yet only 21% of respondents in Deloitte’s 2016 Global Outsourcing Survey reported that innovation was a key part of their contracts.

Edward J. Hansen brings more than 20 years of experience representing clients in technology transactions that involve significant business change. If you’ve attended a SIG Summit, then you are likely familiar with Ed and his work. In addition to being an active speaker at industry conferences, he has authored and presents the “terms and conditions” module of the SIG University certification program, regularly conducts contracting master classes (including for SIG’s Executive Immersion Program), serves on the advisory board of the Shared Services and Outsourcing Network, and is a regular guest lecturer at New York University’s Executive Master of Business Administration program.

You have a lot of experience representing clients in technology transactions. What are some examples of how technology has changed or impacted the way you approach your job?

The technology in place at any given time actually has little impact on how I approach my job. What does impact my job is the fact that the technology landscape when the deal is two years old may not be the same as it was when we went out to RFx.

I started working in the technology space in 1993 and spent almost a decade working with companies who were undertaking reengineering efforts. What I learned, mostly through trial and error, is that the process you go through in procuring and contracting for transformational technology is at least as important as the contract that emerges. Because of the velocity of change, the relationship you form during the process is often what carries the deal, and the contract has to reflect that.