Large, fast-growing multinational companies formed through multiple mergers and acquisitions will often have many disparate processes in place to manage third-party risk. There may be programs developed by individual group companies or parts of the group to meet general procurement needs. Corporate functions such as Privacy, Information Security, Corporate Social Responsibility, or Anti-Corruption may have developed customized programs to meet regulatory requirements or address audit findings. Other programs may have been driven by the need to respond to vulnerabilities arising from macroeconomic events: systemic risks in the financial market, or the impact of COVID-19 on the viability of cross-border supply lines. Multiple languages and cultures add a further layer of complexity.
A root-and-branch review may enable the business to simplify processes, strip out unnecessary costs and duplication, and ensure that the key risks are overseen proportionately. The approach must be focused on the return on investment to make it easier to justify and obtain the necessary resourcing.
But where to start?
It is tempting to jump in and start solving the problem before it is well understood. But do not rush.
First - Remember to Reinvent the Wheel.
Nathan Coffey, Senior Vice President of Privacy & Compliance, Teleperformance
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate Charlie Swartwood shares his description of important elements in an effective and efficient third-party risk management program and how he plans to make good use of them in his firm.
Charlie Swartwood, Vendor Compliance Advisor, Hyland Software Inc.
All companies rely on at least one third party, if not several. Therefore, it is critical to pick the right ones. Choosing a third party aligned with your company's third-party risk framework and understanding your company's overall objective will make your organization more robust and competitive in the long run. I will begin by defining what a third party is and then shed light on these topics: the main drivers of third-party risk management, the steps of third-party lifecycle management, and why third-party risk is often overlooked.
A third party is a business relationship between your company and another entity that is not your customer, including an affiliate company. When we think about third parties, we are usually thinking about vendors. Other examples can be service providers or outsourcers. In this global environment, corporations are engaging with countless third parties to complete their business needs. Unfortunately, with every third-party arrangement comes an ever-growing scope of risk. As more and more companies begin to rely on third-party relationships, effective risk management, due diligence, and continuous monitoring need to grow with it.
Mitchell Gustafson, Third Party Risk Analyst, NationsBenefits
Organizations increasingly depend on third-party service providers of varying sizes, including start-ups, to meet the digital-age challenges of technological innovation and heightened competition. In a quest to succeed, organizations involved in digital transformation initiatives partner with more innovative start-ups, thereby increasing third-party risk. There is a progressive shift from a traditional 'cost' focus to a 'shared risk' and 'value-driven partnership.'
This is also a growing reflection of organizational recognition that third parties can create strategic win-win opportunities. These new-age partnerships require a different approach to managing third-party risks. Organizations that can continuously monitor and take on calculated risks in their engagement with third parties are the ones that will be able to stay ahead. This article reflects on how technology can help support a new integrated third-party governance and risk management approach.
Traditional Third-Party Risk Management Approach – the challenges
Traditionally, organizations have relied on total upfront due diligence for risk mitigation. This approach attempts to identify potential third-party risks upfront, before contracting, resulting in longer onboarding time. Typically, this involves sharing due-diligence questionnaires and collating responses from third parties. This only provides a point-in-time assessment – a highly ineffective approach prone to failures.
Jai Chinnakonda, Co-founder of ENGAIZ, ENGAIZ Inc.
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate John M. Lehr discusses how third-party risk management teams must enter into a safe third-party relationship and how to build and maintain trust, as well as how to adapt as the consumer wants and needs evolve rapidly.
The world of Third-Party Risk Management is one of frequent change. As consumer needs evolve rapidly and our lives speed up the market for the "next new," we are faced with changing our business and operating models. With each wind of change, our sails just as well – at least in theory. In the face of changing winds, organizations must work harder and faster to keep up.
But we must ask ourselves, is slowing down the new speed up? In her blog titled, "RegTech and the Role of Third-Party Risk Management," a well-respected leader in the Third-Party Risk Management industry, Linda Tuck Chapman, states, "Since the 2008 financial crisis, the U.S. has arguably become the most complex and costly jurisdiction for regulatory compliance." She goes on to state that "The financial services sector leads the pack in terms of the amount of regulation it is subject to, including the compliance challenges, regulations, and laws in near and far-flung jurisdictions, as well as the cost and complexity of compliance, risk management, and governance practices."
John M. Lehr, Lead Business Risk and Controls, USAA
Regarding the Third-Party Risk Management practice, we recognized that our organization performs many of the needed activities in a siloed manner. Many of the activities are happening in different ways and to different levels of rigor, so there was a need to standardize the necessary actions. We believe that this will help bring efficiency and support our organization in making better risk-intelligent decisions, which in turn reduces time later.
As a result, I will focus this essay on the learnings as they apply to establishing a formalized framework. The learnings covered in the C3PRMP course have helped by providing insights on some of the structured building blocks required in establishing a standardized Third-Party Risk Management (TPRM) program, which will be developed and piloted later this year. In one of the modules, Linda Tuck Chapman discussed the term 'operating framework', which describes the necessary tasks and activities that organizations would go through within the TPRM lifecycle from the beginning of a relationship through termination or renewal. We've learned in the modules that the TPRM Framework (Operating Framework) sets out the requirements for effectively managing risks arising from business arrangements between our organization and third parties. This can range from arrangements that include products or services to business activities, functions, or processes that need to be undertaken.
The Bane of the Unknown
SIG University Certified Third-Party Risk Management Professional (C3PRMP) program graduate MJ Ellis shares a unique perspective on the fundamentals of effective third-party risk management through the panes of the Johari Window.