Third-Party Risk Management: An Opportunity for Procurement

Risk spelled out on individual colored sticks on a black background.

Hundreds, thousands, or even tens of thousands of third parties power your company every minute of every day, in all your markets and geographies, for every product and service. Third parties are everywhere, in virtually every part of your business. You have less control over third parties than over your internal operations, so getting this right is essential for your company’s success. 

Third-party relationships are complicated. But the “right” third parties, if thoughtfully evaluated, managed and controlled, deliver what you contracted for and serve up many opportunities to be better. Better means new products, services and markets. Better means access to specialized top talent, processes and technology. Better means less risk.

Unfortunately, risk is everywhere and even though technology is advancing in leaps and bounds, operational ecosystems are growing more complex every day. Consequently, risk events, cyber attacks, fraud, data corruption and privacy breaches are becoming commonplace, and are too often the fault of a careless third party. The proliferation of third-party relationships and new technologies means that it’s hard for companies to stay on top of third-party risks, and even harder to implement effective controls, monitoring and oversight.

A New Discipline

Management of third-party risk is a relatively new discipline – involving a new set of skills, rigorous methodologies, well-crafted tools and advanced technologies. But proactive professionals need to learn the language of risk and learn it quickly because everyone is now a risk manager and everyone is responsible for effective and efficient risk management, particularly for critical third parties.

My experience as an advisor, educator, author and former Chief Procurement Officer in a highly regulated industry sparked my interest and opened my mind to the intricacies of third-party risk management, which is incredibly interesting and wide-ranging in scope. Third-party risk management starts with understanding the strategic goals of the organization and how the risk culture established by senior management and the board, known as the “tone at the top,” aligns with strategy. Then you need to translate the risk culture, business imperative, threat landscape and legal/regulatory landscape into repeatable practices that add value. To do this well you must have a strong working knowledge of every driver of operational risk and a flexible but pragmatic approach.

Whether it’s cyber risk, privacy and information security risk, technology risk, business continuity risk, fraud or financial risk; or the tools and techniques you need to master to identify, assess, manage and control costs, risk, performance and value; there are many things to learn! And rest assured that the knowledge is essential. Understanding third-party risk adds value to your business partner relationships. You need to be able to apply your knowledge and expertise to the “who,” “what,” “why,” “when” and “how” of third-party risk.

Research, expertise and experience converge in my book “Third Party Risk Management: Driving Enterprise Value, ” (published by Risk Management Association). The book dives into a into a wide range of emerging practices based on my expertise and experience as a “serial” Chief Procurement Officer accountable for third-party risk management, and as an advisor to companies implementing, strengthening or streamlining their third-party risk management capabilities.

A Proactive Approach to Control for Risk

Complex operational ecosystems and the third parties that power them present substantial risk. Investing in qualified training is the best and only way to successfully control those risks. These investments arm procurement, risk professionals and third-party managers with the tools they need to do their jobs and be valued by their business partners.

The real value proposition for you is acquiring the applied expertise for detecting, reducing or eliminating third-party risks. This equips your business partners with the right information so they can make the best possible decisions for the business and the company. Adding value also means taking a leadership role so you can accelerate the response, remediation and resolution when a serious risk event occurs.  The value proposition is very real: it helps to protect your company’s operations, reputation and the bottom line. 

If you’d like to “speak” the language of third-party risk management, I'll be holding a workshop on the fundamentals and frameworks of third-party risk management in Toronto in November, or you can join me in the virtual classroom through SIG University. Designed for practitioners, relationship managers, risk specialists and managers, it takes the content in my book to the next level.


Visit SIG's website to learn more about joining the Northeastern Regional SIGnature Event and the details of what we'll cover in the workshop or to register for the Certified Third Party Risk Management Professional program through SIG University.

 
Linda Tuck Chapman, Third Party Management advisor, author, popular speaker & President, Ontala

Linda Tuck Chapman: Advisor. Educator. Author. Expert. Linda is a recognized subject-matter expert, trusted advisor, published author and popular speaker. As former Chief Procurement Officer in three major banks, her clients benefit from her experience, expertise and pragmatic approach.

Linda is creator/professor of the “Certified Third Party Risk Management Professional” (C3PRMP) for SIG University, based on her book “Third Party Risk Management: Driving Enterprise Value”, available on Amazon. Her expertise is frequently profiled in industry-leading publications such as The RMA Journal, Wall Street Risk Journal and Future of Sourcing, strengthened by her extensive network, professional associations and SIG University.