Across many organizations, there is an outstanding need to baseline what, if any, activities are taking place to manage third-party due diligence proactively. From my specific experience, Procurement's role is only sometimes well established and often has limited involvement in third-party risk management. The lack of engagement with the Procurement team introduces unnecessary risk and exposure for an organization.
Incorporating Procurement in third-party risk management and analysis will increase visibility, broaden awareness, and reduce risk by ensuring consistent sourcing, contracting controls, management, and monitoring processes. The standard practice for most Procurement teams includes evaluating new third parties, facilitating the sourcing and contract negotiations, and primarily being responsible for ensuring appropriate terms are in place. However, without a clearly defined path of communication and standardized processes, there's still potential for the organization to be exposed to unknown risks when bringing on a new critical third party.
Anna Sgro, Procurement Category Manager of IT, Maxar
Large, fast-growing multinational companies involved in multiple mergers & acquisitions will often have many disparate processes in place to manage third-party risk. There may be programs developed by individual group companies or parts of the group to meet general procurement needs. Corporate functions such as Privacy, Information Security, Corporate Social Responsibility, or Anti-Corruption may have developed customized programs to meet regulatory requirements or address audit findings. Other programs may have been driven by the need to respond to vulnerabilities arising from macroeconomic events, such as systemic risks in the financial market or the impact of Covid on the viability of cross-border supply lines. The multiple languages and cultures add a layer of complexity.
A root-and-branch review may enable the business to simplify processes, strip out unnecessary costs and duplication, and ensure that the key risks are overseen appropriately and proportionately. The approach must be focused on the return on investment to make it easier to justify and obtain the necessary resourcing.
But where to start?
It is tempting to jump in and start solving the problem before it is well understood. But do not rush.
First - Remember to Reinvent the Wheel.
Nathan Coffey, Senior Vice President of Privacy & Compliance, Teleperformance
All companies rely on a third party, if not multiple. Therefore, it is critical to pick the right ones. Choosing a third party aligned with your company's third-party risk framework and understanding your company's overall objective will make your organization more robust and competitive in the long run. I will begin by defining what a third party is and then shed light on these topics: the main drivers of third-party risk management, the steps of third-party lifecycle management, and why third-party risk is often overlooked.
A third party is a business relationship between your company and another entity that is not your customer, including an affiliate company. When we think about third parties, we are usually thinking about vendors. Other examples can be service providers or outsourcers. In this global environment, corporations are engaging with countless third parties to complete their business needs. Unfortunately, with every third-party arrangement comes an ever-growing scope of risk. As more and more companies begin to rely on third-party relationships, effective risk management, due diligence, and continuous monitoring need to grow with it.
Mitchell Gustafson, Third Party Risk Analyst, NationsBenefits
Organizations increasingly depend on third-party service providers of varying sizes, including start-ups, to meet the digital-age challenges of technological innovation and heightened competition. In a quest to succeed, organizations involved in digital transformation initiatives partner with more innovative start-ups, thereby increasing third-party risk. There is a progressive shift from a traditional 'cost' focus to a 'shared risk' and 'value-driven partnership'.
This is also a growing reflection of organizational recognition that third parties can create strategic win-win opportunities. These new-age partnerships require a different approach to managing third-party risks. Organizations that can continuously monitor and take on calculated risks in their engagement with third parties are the ones that will be able to stay ahead. This article reflects on how technology can help support a new integrated third-party governance and risk management approach.
Traditional Third-Party Risk Management Approach – the challenges
Traditionally, organizations have relied on total upfront due diligence for risk mitigation. This approach attempts to identify potential third-party risks upfront, before contracting, resulting in longer onboarding time. Typically, this involves sharing due-diligence questionnaires and collating responses from third parties. This only provides a point-in-time assessment – a highly ineffective approach prone to failures.
Jai Chinnakonda, Co-founder of ENGAIZ, ENGAIZ Inc.