Risk Management: Third-party Considerations and Strategies
In this third and final part of our 2021 risk management strategies series, we hear from David Natoff who outlines the challenges, responses, and key strategies for effectively managing third-party risk.
Third party risk management (TPRM)
A third party is a company or entity with whom you have an agreement to provide a product or service to you or to your customers on behalf of your organisation. A third party is not directly controlled by either the seller (first party) or the customer/buyer (second party) in a business transaction. Third parties are therefore not limited to suppliers but also include subcontractors, partners, investors, affiliates, joint ventures, distributors, subsidiaries, resellers and more. This can make TPRM a challenge for Procurement, as it does not solely focus on suppliers.
Risk considerations can include technology (cyber), operational, reputational, financial, people, legal and regulatory risk.
Companies may opt to use a distributed model, through which the business relationship manager coordinates inherent risk assessment activities. Alternatively, businesses may identify a centralised team that facilitates the inherent risk assessment on behalf of (and with input from) the business. In this model, the centralised team helps business relationship owners overcome challenges. The centralised team executes the risk assessment activities and provides the outputs to the business relationship managers, who finalise the decision to proceed with the third-party provider.
Many organisations struggle to manage TPRM consistently across their company because they often lack a centralised model in which a single business unit holds responsibility and accountability for it. While some organisations have a risk compliance function, many do not, and as such functions such as Finance, Procurement, IT, Legal, Audit and other groups may own the programme or hold aspects of responsibility for it. While hybrids of centralised and distributed models exist, there is often a greater leaning toward a centralised model.
Some of the TPRM challenges and issues organisations face include:
- Not having a single leader of the programme and a reporting structure to senior management and the board of directors.
- A lack of clear roles and responsibilities across the TPRM lifecycle and no inventory of policies/standards.
- An ineffective technology architecture for efficient workflow, task automation, and reporting with a well-understood audit trail.
The Covid-19 pandemic has been a forcing function accelerating many organisations' third-party risk management programmes. Some of the responses to the pandemic include:
- Creating a response team, establishing cross-functional points of contact and an operating policy for responding to internal and external requirements and business continuity.
- Expanding current risk governance, methodologies, protocols and tolerances.
- Investing in technology to assist with identifying and prioritising risk, such as using advanced analytics to assess disruption.
- Identifying and implementing alternative suppliers to monitor and support high-risk suppliers.
- Enhancing corporate social responsibility initiatives by supporting smaller, diverse and local suppliers through offering flexible payment options and developing stronger partnerships to spark innovation.
Key strategies Procurement should be thinking about in 2021 include:
- Using a Centre of Excellence to provide TPRM leadership and advisory services, best practices, research, support and training across the procurement function. This would include developing a company-wide strategy, risk methodology, operating models, policies and procedures.
- Third-party risk identification, assessment, management and control. This would include Procurement partnering with business units to execute TPRM risk assessments and developing a risk register to identify and manage third-party risk across the company. Procurement would also need to provide a centralised view of third-party controls, identify the control owners and map the controls to any applicable regulatory requirements and legal frameworks.
CASME thanks its facilitators and analysts for contributing their expert procurement insights to this risk management series.