Third-party risk management (TPRM) involves the systematic identification, assessment and control of risks stemming from interactions with external parties. It continues to be a key challenge and top priority for Procurement, and the sharing of TPRM insights remains a focus for CASME members during interactive events. 

Recent benchmarking within the CASME community has revealed the highest priority risk factors in their risk management programmes as being cyber security vulnerabilities and data security breaches.  These risks are likely to be given higher importance than traditional factors such as bribery and corruption, non-compliance, supply chain disruption, and the financial status of critical and high-spend suppliers. 

 

Which risk factors are currently being given highest priority in your risk management programmes?

 

To mitigate these risks effectively, organisations must implement comprehensive TPRM programmes. 

The overarching objectives of TPRM are to ensure that third parties: 

• Comply with relevant regulations 
• Uphold ethical standards 
• Safeguard confidential information 
• Strengthen supply chain security 
• Maintain a safe working environment 
• Manage disruptions effectively 
• Deliver high performance and quality levels 
• Secure business continuity 
• Protect the reputation of the business 
• Build and maintain trust with stakeholders. 

 

Which three features are critical for a successful third-party risk management (TPRM) programme?  

 

Examples of Third-Party Risks 

Several risks are associated with third-party relationships; including the following, which may overlap: 

• Cybersecurity risk: Compromised third parties can lead to cyberattacks, resulting in data exposure or loss. Risk can be mitigated by performing due diligence before onboarding and by continuously monitoring the supplier lifecycle
• Operational risks: Third parties may disrupt business operations, necessitating measures such as service level agreements (SLAs) and back-up supply arrangements.
• Compliance risks: Third parties can impact an organisation's compliance with regulations, agreements, or legislation, such as GDPR.
• Reputational risks: Third parties may introduce risks that negatively impact public opinion. Poor controls in third parties can damage an organisation's reputation.
• Financial risks: Third parties can negatively affect an organisation's financial success; for instance, reduced sales from poor supply chain management.
• Strategic risks: Third-party risks may hinder organizations from meeting their business objectives.

 

What Does an Effective Third-Party Risk Management Programme Encompass? 

The organisational approach to TPRM is also highlighted by David Natoff, a CASME analyst and former head of the Procure-to-Pay team at Google, in the recent article ‘Challenges and Priorities for Procurement in 2024’. He expands on the issues faced by Procurement and outlines various TPRM strategies being used by practitioners to address the challenges. 

Current TPRM issues include: 

• Absence of a centralised model (a single business unit with TPRM accountability or ownership), resulting in distributed ownership across departments; such as IT with cyber security/data protection, Human Resources with workforce management, Legal with contract management, etc. A decentralised approach can lead to unclear roles and responsibilities, inconsistent policies/governance and often prolonged contract management cycles 
• A significant increase of ‘as-a-service’ contracts across many categories, including HR, Facilities, Professional Services and Marketing, requiring non-IT category managers having to negotiate complex software contracts involving aspects such as data protection, cyber security and an unfamiliar level of indemnity 
• Difficulty in identifying all potential risk scenarios, determining the most likely disabling circumstances and events to cause the most costly interruptions to the organisation’s supply chain. External threats include geopolitical risks, financial market risks and natural disasters 
• Lack of a robust TPRM strategy which covers all aspects such as planning, strategic sourcing, due diligence, supplier selection, contract negotiations and monitoring. 

Strategies that Procurement is using to better manage third-party risks include: 

• Taking on a coordinating role, establishing cross-functional points of contact and an operating policy for responding to internal and external requirements to ensure business continuity 
• Providing leadership and advisory services into the other business units with TPRM responsibility. This includes implementing a company-wide TPRM strategy, by developing risk methodology, operating models, global contracts policies and procedures. Establishing financial policies and specific terms and conditions (T&Cs), and focusing on sensitive issues such as intellectual property (IP) and data privacy requirements 
• Ownership of TPRM identification, assessment, management and control, partnering with Legal and the business units to undertake supplier risk assessments and developing a risk register to identify and manage risk across the company with a focus on personally identifiable information (PII) and/or data privacy 
• Implementing risk tiering by categorising suppliers based on their risk levels and prioritising risk management efforts accordingly 
• Mandating the use of contractual agreements for high-risk items that involve compliance, data security, or business continuity risks 
• Investing in new technology particularly in the areas of contract management, supplier management and environmental and social governance (ESG).  

 

TPRM Best Practices 

A robust TPRM programme should align with an organisation’s overall risk management strategy and create an essential inventory of third-party relationships. For Procurement, a TPRM programme should include the following components: 

• Supplier evaluation: Assessing the risks posed by third-party suppliers before onboarding them and determining the level of due diligence required. 
• Supplier engagement: Obtaining additional information on a supplier's internal security measures if their external security meets the organisation's minimum requirements. 
• Risk remediation: Addressing issues identified during the assessment process, either by the supplier or through remediation tools. 
• Decision-making: Deciding whether to approve or reject a supplier based on their risk appetite, risk remediation efforts, and the buying organisation's risk tolerance. 
• Continuous monitoring: Continuously monitoring third-party suppliers' risk appetite to promptly detect and address any changes or vulnerabilities. 

Taking this further, a fourth-party risk management programme should encompass functions such as conducting supplier audits, facilitating evaluations of third-party suppliers by their own suppliers, and implementing development improvement plans as needed. 

 

In conclusion 

Effective TPRM is crucial for businesses to mitigate the risks associated with external relationships. Procurement professionals who effectively manage third-party risks while enhancing their partnerships are on the right path to safeguarding their organisation’s operations, reputation, and sensitive information.