In an earlier post, we reflected on how COVID-19 might reinforce the evolution of third-party risk management (TPRM) practices from a compliance exercise to a strategic business imperative. Our concept of “business as usual” is changing, and our understanding of risk must evolve with it. We frequently see TPRM programs focus heavily on information risk, but fail to fully consider financial, reputational, and operational risks that diminish your organization’s ability to build a strong and resilient network of vendors. As operational leaders take a greater interest in mitigating risk and building resilience, third-party risk managers must reassess whether TPRM programs are tailored for your unique practices and support collaboration and efficiency. To do this, a thorough understanding of broader business requirements will be needed to consolidate siloed practices into a shared services model. Below are two methods that Myna thinks you can consider to begin thinking beyond compliance and identifying other risks that could impede the achievement of your unique business objectives.
Understand and Assess Your Operating Model
Out-of-the-box risk assessments will no longer be sufficient without careful consideration and adjustment. An understanding of your operating model is critical for effective risk management and must be demonstrated by the controls you assess at your third parties and how you prioritize identified risks. Risk managers should have a deep understanding of how the business operates and how it relies on third parties to achieve objectives. It is not hard to understand how the risk prioritization of a pharmaceutical manufacturer would differ from a bank. Both face regulatory compliance challenges, but there are vast differences in regulations and how third parties are required to support compliance. A pharma company must manage a highly specialized supply chain in order to bring products to market, with many intermediary touch points along the way while a bank may lack a complex supply chain, but availability of services may be a higher priority. Data security is paramount for both, but a catchall solution may not protect against the different threat actors that each face. As a result, the way risk managers scope the third-party services and the controls they assess at the two organizations should look vastly different.
Simple illustrations can be a powerful tool in understanding the complex structure your organization uses, and where third parties support different business units. There are several other sources of information that you can draw from to better understand how your enterprise operates and prioritizes risk, including BCP/DR plans, public filings, enterprise risk management (ERM) exercises, etc. This exercise should not happen in a vacuum but should prepare the TPRM team find the right collaborators.
Identify and Engage Diverse Risk Management Stakeholders
In order to provide operational teams with useful risk insights, TPRM practitioners must understand their requirements. The creation of a TPRM program should be a collaborative effort between the TPRM practitioners and the stakeholders that require risk insights. TPRM teams should understand the information that is critical for business users so that the results of both your scoping and risk assessments becomes a single point of reference for risk-based decision making. Requirements gathering may help you better understand how to design your scoping activities, and detailed controls assessment. The types of information demanded will vary greatly, but could include:
- Are there particular security considerations that should be prioritized: strict confidentiality vs. high availability, etc.?
- Should vendor scoping efforts seek to understand how a supplier fits into our ecosystem of third parties and impacts supply chain resilience?
- What information can be gathered for financial due diligence during the initial vendor scoping efforts?
- Are there specific priorities beyond regulatory and information risk that support our mission, for example, environmental ethics, zero tolerance for conflict minerals, and anti-bribery?
These objectives and risk priorities will help define the key risk indicators (KRIs) that TPRM programs will assess and monitor on an ongoing basis. This also creates an opportunity for dialogue between TPRM professionals and operational leaders during which strategies can be developed for how risks can be monitored or mitigated going forward. Optimized TPRM programs will not replace the need for diverse stakeholder involvement, but by understanding how those stakeholders can lean on the TPRM team for insights and information, organizations can streamline their decision-making processes.
Conclusion
Data risks will continue to be a top priority for all organizations, especially those that are supported by a network of third-party service providers. However, many organizations have disparate and inconsistent activities to assess other financial, reputational, compliance, and operational risks which does not support a holistic view of risk. TPRM practitioners are uniquely positioned to consolidate siloed risk management activities into a shared service model that drives operational efficiency. Doing so will require a thorough understanding of your operating model and demands collaboration among impacted stakeholders. By incorporating broader concepts under the umbrella of TPRM, organizations can begin to rely on a single source of truth for assessing and understanding changes in risk.
Are you looking for assistance building, managing, or optimizing your TPRM program? Let’s talk!