In prior articles we’ve explored why third-party risk management (TPRM) is an essential part of comprehensive risk management, and what steps need to be taken to assemble and execute an effective TPRM process. In this article, we’ll explore approaches to make those steps scalable and efficient without sacrificing quality, all while managing overall associated costs. At the onset let’s be clear, to do this we need to explore the application of automation to the basic operating requirements of a TPRM program. Along the way, we’ll see where features of embedded functionality and seamless integration provide real value. As stated before, the basic steps to manage third party risk, at a minimum need to address:
- Proposing a Vendor
- Comparing Profile Data
- Data Review
- Risk Determination
- Action/Remedial Item Management
- Cycle Management and Sustaining Currency
One of the perceived large hurdles for vendor management in general is the anticipation of time-consuming bureaucracy in the face of widely disparate resources and the ability to participate in vendor vetting procedures. Many vendors simply balk at manually burdensome practices, and many potential partners shy away from seeking useful relationships that might encumber them with oversight, or do too little and pray unforeseen risks do not yield damaging exposures. This issue surfaces right at the onset of any vendor onboarding process when a new vendor is proposed.
Proposing A Vendor
Proposing or identifying a new vendor candidate is a basic data gathering process. The preliminary data is quite basic, including what need is being satisfied, why it’s important, the level of service capability, and more. Some specific corporate procurement policies may specify other requirements around or beyond the needs defined by a requesting area. These may include information on the vendor’s financial stability, security provisions, performance capabilities or more. Additionally, there will be some preliminary categorizations of the vendor regarding service criticality, extent of required access to company data, and whether they are to be a primary or backup supplier, to name a few. This establishes a basic profile of the vendor.
There are some real opportunities here for software to perform several tasks for the user. First, any information required by internal policy can be required upon initial entry. This prevents unusable fragments of data clogging any system. Also, if the vendor has already served another area, they may be searched for and discovered, simplifying the process, preventing duplicate data requests, and avoiding duplicate entries. If the system has some embedded functionality, such as reaching into a research database like D&B for basic financial data, those details would automatically populate needed fields, gathering and presenting vetted financial information without additional effort by procurement, risk management staff, or by anyone from the vendor. This is important for several reasons. First, it reduces work needed to acquire this information. Second, it eliminates manual data entry, reducing opportunity for error. Third, it can automatically refresh upon initiation of annual review. Fourth, automation is readily scalable without increasing labor costs.
Comparing Profile Data
Once this basic setup is complete, the data gathering specified by the vendor’s profile can be completed. Here, a TPRM system can match the details noted in the profile to documents and other evidence automatically, build an evidence list and deliver it to the vendor for fulfillment. This kind of automation allows policy consistency to be fostered without exhaustive oversight. It supports timely advance through a process that can lead to compressed and more efficient review cycles. This requirements to evidence mapping is straightforward to establish upon implementation, and doesn’t require sophisticated artificial intelligence programming to achieve. It can also be supplemented, in exceptional cases, with follow-up requests.
Automation at this point can also track evidence submission. This automated “housekeeping” is otherwise a time consuming and error prone process that chews up important and expensive process management resources. TPRM solutions alleviate that, making evidence tracking, reminder requests, and completion notifications routine and easy to review. Seeing the state of a vendor “in process” becomes simple to track and simple to represent. When there are multiple vendors under review at any time, this enables a manager to identify congestion in one step, as well as its root cause so appropriate actions can be taken to move reviews along.
So, now you have a vendor, a profile, and it’s time to review requested evidence submissions. Of course, this presumes you’ve received everything requested. If not, here’s another opportunity for automation to reduce the housekeeping chores associated with follow-up. Integration with your email system is an important asset. When the profile is established the documents required and any associated questionnaires can be identified and automatically prepare emails directed to the vendor. Upon receipt, they can automatically check off so any review of outstanding is current and free of incidental human error. Follow-up emails to collected outstanding materials may similarly be automatically generated. Once received, the data review process may seem more like a mail sorting and distribution task than not. There are several steps. First, getting the right documents to the right subject matter experts (SME’s), then gathering those reviews, distributing any additional information requests, and finally, managing workload distributions across your pool of designated SME’s to account for demand, availability, timeliness, etc. It’s a lot to keep track of for a few vendors, and if you have many the process scales quickly to a considerable task, one requiring a lot of attention to detail and meticulous tracking.
Attention to detail can be expensive to scale, unless you have automation tools to help. TPRM software offers a number of features that reduce the labor burdens of this step, support efficiency, and enable economic scaling. Receipt, logging, dating, and aging of outstanding documentation is all automated. Further, follow-up reminder emails can be set to generate automatically. Viewing the review queues of SME’s can be displayed, along with highlights of those items beyond a set standard for turnaround. In some cases, automated escalations to secondary SME reviewers can relieve bottlenecks in the process and assure timely review completion. And all of this can be set to happen through pre-determined workflows without active attention by managers. Reports can easily be pulled to help explain the status of the program to executives without lengthy effort. Queries by in-process vendors on their review status are easily answered with accuracy and specificity.
Evaluation of all that’s been gathered is a human process requiring knowledge and judgement. Recording, scoring and assigning meaningful risk ratings and values are areas where automation contributes standardization, consistency, and speed. This process step incorporates occasions where additional, clarifying details are required. Again, the tracking of those against receipt may be an automated activity. Aggregation of the findings of multiple SME’s into a comprehensive risk assessment is best done through an automated tool incorporating uniform standards, language, and methods of scoring. Automated aggregation also affords easy tracking of outlying assessment input by any one or more SME’s.
Once completed, risk assessments can be posted and shared back to vendors, requesting areas, and further incorporated into a company’s comprehensive risk management processes. This is an important consideration. Risk programs that operate in functional silos; operational risk, IT risk, financial risk, etc., often fail to realize and address the interactions fostered by risk in one area upon others. As a result, threats may go undetected, or may be mis-categorized as weak when their impact may be far larger in scope and effect. Integration, through the automated use of standardized risk data across the enterprise, is a great advantage to effective risk management that’s particularly well supported through risk management software, like offerings for TPRM. An output of this process is the determination of particularly troublesome areas requiring some remediation. Determination of what outcomes are needed happens here, and creates the input to our next step, remediation project tracking.
Action/Remedial Item Management
This is not full blow project management, but a state/status snapshot. Leave detailed project management functionality for its own software and discipline (but an integrated feed to a TPRM solution is nice if offered). This process focuses on status and responsibility tracking. The details of a remediation project, such as resource allocation, staffing, development tasks, and such are left to responsible project managers and their own devices. Here you want to know what risk is being addressed, what outcome is to be achieved by the project, if it’s on time, when it’s completed, and who it’s key contacts are if there are questions. If more data is available, it may be useful, but these are the essentials. Tracking which remediations against critical risks, critical vendors, or both becomes straightforward without tedious manual effort. Having an automated process for this again supports standardized input with room for commentary detail, and affords aggregation to a complete vendor risk status “scorecard” summary. And summating all these allows a view of the overall risk status across the entire corporate portfolio of third parties.
Cycle Management and Sustaining Currency, (aka Assess, Complete, Repeat)
All we’ve discussed to this point is about getting through a single cycle of TPRM. We leveraged embedded functionality and seamless integration characteristics of risk management software designed to provide automation to simplify and speed process steps and assure high data fidelity and quality. We’ve seen how reporting can be generated to simplify status communication around a vendor, a program process, or the state of vendor risk management. This reporting may also be used to support compliance obligations in reviews or audits by regulators. And it’s helped standardized risk data to support integration with other risk areas to enable a more comprehensive understanding of risk footprint, remediation, and residual management across the enterprise… once. But programs and businesses are ongoing. Risk management needs to operate in a continuous cycle whose starting points and review frequencies may be different for each vendor. You may have only a few third parties to track, or you may have hundreds, or more. Automation is clearly critical in all but the most modest of circumstances. It’s like keeping hundreds of calendars in sync at once, each with its own schedule and expectations.
In addition to managing review cycles, there’s a need to manage the currency of evidence. Some reports, financial information feeds, and other data may grow “stale” in a year, while others would be subject to shorter refresh cycles. Keeping track of those “calendars’ within the context of vendor review calendars is an example of attention to detail best afforded through automation, that can identify close expirations and generate requests for updates. You would not want to approach that manually unless you had substantial resources to apply; expensive resources to manage all these details. That doesn’t scale and often leads to expenses out of line with capabilities. And manual processes, no matter how well intended, are very dependent upon knowledgeable staff dedicated to process support. For small scale needs this may suffice. But as cycle follows cycle, and vendor portfolios grow with businesses, manual process management can become a drain upon important resources whose primary roles apply expertise to serving customers, clients, and enabling business growth.
Manual management of TPRM might seem like a good place to start. Small distributed teams doing bits of additional work may conceal their burdens and deliver useful results. Over time, as these teams grow in size and demand service, they can be subject to operating efficiency and timeliness decay. They are also fairly expensive, since they rely upon knowledgeable staff with primary duties in other areas. They are hard to scale with growth. The choices then are either to dilute your TPRM risk program, a dicey choice in today’s environment, or automate to manage the resources and expenses associated with thorough vendor risk management. Automation, through software designed and dedicated to addressing the most important aspects of TPRM, is a strategic as well as a tactical advantage for all firms relying upon the collaboration and support of suppliers, partners and vendors of all manner today. Its implementation offers cost effectiveness and enhanced data integrity while supporting easy scalability as demand increases.
TPRM software solutions offer greater opportunity to integrate their data with other risk data sources to enrich comprehensive risk management data pools, compliance obligations, and reporting. It is an essential component to professional, complete, enterprise risk management for today’s successful businesses.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.