Managing third party risk is a primary component of any comprehensive risk management program. Without it, you ignore important external processes, resources, commitments and opportunities that may have specific, critical impacts upon your operating performance, regulatory and legal compliance, and brand reputation. In past discussions, we’ve explored what functions need to be performed to effectively manage third party risk, and why these are important. Those were summarized as:
- Evaluate vendors based on a set of defined criteria
- Determine and gather information needed to assess performance
- Manage subject matter expert review and scoring results
- Deliver actionable information in reports and dashboards
- Govern the first four to assure response to change and continuity year over year
In this article, we’ll look at some specifics about the “how” associated with these steps to offer some practical advice on shaping the processes necessary to deliver an effective and efficient TPRM program.
Let’s start with a list of these steps, then walk through them to explore each in some detail.
Propose A Vendor
While every firm’s process will vary a bit, depending upon the extent to which vendor selection is centralized or decentralized to operating units, the basics will remain the same. Someone with a need for an external resource, material or service will identify candidates. They will identify what is needed, why, a level of service capability, and more. These candidates may be located anywhere geographically, according to the specific requirements set by the requestor. There may be some specific corporate procurement policies that specify other requirements around or beyond the needs defined by a requesting area. These may include considerations for financial stability, security provisions, performance capabilities or more. Beginning the relationship will require identification of primary contact means and persons in both organizations. This will be essential to managing the forthcoming exchanges of information. There will also be some early categorizations of the vendor regarding how critical their service might be, how much access to company data might be needed, and whether they are to be a primary or backup supplier, to name a few. This establishes a basic profile of the vendor.
Compare Profile Data
Gathering the preliminary data about the proposed vendor is the beginning of the due diligence process. The information gathered will often include financial performance and creditworthiness data, perhaps some information on security practices, operations, resilience, data requirements or other information relevant to establishing a supplier relationship. Vetting this information can be a challenge to perform manually, particularly if your vendor population is significant and the work is left to the resources within the procurement functions alone. One of the frequent complaints about TPRM is that it can become labor and resource intensive. One solution is to engage online, automated services to perform as much of the rote aspect of these processes as is feasible. In this case, validation of credit and other financial information might be done by a service, such as Dun & Bradstreet, and the results matched to submissions by a prospective supplier. If you are using an automated tool, this may integrate seamlessly with this part of the workflow. Knowing this will be done also helps promote vendor accuracy in their initial information submissions. It helps to set the tone for the level of diligence expected in the vendor review and proposal process, leading to the establishment of a relationship between firms.
A nominated third party supplier has completed a basic profile and submitted it to your company’s designated contact for third party management for review. Now someone assigned the responsibility to evaluate risk needs to review the completed profile and determine what documents, details, and other evidence are needed to complete the risk assessment. Normally this may be a fairly routine task that can be automated based upon specific criteria. For example, if a vendor will need access to your company’s network, then theirs can become an extension of yours. Your normal security practices and regulatory compliance needs might make requesting a SOC 2 document appropriate in addition to the results of a recent risk assessment. You may want a copy of the vendor’s security policy. Subject matter experts (SMEs) from the areas that would evaluate submitted evidence can guide the creation of the document list and map each profile response to the specific evidence components it requires. This evidence request list then passes to the vendor who, in reply, forwards the requested evidence back to third party risk managers for review.
There are two parts to this process. The first tracks, manages, and reports the status of requested evidence. The second manages the distribution, evaluation, and results of its review by SMEs. The documents and other evidence a vendor submits may be distributed across any number of SMEs. The first phase manages who has been asked for what, when the request was made, to whom, when it’s due, and what’s been received. It may seem basic, but without some automation, it’s a process that does not scale without expanding the labor resources needed to execute it effectively. Once evidence is received, the next task is tracking who needs to review what, who has what, who is waiting for what, when each of these events is scheduled, what has happened, and what remains to happen. “Automating” this phase using a spreadsheet offers only a small gain.
Then there is the matter of requests for more or better documentation where the response has been incomplete or contained insufficient detail. That adds a whole additional layer to the tracking process. This second phase also includes being able to report to management which vendors have completed submissions, which are late, incomplete, or awaiting review, and the status of that review. There’s also the matter of staying aware of SMEs with excessive backlog or who have missed review targets and are holding up acceptance of critical or otherwise important vendors. Finally, there is identifying the risk level associated with the evidence reviews in the context of the requirements noted in the vendor profile and your own risk management policies and practices. Quality TPRM software modules will offer embedded functionality to address all these process features, through straightforward user interfaces that support rapid learning.
Managing Action Items
There will be times when the approval of a vendor will be conditional upon completing some specific remedial action to address a noted weakness in some risk related area. It’s important to track specific timelines and expectations of the remediation to be performed, the current status of the project, targeted completion dates, evidence of remediation effectiveness, and responsible parties to contact for any additional details when required. Tracking these activities assures completeness in the TPRM process. Conditional vendors are often granted specific timeframes to complete remediation or they lose contracts. Operating managers, dependent upon these suppliers, need warning that needed remediation may miss targets and alternatives may need to be engaged.
Managing third party risk is a cyclical process. Most vendors, partners, and suppliers will fall into an annual review schedule. Some that are more critical, or evaluated to represent a greater risk profile, may require more frequent scrutiny. Each will have negotiated its review cycle as part of its contractual agreement with your firm. In some cases, there may be extended regulatory and compliance matters that will specify timing or other requirements. And, of course, each of these external resources will have initiated service on a unique start date, translating into its own timing for its cyclical review, regardless of its frequency. Keeping track of which parties are due to begin their review process and where each is along its process timeline, and balancing the evidence review loads placed upon SMEs while tracking any required remedial projects or activities, rapidly becomes a complex undertaking if it’s all done manually. Having automated support to help organize, maintain visibility into all the moving parts, and actively manage all of the actions cited in this article is critical to achieving effective risk management.
Automation Promotes Efficiency And Economy
As you can see, if your TPRM program encompasses more than a small handful of third parties, it will rapidly scale beyond the capacity of a single person. One of the frequent concerns and complaints about implementing a comprehensive program is its inclination to consume expensive, valuable resources. This is why many firms look to automation of these processes. Automation enables a flexible program that’s neither resource intensive nor sensitive to expansion. Key features of quality TPRM programs, often found as stand-alone modules or integrated parts of GRC platforms, include:
- Guided, automated workflows throughout the risk management process
- Assessment-directed identification and collection of necessary documents
- Integration with supporting third party data sources to assist risk scoring
- Managed reviews by appropriate Subject Matter Experts
- Auto-generated action items to manage necessary improvements
- Rich report and dashboard options for clear communications with executives and staff
- An authoritative database to consolidate and archive evidence supporting risk management, compliance and regulatory obligations
- Clear aging and status tracking on existing or requested TP documentation
- Opportunity to integrate TPRM with IT security and risk management
The advantages of automation for TPRM are clear. The quality solutions available are also scalable in feature and scope to address the immediate needs of smaller firms, offering expandability into richer feature sets as the need develops without wasteful “throw away” implementation, training, and expense. TPRM is an important component of a comprehensive enterprise risk management program. It impacts IT security, operating risk, reputation, and can help prevent revenue and reputation losses that weak vendor and partner oversight might allow. It is no longer a luxury of large firms but an imperative for everyone working in collaboration with outside services to deliver client and customer value in today’s ever-changing economy.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.