In the previous blog post, we discussed the different drivers and the organisational impact of third-party collaborations, as both the number of third parties and the level of dependence on them have grown.
In this new blog post, we will further discuss this topic and, specifically, how COVID-19 made it clear to most organisations that it is important to start prioritising third-party risk management (TPRM).
The structure of this blog post is as follows, feel free to jump right into one of these sections:
What went wrong
How to improve your TPRM efforts
COVID-19 is an external factor that has hit our society unexpectedly hard. Although some authorities had warned us years in advance, most organisations were nonetheless unprepared to manage a disruptive event of this scale. The impact it currently has on our global economy ranges from shortages of supplies and logistical issues to a sudden drop in revenue. Although we are still in the middle of the storm, we already know that, alongside the global health crisis, the economic damage will be massive, with many bankruptcies, employee layoffs and debts. I do not want to focus too much on this negative side; other news outlets cover that side of the crisis better. Let's focus on what went wrong from a TPRM perspective and how we can learn from it.
What went wrong
This header sounds pessimistic, but based on the latest research by McKinsey, KPMG, PwC, EY and Deloitte, we have the following observations:
According to Deloitte:
Only 50% of the organisations had a basic understanding of the nature and criticality of third-party relationships.
43% had a good understanding of the related contractual terms.
To adequately perform core risk & compliance activities during a crisis like COVID-19, you need to know your involvement with, and dependence on, your third parties. This also means that you should be able to analyse contextual information, such as their geographical presence, efficiently. We have seen this from a semi-finished-product perspective, where organisations relied on Chinese suppliers that were unable to produce due to a strict lockdown. We have also seen it from a more political angle, where Trump used the Defense Production Act to compel companies to manufacture items in short supply exclusively for the USA.
Most organisations still approach third-party risk management from several separate disciplines and angles, with each discipline using its own approach and technology and maintaining its own local risk register.
This fragmented approach makes it almost impossible for organisations to cope with a rare and complex risk like COVID-19.
Most organisations are primarily focussing on ensuring regulatory compliance within the domain of third-party risk, with GDPR as the dominant driver. In contrast, most organisations neglected risks such as business resilience and continuity. The right risk resilience strategies could have reduced the potential impact and recovery time in a crisis like COVID-19.
The trend of organisations leveraging more third parties in their daily operations applies to your third parties as well. Almost all organisations have some sort of dependence on subcontractors. Most organisations are unaware of this level of involvement and do not even know on which parties their business operations indirectly rely. During the COVID-19 crisis, we have seen examples where organisations found out the hard way that they were unknowingly depending on a subcontractor that was not able to deliver.
Only 28% of the respondents of the Deloitte survey were satisfied with their current technology solutions. Most organisations are still working with spreadsheets or other low-tech risk tooling, with which they are unable to:
Maintain a central overview of all their third parties, agreements and the different applicable compliance requirements.
Use management dashboards that provide real-time intelligence and visualise risk data.
Make informed business decisions about their third parties.
During the COVID-19 crisis, we have seen that most organisations still lack a mature third-party risk management approach. Risk & compliance teams are still too internally focussed, which, as described in my previous post, is also easier, since they can directly identify and manage evolving risks.
How to improve your TPRM efforts
But never waste a good crisis, so let's use COVID-19 to improve your TPRM efforts. This remote working period is also a perfect moment to start; you now have the time to think things through and (hopefully) experience fewer daily distractions. Besides, third-party risk was rarely on your CEO's radar; now, according to McKinsey, it is at the top of their agenda. So it is also a perfect moment to have it prioritised internally.
To provide you with a high-level approach on how to start:
In the vast majority of organisations, it is unclear who the actual owner of the TPRM capability is. It is often somewhere between procurement, risk management, privacy and security. It's perfectly fine to approach it from a multi-disciplinary or distributed angle, but someone needs to carry overall end responsibility for this capability. My first advice is to assign the TPRM responsibility to a business leader who has an overarching view and responsibility. This leader can bring alignment and integration between the different risk & compliance disciplines.
When you have assigned ownership, the second advice is to start working on an accurate overview of your third parties and the agreements that you have with them.
To perform core risk & compliance activities within your business ecosystem, it is essential to work with a complete and accurate data set.
Given the number of third parties, and in order to mitigate the highest risks and non-compliance deficiencies first, it is advisable to segment your third parties and contracts. Start simple with 3-4 classification levels (low, medium, high, critical) and define upfront some high-level criteria per level that apply to your organisation.
The next step is to segment the different agreements that you have with your third parties. You can do this by combining internal knowledge, standardised third-party questionnaires and external sources (e.g. Refinitiv WorldCheck, BitSight).
Take a hands-on and pragmatic approach towards your most critical third parties. Discuss their current situation, important subcontractor dependencies and the risks that you see. Based on these conversations, you can immediately start with risk mitigation (e.g. shorten payment terms, explore in- or nearshoring, or replace them, not forgetting to follow a proper exit strategy) and monitoring strategies.
A decent TPRM solution is to a risk professional what a hammer is to a carpenter; you need the right tools to perform your work accurately and smarter. Invest in an advanced TPRM technology solution that can:
Help you automate low-level activities.
Maintain one centralised single source of truth (at least with all your third parties, contracts, assigned risk profiles, compliance requirements, incidents, risks and assessments).
Provide you with the right insights at the right time to make better-informed business decisions.
You can already do this early on in the process, as it will speed up the previous steps.
We are currently experiencing a negative sentiment, as most of us felt overwhelmed and powerless due to the COVID-19 crisis. But let's use it as a lesson learned and a new starting point. We all know that this will not be the last pandemic, global crisis or complex risk to hit us, so let's prepare ourselves. We need to recover, so let's recover in an improved state.
I do not know your profile, but:
As a business owner or executive member: initiate TPRM to showcase your recovery and future robustness to your internal & external stakeholders.
As a manager: increase operational resilience by taking internal ownership and allocating resources.
As a second-line professional: start using this capability to improve your posture and control environment.
As a procurement professional: involve more teams in managing your third-party relationships.
Feel free to reach out to me if you have any questions or comments, or if you want to discuss this subject further. You can e-mail me at Bram@3rdRisk.com, and we can easily set up a Teams or Zoom call.
In the upcoming weeks, we will start a new series of blog posts that will cover the different steps of a successful TPRM implementation in more depth. Follow our LinkedIn page to stay up to date with our latest content and platform updates.