In the past few years, we have seen organisations increasingly collaborate with third parties. There are different business drivers for this; to name a few:
Specialised knowledge and expertise
Business agility and scalability
Those drivers caused the following significant changes:
Over the last decade we have seen continuous and enormous growth in the number of third parties. Where an average organisation used to work with a couple of hundred third parties, most publicly listed companies now work with thousands of different third parties.
The result is that an organisation has more interconnections with and dependencies on external parties than ever before. This makes it more complicated for internal risk & compliance teams to be in control.
Organisations have long relied on third parties for speciality services, operational efficiency, competitive advantage and cost savings.
In the last few years, a significant shift has taken place: third parties are becoming more and more responsible for executing core activities that are critical to the operations, business models and value propositions of organisations.
The result is that an incident at one of these third parties now exposes the organisation far more significantly than it used to.
Meanwhile:
The average organisation has many risk & compliance professionals whose primary focus is the internal organisation, with a strong emphasis on activities that reduce risk directly, e.g. vulnerability scans, pen tests, security awareness and compliance assessments. These are all activities where a risk team can directly identify and measure the risk and act on the remediation. With third-party risk, it is an entirely different ball game, as organisations have to rely on third parties for most of the identification and remediation.
Current processes and technology to manage third-party risks and compliance are often ad hoc, stand-alone, labour-intensive and primarily driven by spreadsheets or isolated Governance, Risk & Compliance (GRC) solutions. The GRC trend was an excellent maturity step for managing an internal risk & control landscape, and it was beneficial for most risk & compliance teams. Nonetheless, when we look at the current situation, where some organisations spend up to 80% of their operational costs on third parties, the practical question is whether a stand-alone point solution is the answer for such a scattered control environment.
Most risk teams start implementing a GRC solution when they have about a dozen or more risk professionals. One reason is the yearly cost, but mostly it is that a GRC suite is too complex for smaller risk teams and organisations to work with.
We should also look at the financial costs of the currently available technology. According to Blue Hill Research, the average price of a GRC implementation is roughly $458,000, and yearly licence fees can add up to $160,000 and more per year. Over three years, that is $480,000 in licence fees and about $458,000 in implementation.
These costs are not particularly acceptable for the smaller organisations in an ecosystem, which work with the most modest margins in their core business.
Internal risk & compliance teams should shift their focus from solely the internal organisation to the extended enterprise. Third-party risk management should be part of the operating model, whereby different risk professionals are hired or current staff is trained, as managing a third-party lifecycle requires a different kind of capability.
Also, risk teams are currently differentiated by expertise or domain: a privacy team with a strong focus on privacy risks, a cyber team dealing with cyber risks. But in the area of third-party risk, there is not always a clear distinction between the different types of threats, especially since they can evolve into a different kind. E.g. a small cyber incident in the supply chain can lead to a continuity risk, which can eventually end up as a significant financial and reputational exposure. Especially within supply chains, risk teams should work with a more integrated approach, collaborate or, even better, break down silos and work as one integrated risk & compliance team.
There is a lack of standardisation within ecosystems. Everyone is currently using their own spreadsheets and custom questionnaire templates and has their own unique way of assessing. To streamline activities, we must standardise our approaches and techniques and start creating best practices.
The number of existing market solutions is staggering, but these are primarily driven by a technology stack and are not fit for current organisations:
The average organisation is nowadays a distributed environment that works with and depends on multiple third parties to deliver its market propositions.
In contrast, the most dominant market players are promoting a stand-alone (on-premise) GRC solution, or they are pushing a vendor risk management (VRM) SaaS solution to create your own advanced survey tool. Imagine that most of your third parties drop their error-prone spreadsheets and each select their own stand-alone GRC solution or one of the dozens of VRM SaaS solutions. Although they can look fancy and are backed by major VCs, they are simply not providing a future-proof solution. The primary and sole reason is that they are driven by technology but do not fully understand where we are heading.
In addition, their autonomous approach and foundational technology decisions will never enable them to create a solution that is fit for the new purpose. Creating a CRM or ITSM platform is something completely different from creating a risk & compliance solution.
As we did not find a player in the market with this understanding and strategy, while we do see an increasing market need, we decided to take up the gauntlet and started to build 3rdRisk.com.
To create this solution, we first defined the following core principles to make it fit for purpose:
To effectively manage supply chain risks and compliance requirements in an ecosystem, all the different parties should have access to the same technology stack and content and work with the latest available information. This is the only way for all parties to actually be in control.
Collaboration is the primary answer to staying on top of the different risk and compliance requirements in an ecosystem. Both third parties and internal risk disciplines should (eventually; you do not need to do this on day 1) break down the walls and start working together to stay on top of these.
Tailor the technology stack to the needs and requirements that are driven by content and expertise, not the other way around.
Supply chains are complex global structures with a massive societal impact. That is why our clients and we should be able to work with universities, Big Four firms, NGOs and other stakeholders to improve the current content and technology and make the biggest impact.
As we want to support organisations of all sizes all over the world, and not everyone has access to implementation consultants, the platform must ship with best-practice blueprints and an implementation that is intuitive and self-explanatory.
Within our pricing portfolio, we offer Community-tier and Ecosystem packages. The Community tier is available to everyone and allows you to use our platform at no further cost.
The Ecosystem package is an extended Community-tier licence that a large corporation can hand out to its smaller third parties so they can use our platform at no cost.
These packages include ALL platform functionalities and content, such as questionnaire templates, requirements and configuration blueprints, that also come with the premium packages.
We will provide all organisations on this planet with the same technology and content, whether you have an HQ in the business district or run a small fish operation in Turkey that works for a major global corporation.
To accommodate the Community-tier and Ecosystem package approach from a cost perspective, we provide commercial packages specifically designed for the corporates at the top of the business ecosystems. We offer them the option to roll out our technology throughout their complete supply chain. We ask them a premium fee (which is, by the way, far cheaper than an average GRC licence) while we provide them with the unique feature of standardising their risk & compliance approaches throughout their supply chain and enabling collaboration on a global scale. From a risk perspective, this is the only effective way to manage risks, as you identify an evolving threat early and give everyone the tools to manage and remediate it adequately. From a compliance perspective, you are now finally able to implement integrated reporting throughout your complete ecosystem.
Our platform is designed in such a way that all the different internal risk disciplines, from sustainability to privacy or continuity, can (eventually) work together in the same platform. They can integrate different assessment templates, message each other and use one integrated single source of truth for all their third parties, risks and incidents. So no more stand-alone solutions, different approaches and distributed (spreadsheet) risk registers.
Organisations can use our platform as a stand-alone risk instance, but they also have the option to connect and collaborate with third parties on our platform. They can exchange questionnaires and compliance requirements and showcase their profile.
Our platform is designed and built from the ground up, based on professional Big Four and hands-on third-party risk experience. We are not an ITSM provider leveraging its underlying architecture to create a risk solution, and you do not have to wait for generic platform architecture updates to accommodate your new reporting needs.
Since day one, we have also had Feedback.3rdRisk.com, where we enable clients to provide feedback and feature suggestions. We have just released the first version of our platform, but we are also currently adding our initial ideas, so that any user on the platform can vote for a specific idea or add their own.
The customer's voice and feedback drive our roadmap, not the underlying platform.
Our roadmap is fully transparent, as it is publicly available to everyone; unlike with the GRC providers, you don't need to sign an NDA to get an insight. Just contact me (Bram@3rdRisk.com).
Together we can reshape and rethink the current third-party risk management approaches. That is why we are looking for individuals and organisations (profit and non-profit) to work with us on:
With the expertise and experience of our community, we want to standardise and open-source assessment questionnaires.
Community members can take an active role in the design and prioritisation of new platform functionalities.
Complementary to the technology, we would also like to standardise and create best practices for third-party risk approaches.
During the design and creation of our platform, we had several discussions with NGOs, Big Four firms and academics about our approach. It is entirely new, but we also gained an understanding of the potential impact that we can make with our technology. Whereas we initially had a strong focus on security, privacy and continuity in the supply chain, we also started to realise the potential impact we could make in the areas of humanity and sustainability. That is why we are currently working on different sustainability initiatives within the platform. If this is your area of expertise, please do contact me (Bram@3rdRisk.com).
Since we started creating the 3rdRisk platform, we have worked closely with designers and UX professionals to ensure that we create an intuitive and visually attractive B2B application that can be easily implemented and adopted.
As we also want to support those who cannot afford to hire implementation consultants, and we want to be transparent and open, we created an extensive documentation portal. This documentation is publicly available at docs.3rdRisk.com. It explains all implemented concepts and contains how-to tutorials and best practices.
Thanks for reading the complete post. Feel free to reach out to us for more information about our platform, strategy and the 3rdRisk community. We are a small tech startup and are always interested in making new connections and exploring new ideas.
Book a short introduction and platform demo
E-mail Bram@3rdRisk.com for a (virtual) coffee.