The modern organization is not defined by brick-and-mortar walls and traditional employees. The modern organization is the Extended Enterprise of third-party and nth-party relationships. The suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, partners, and more . . . they are part of your organization. There is no black-and-white border to the organization it is shades of grey.
Third-party risk management strategy, processes, and particularly technology (including intelligence/content solutions) are a major part of my overall GRC market research. I have advised organizations around the world on RFPs, directed them to solutions and services to consider, and teach my Third-Party GRC/Risk Management workshops around the world (just taught one in London last week with over 40 that attended. I have seen successes, unfortunately I have seen a lot of failures and often engaged to come in and tell organizations where they went wrong and what they should consider, particularly with third-party risk technology.
Here are the top things I see in my research where organizations fail in third-party risk management . . .
- No concept of third-party governance. Personally, I prefer the term third-party GRC over third-party risk management. Risk does not happen in a vacuum. Risk management, and in this context third-party risk assessment requires context. Every relationship is established for a purpose, what are the objectives of the relationship and its components? According to ISO 31000, “risk is the effect of uncertainty on objectives.” Too often organizations fail to manage risk in the context of the delivery, performance, objectives, and value of each third-party relationship. Too often technology being adopted in this space completely lacks an understanding of third-party governance to objectives and performance. I am speaking on this in the upcoming webinar: Transform Your Third Party GRC Strategy to Focus on Agility, Resilience, & Integrity.
- Third-party risk or Extended Enterprise? I personally do not like the term third-party; the reality is that the modern organization is the extended enterprise. The term third-party builds a stigma of something being a commodity, expendable, and changing. The strongest third-party risk (GRC) management programs are focused on the extended enterprise and treat their third parties as critical players and partners to their strategy, operations, and processes.
- ESG. ESG is going to rock your third-party risk world. You need to be leveraging technology that fully integrates complete situational awareness of ESG – environmental, social, governance – across your extended enterprise. Too often organizations fail to see the scope of ESG and the scope of its impact on third-party relationships. The tsunami of ESG regulations impacting supply-chain and third-party relationships is building and it is monstrous. I am speaking on this in the upcoming webinar: ESG Teeth & Supplier Risk: Analyst Advice for Mid-Sized Companies
- Silos of third-party risk oversight. Organizations fail because they too often lack a full view of third-party risk. IT security is doing its thing for vendor risk. Procurement is doing something else. Continuity/resiliency has their program involving third parties. Compliance and ethics are going down a different road as well. So is ESG now. And more. Organizations fail to see the aggregate and complete risk exposure across all these silos in a relationship. Just looking at one aspect of risk does not give you a full picture of risk and may give you a false or misleading picture of risk.
- Not managing the details of a relationship. Too often technology in this space is built to manage risk at the relationship level and not the components of a relationship. I sat on the social accountability advisory board for a major Fortune company for their supply chain code of conduct. They have 5,000 suppliers with 50,000 facilities across those suppliers. One supplier might have one facility, another might have 20 facilities. This organization manages social accountability risk (e.g., child labor, forced labor, working hours, health and safety) at the facility level and not just the supplier relationship level. A North American bank that came to my workshop has 4 data centers they outsource to one outsourcer. They measure risk and different risks at each data center not just the relationship level. A global bank in Europe told me they need to manage risk to the service-level agreement (SLA) or specific contract. One relationship might have a hundred contracts or SLAs. They were frustrated as their platform they chose only manages relationships and not the components.
- Lack of a good source of third-party risk intelligence/content. Organizations fail as this is not just a technology and process problem. To manage third-party risk, and particularly ESG risk, requires a full spectrum of third-party risk content/intelligence across sanctions, politically exposed persons, financial/viability ratings, security ratings and scorecards, ESG ratings, negative news/adverse media, geo-political risks, reputation and brand lists, and more. Organizations need technology platforms that integrate into the new generation of third-party content/intelligence providers to provide 360° contextual awareness of what is happening.
- Resiliency is not understood. There is so much focus on operational resilience today, but you cannot be a resilient organization without looking at the extended enterprise of third-party relationships. Third parties are critical to the organization’s services and operations. And this is much more than digital resilience and security, it requires a full spectrum of third-party risks and the relationships of the organization, and particularly in a geo-political risk context.
- Thinking third-party risk assessments are going away. However, those using broader third-party risk intelligence/content too often buy into a fiction that they do not need the assessment questionnaires. Those are still needed and will NOT go away. At basic level third-party assessment questionnaires are a CYA (cover your behind) legal and compliance exercise that is necessary. At a more mature level it is ensuring a common understanding of risk management and shared values/ESG.
- Offboarding is missing. Many companies have processes and technology in place to do due diligence during on-boarding. When it comes to ongoing monitoring there are often structured processes in place. However, most organizations fail in having defined processes with structured workflow and tasks to off-board (say good-bye) to a third-party.
- No process to exercise right to audit clauses. I am frustrated in the number of programs I see that have no methodology and structure to how and when they conduct right to audit clauses and inspections. Too often technology in this space does not help as it does not manage these interactions. The best practice I have seen is with a large global food retailer with thousands of relationships and tens of thousands of facilities within those relationships. They score every facility at a red (high), yellow (medium), green (low) level for risk that drives audits/inspections. Red level facilities must have an onsite inspection every year, yellow risk facilities every two years, and green risk facilities are randomly sampled for onsite inspections/audits.
- Selecting the wrong vendor. This happens time and time again. Two years back I was working on one RFP. The global organization had deep and complex requirements. They had a few vendors in play in silos of third-party risk oversight and one they particularly liked. They selected that one, even when I told them not to that it will not meet their complex needs. They went down that road and later came back to me stating they wish they would have listened. They must dumb-down their third-party risk program (particularly down to the relationship level and not component/SLA/contract level) or go back to RFP. You need to make sure you select the vendor that delivers on the vision for what you are trying to achieve.
- Documents, spreadsheets, and emails. Then there are the programs, or fragments of programs, that think they can manage third-party risk on documents, spreadsheets, and emails. These manual processes have huge issues in cost as well defensibility. Documents, spreadsheets, and emails do not provide a robust and defensible audit trail and system of record – the organization has no record of what fiction may have created in these electronic paper trails to cover up something. Regulators and law enforcement are wising up to this. Further, I have seen programs that state 80% of their staff time is chasing and managing hundreds to thousands of documents, spreadsheets, and emails and only 20% of staff time (or less) is productively managing and improving third-party risk management in relationships. Some organizations I have talked to went from 20 hours to onboard a third-party on average down to 3 hours by replacing manual processes. Ongoing annual risk assessments went from 10 hours down to 1 and a ½ hours of time per third party because of automation.
As you can see, there is a lot of pitfalls to not properly addressing third-party risk management strategy, process, and technology. These programs are essential and needed to be designed with care and the right technology and content used that delivers value.
Third-party risk management also varies by industry as to focus. Recently there have been a quite a few of RFPs over the past few years in life sciences/pharmaceuticals. They all have very similar requirements, but are also very different from financial services, and others. To see the scope and complexity of third-party risk, here is the common elements in the life sciences industries in a third-party risk management program:
- Animal Welfare
- Anti-Bribery and Corruption
- Compliance in Suppliers
- Promotional Practices
- Global Security/Physical Security
- Health & Safety
- Information Security
- Information Systems Quality
- Intellectual Property Risks
- Geo-Political Risk
- Performance, Contractual, SLAs
- Product Quality and Safety
- Clinical Trials
- Human Biological Sample Management
- Resiliency & Business Continuity
- Concentration Risk of Suppliers
- Material Risk of Suppliers
- Social Accountability
- Child Labor
- Forced/Prison Labor
- Strategic Sourcing
- 4th/Nth Party Risk Across All These Domains
That is just one industry example . . . then there is healthcare, banking, insurance, retail, hospitality, oil/gas, and more examples.
Next week we will look at where risk management strategies and technologies fail . . . stay tuned.