Challenges in Third-Party Risk Management
The structures and realities of business today have changed. Traditional brick-and-mortar business is outdated: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees, including suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more.
In an increasingly interconnected world, third-party risk management (TPRM) is becoming an imperative aspect of organizations. Navigating the complex maze of challenges inherent to TPRM can seem daunting.
Yesterday, I held my Third Party Risk Management by Design workshop in London. We had 51 organizations registered, with over 40 attending. Below is a summary of the challenges the attendees expressed and interacted with throughout the day. The same Third Party Risk Management by Design workshop will be in Chicago on October 13th.
The third-party risk management challenges the attendees stated that were keeping them up at night are:
- Fragmented Requirements. Often, due diligence is mired in fragmented requirements from different third-party risk functions. These functions operate in silos, each wielding its own tools and lacking a unified source of truth.
- Siloed Risk Insight. Third-party risk information is scattered across multiple departments/functions, leading to inefficiencies and, at times, contradictory and risky actions.
- Regulatory Disparities. Local regulations can often conflict with the guidelines of the head office, leading to operational hiccups. Additionally, managing compliance across jurisdictions and handing data over to third parties can be perilous.
- ESG and Due Diligence. Environmental, Social, and Governance (ESG) considerations, especially those pertaining to climate change, harmful chemicals like PFAS, and social accountability, are increasingly becoming focal points. The attendees were concerned about addressing ESG in complying with Germany LkSG and the EU CSDDD.
- Managing Outcomes of Relationships. Evaluating the material outcomes of risks in relationships is critical, as these can significantly affect an organization’s bottom line and reputation.
- Data Challenges in Third-Party Risk Intelligence. Data plays a pivotal role. However, accessing disparate third-party risk data sources and ensuring its veracity is challenging.
- The Unknowns of the Supply Chain. Understanding who constitutes the supply chain, nested entities, and determining the real executor of the work is imperative to managing risks.
- Resilience. From supplier resilience, safety, and cybersecurity to continuity, organizations must focus on building robust systems. There are significant fines and penalties for not complying with resilience regulations.
- Big Picture of TPRM. Having a strategic outlook that encapsulates the full spectrum of third-party risks is crucial. Who’s ensuring a holistic view? Are contractual arrangements under scrutiny?
- Artificial Intelligence. Technology, especially AI, can be a game-changer. While AI can streamline processes, there’s also the inherent risk in not governing it use within third-party relationships.
- Continuous Due Diligence. Relying on traditional methods like documents, spreadsheets, and emails is passé. Continual due diligence is the need of the hour.
- Social Accountability. Risks of bribery, corruption, and lack of social responsibility in third-party relationships can’t be overlooked.
- The Business Case. Building a business case for TPRM involves showcasing its value proposition and garnering top-down senior sponsorship.
The term “Third-party risk governance” or “GRC” resonates more accurately than risk management. It’s about instilling a governance culture to reliably achieve objectives in the relationship, address uncertainty and risk, and act with integrity, with a culture that fosters oversight and continual improvement. Organizations can sail smoothly in the choppy waters of third-party risks by leveraging technology and ensuring top-down buy-in. Remember, in the age of the extended enterprise, mastering TPRM isn’t just a necessity; it’s a strategic imperative.