Canada’s moment: How shifting TPRM trends are opening new doors for business
As companies across the globe rely on increasingly extensive—and complex—business ecosystems, the benefits of a strong third-party risk management (TPRM) function are coming into sharper focus. Leading organizations now recognize the role that a risk-intelligent TPRM program can play in powering growth, innovation, and business performance—and they’re taking steps to enhance their maturity in this area, in part through a new approach to technological investment.
According to "Focusing on the climb ahead: Third-party governance and risk management," a report based on Deloitte’s extended enterprise risk management global survey 2018, a growing number of organizations are re-evaluating their TPRM frameworks and abandoning the traditional decentralized decision-making processes and complex bespoke solutions of the past. Centres of Excellence and shared service models are becoming more commonplace—leading to greater centralization of TPRM technologies and making a tiered technology architecture the solution of choice.
But while this shift signals a more strategic approach to TPRM, progress remains slow—particularly in Canada. Building an efficient TPRM program is both complex and expensive, and without regulatory requirements forcing their hand, like their global counterparts, non-regulated Canadian companies are lagging in TPRM maturity. Even regulated organizations are struggling to keep pace, particularly if they approach TPRM as merely a compliance exercise.
That said, given the dramatic changes occurring in this space, this lack of prior infrastructure investment might actually be an advantage—uniquely positioning Canadian companies to fast-track the adoption of new TPRM models. For this to happen, however, Canadian businesses need to expand their view of third-party risk, explore new technologies, and consider the benefits of a TPRM utility model.
While Canadian organizations understand the significance of TPRM, many continue to fall short in how they address it from a technology perspective. To fully assess third-party risk, there are numerous risk domains to consider—such as cybercrime, contract risk, physical security, financial viability, sanctions screening and export controls, brand and reputation risk, anti-bribery and anti-corruption, environmental/sustainability, subcontractor risk, geopolitical risk, business continuity, human rights, and health and safety. A robust technology solution must have the flexibility to address them all.
As it stands, most Canadian companies focus their TPRM technology efforts on security—and typically only consider one or two domains when building their TPRM solutions. In a similar vein, many Canadian organizations limit their TPRM focus to the risks presented by suppliers, when they should be taking a more holistic approach. This means assessing risks across their entire third-party ecosystem—from suppliers and contractors to distributors, resellers, and beyond.
By taking a sufficiently broad scope when establishing their TPRM technology strategy, organizations can do more than simply mitigate third-party risk. They can also improve organizational efficiencies, reduce costs, enhance their brands, and make more informed technology investment decisions.
A new take on tech
When it comes to technology investments, our 2018 survey shows many organizations moving towards a three-tier architecture, which typically includes:
- ERP systems or other backbone applications for procurement;
- Generic GRC software or TPRM-specific risk management packages tailored to the organization; and
- Other niche packages for specific TPRM processes or risks, with feeds from specialized risk domains.
This third tier may be a challenge for some Canadian companies, as it involves investing in advanced technologies—such as natural language processing and machine learning—to collect and analyze data across multiple sources at previously unthinkable scales and accuracy levels. However, as the Canadian market matures in the years to come, these technologies are bound to become more prevalent. In the interim, organizations can begin reaping the benefits of reduced costs and improved efficiencies by exploring a TPRM utility model.
A group effort
A utility model is a community-centric approach to managing risk. Rather than individual organizations each conducting their own risk assessments of the same suppliers, this model relies on a centralized utility to share risk assessments across a community of interest.
Take Canada’s financial services sector as a case in point. Currently, most financial services institutions (FSIs) rely on the same types of suppliers to provide the same types of services. In fact, they often use the same suppliers. However, because they operate in a risk management silo, each bank must devote considerable resources to conducting internal risk assessments for each supplier it uses. Not only is this costly and time-consuming, but it also results in unnecessary duplication of effort.
With a utility model, a central utility assumes the responsibility for risk assessing all suppliers, validating the information provided, and developing risk scores—which are shared with all member banks. This frees up the banks to simply ensure the reported risks align with their risk thresholds, and select suppliers accordingly.
Notably, this type of model need not be confined to financial services. This means Canadian businesses in almost every sector have the opportunity to bypass the cost of setting up expensive internal systems, while simultaneously maturing their TPRM programs.
No time like the present
While Canadian businesses currently lag their global counterparts in TPRM maturity, they aren’t beholden to this trajectory—one only has to look to the evolution of the telephone for evidence of this. Only a few decades ago, developing countries were significantly behind their developed counterparts in communication technology—unable to establish an extensive telephonic infrastructure. Thanks to advances in technology, however, many of these nations fast-tracked the adoption of the cell phone—and rapidly caught up with the times.
Canadian businesses may be in a similar position with TPRM. Today’s emerging technologies and new TPRM models offer a unique opportunity to play catch-up—and transform TPRM from a compliance-focused function into a tool to power performance.
Financial services: A whole new ballgame for TPRM
In recent years, OSFI has been heightening enforcement around regulation B-10—which requires financial services institutions (FSIs) to adopt minimum standards when outsourcing business activities, functions, and processes. With the spotlight on their TPRM functions, FSIs are under growing pressure to roll out more mature, fully operational third-party risk management frameworks.
To fully benefit from this mandate, however, FSIs will need to approach TPRM as more than merely a compliance exercise. One way to do this is by exploring a utility model, an approach that enables the sharing of resources to establish a more mature TPRM program—one that not only meets OSFI’s requirements, but that reduces organizational costs, and helps minimize systemic risk across the broader DSIB ecosystem in the process.