The organizational imperatives of TPRM
With companies across the world searching for new ways to get ahead—either through enriched customer experiences, the expansion of market share, or sustainable growth—it’s becoming increasingly clear that the benefits of a robust third-party risk management (TPRM) function aren’t limited to regulated industries.
A safe and strong extended enterprise helps all organizations boost their bottom line and accelerate growth. It allows them to collaborate with service providers across their ecosystem to provide innovative, seamless customer experiences, identify and mitigate risk, and accelerate performance.
To realize these benefits, it’s necessary to build capabilities that drive TPRM consistency across the organization. By looking beyond a potential supplier’s value or performance—and building a pragmatic TPRM model that equally balances strategic goals, performance, and risk—organizations can leverage external risk sensing to enrich their supplier intelligence and, ultimately, power performance.
In Focusing on the climb ahead: Third-party governance and risk management, a report based on Deloitte’s extended enterprise risk management global survey 2018, there is evidence that an increasing number of organizations are starting to see TPRM through this lens—78 percent of respondents said ownership and accountability of TPRM is well-established in the C-suite, with either the CEO, CFO, CPO, CRO, or a member of the board ultimately accountable for it. This strong tone from the top is a significant starting point in extracting more value from the TPRM function.
That said, the survey reveals there is definitely room for improvement in coordinating TPRM efforts throughout organizations, both in Canada and beyond. According to respondents, only 16 percent of risk domain owners had a high level of engagement and understanding of TPRM. These results indicate that—to realize the true business value of TPRM—companies must synergize the TPRM efforts of all their organizational stakeholders and clarify accountabilities across the enterprise.
The power of synergy
In both regulated and unregulated industries, most organizations typically have multiple stakeholders responsible for managing third-party relationships, and their responsibilities often overlap. For instance, the information security function is often charged with oversight of vendor security—it’s responsible for understanding the cybersecurity posture of various vendors and determining if these vendors expose the supply chain to new forms of risk that could ultimately compromise the organization.
The trouble is, vendor security is also often part of the procurement and vendor governance functions—but in addition to looking at technology risk, these functions also explore whether third-party vendors present such things as “going concern” and geopolitical risk. To complicate matters further, individual business units also play a role in managing their vendor relationships, and they have their own systems and processes for doing so.
In addition to resulting in countless inefficiencies and redundancies, this fragmented arrangement makes life incredibly difficult for senior stakeholders, who are often presented with uncoordinated and inconsistent information from multiple stakeholder groups, making it challenging to decipher the organization’s overall TPRM stance and maturity.
Without the right information in hand, it becomes impossible to make the educated decisions necessary to realize the business benefits of TPRM. The first step in establishing a robust TPRM model, therefore, is to clearly break down and define each department’s roles and responsibilities, so as to establish one common supplier view across the organization.
Many businesses continue to suffer from the duplication of TPRM efforts and poorly defined responsibilities—but there are signs things are beginning to change. In regulated industries, such as financial services, new compliance requirements have provided businesses with a sound starting point toward TPRM synchronization. Today, most companies know which risks need to be managed, and they are assigning specific senior executives to guide TPRM efforts, bring stakeholders together, and establish standard operating procedures. These TPRM groups are creating common frameworks and taxonomies to aggregate information and provide a single, unified view of risk management to the board and management.
In non-regulated industries, things are beginning to move as well—albeit more slowly. Many companies in the energy and resource sector, for example, now have a centralized supply chain function accountable for third-party relationships—but this tends to be something that works better on paper than in practice. In matters of contract performance, such as the performance of services or on-site delivery, the operations group often ends up assuming accountability—largely because this group is still responsible for supplier budgets.
To overcome these challenges, it’s essential to increase engagement among risk domain owners—and one proven way to do this is by creating Risk Management Committees (RMCs). The RMC is a committee of the board charged with keeping abreast of risk management developments across the organization. It tracks risk management programs enterprise-wide and, using dashboards, can swiftly identify when specific risks merit the attention of the full board. Given that the board doesn’t have time to add TPRM to the agenda at every meeting, this approach allows it to review emerging TPRM risks adequately and mitigate them proactively.
In today’s fast-paced business climate, a streamlined and efficient TPRM program can be a tremendous asset—affording businesses a unique opportunity to swiftly respond to market factors, and accelerate such processes as vendor onboarding, in a risk intelligent way. For this to happen, however, regulated and non-regulated businesses alike must be open to revolutionizing risk—and adopting a synergized framework to harness its performance-powering capabilities.