5 Questions to Ask When Evaluating TPRM Technology Providers

March 7th, 2024 Daniel Philemon Reading Time: 5 minutes

“A smooth sea never made a skilled sailor.” – Franklin Roosevelt.

As a consultant in the risk and compliance arena, I am familiar with the difficult waters that compliance professionals navigate.  Whether it’s a new cyberattack, a natural disaster, or a worldwide pandemic, compliance professionals must be prepared to handle the tidal waves that could potentially ‘rock the boat.’

Creating and Maturing a TPRM Program with Value

More often than not, technology is at the forefront of successful compliance programs, especially third-party risk management (TPRM) programs. Over my seasons in the compliance technology industry, I have gleaned various commonalities when discussing future state risk and compliance programs with professionals. It is always clear that everyone has the need to mature and the ability to scale into something measurable and impactful.

This idea of maturing/scaling isn’t a foreign topic. The dream of growth, being better, blossoming into something of value, makes all people similar regardless of whether we are talking about TPRM programs or doing sudokus. The unfortunate truth is that creating and maturing a TPRM program isn’t an easy endeavor. The broader GRC industry has accumulated so many buzzwords, market leader trends, influencers with opinions, experts with advice, that the whole idea of “growth” is getting harder to define.

My appeal with this article is to focus on five questions that, when considered, can help in evaluating TPRM technologies.

Can the TPRM technology align with your organization’s brand? 

The idea of starting a contractual relationship with a third party is just like any relationship. Each party must learn each other’s antics, how each other functions, and most importantly, be comfortable with each other. The way to create comfort with third parties starts with showing ‘ownership’ of processes.  TPRM programs require interactions with third-party contacts in which technology can act as a helpful medium to collect and gather needed details through online portal websites, digital questionnaires, and email communications.

As a third-party contact prepares to provide an organization with sensitive information like business structure details, banking information, diversity statuses, tax information, and potentially risk-specific data (e.g., infosec, data privacy, ESG, ABAC, etc.), doubt and concern about the legitimacy of the submission portal, emails, and/or questionnaires requested for completion shouldn’t come up in the process.

A fully-branded submission portal with an organization’s name in the URL, background imagery reflective of the organization’s culture, color schemes aligned with the organization’s palette, and up-to-date logos/icons speaks volumes about program ownership and reduces doubt and concern about providing sensitive information to the organization.

When assessing TPRM technologies, make sure you understand what it means to “brand” the environment, and whether branding can be updated by the organization or the technology provider must get involved for branding updates. First impressions are important, so work with a provider that offers the means to create confidence in the program and avoid delays in getting important information about third parties.

Can the technology reflect your current/future data model? 

The information you need to collect from third parties is critical and technology must conform to an organization’s data, not the other way around. TPRM programs grow, change, and shift constantly.  The technology that supports your TPRM functions should have the flexibility to have custom attributes unique to the organization’s risk domains as well as the ability to configure/organize your third parties’ data in ways that make sense to the organization’s users.

When evaluating product functionality, let curiosity take center stage and ask the representatives how specific, real-world, organizational use cases could look during product demonstrations. It is primarily the organization’s TPRM experts who will know how effective (or confusing) the technology will be once implemented. Having a strong pulse on the data model capabilities will add comfort to any current/future TPRM needs that come up.

Does the TPRM technology offer content?

The organization may have a mature TPRM program with developed, domain-specific questionnaires, role-oriented processes, and risk-scoring evaluation models. Or the organization may be in the beginning phases of its TPRM journey. Either way, there is value in considering prebuilt content.

Due to the volatile nature of our world, it is important to have a review cadence in place for the questionnaires and emails sent to third parties. Accounting for the need for new information from a third party, or making simple adjustments in wording, helps keep questionnaires and emails from appearing dated and lacking oversight.

Similar to the branding question above, the impression a third party receives from a questionnaire and/or email is important and the feeling of organizational ownership of the information can help to avoid delays and additional questions during the data collection process. So, be curious about the TPRM provider’s content and ask questions like:

  • Why are the questions grouped in certain ways?
  • Why did the provider decide on 20 questions versus 200 questions in a single, out-of-the-box questionnaire?
  • Why should the questions consider country-specific legislation requirements?
  • Why did the TPRM provider choose to only translate questionnaires into 5 languages and not 40 languages?

Does the technology have flexible storytelling capabilities? 

As a professional demonstrator, nothing excites me more than demonstrating analytics. The different colored pie charts, illustrative maps with third parties positioned all over the world, scatter plots, and line charts that force your eyes to navigate up and down are the best part of a demonstration because analytics bring life to all of the data, activities, questionnaires, and people involved in making a TPRM program tick. Therefore, it is important to be curious about what types of analytics are provided by the TPRM provider and whether the solution offers the ability to configure company-specific visualizations.

Does the TPRM technology provider offer a partnership geared toward your TPRM goals? 

Every organization buys TPRM technology to help accomplish a goal. The goal could be a broad goal like the ability to automate TPRM processes in a single solution. Or, it may be a very specific goal like the need to create and evaluate a custom-built questionnaire because a new compliance requirement came to fruition. 

Regardless of the goal(s), an organization should feel that the TPRM provider is curious about the goal(s), asking a multitude of questions about the challenges, collaborating with the contacts to identify future roadblocks in implementing the technology, and most importantly, being boldly vocal and consultative about reaching the goal(s).

The best way to discover how the TPRM provider will partner with an organization after the technology is purchased is to get definitive clarity around how a TPRM provider partners with clients. At Aravo, we take our clients’ goals seriously and will not hesitate to discuss our formal Strategic Alignment Framework™ with our prospects and clients to ensure that any formal relationship with Aravo is a collaborative effort that requires conversations around effective big thinking, starting with realistic goals, and growing fast.

Now, Go Get Started

In conclusion, approach the journey of TPRM programmatic maturity with child-like curiosity. Think about what your TPRM program means to your organization, ask lots of questions, and work with a provider that shares that same curiosity about the success of the program. At Aravo, we’ve experienced over 20 years of partnering with clients to create impressionable TPRM programs that reflect relevant content, flexible data models, and the tools TPRM professionals rely on to help visualize the value of third-party risk management.

Curious? Talk to us today!

Daniel Philemon

Daniel serves as a Senior Business Solutions Consultant at Aravo Solutions and has a passion for helping organizations see value in technology to understand risk through the context of third parties. Daniel has 12+ years of professional experience in the Governance, Risk, and Compliance (GRC) space through various SaaS (Software as a Service) providers.
