If your journey to third-party risk management (TPRM) maturity includes an RFP in the coming months, you might be feeling a little unsure about the right direction to move forward in the vendor selection process. That’s why Aravo asked Michael Rasmussen of GRC 20/20 to provide Best Practices for Third-Party Management RFPs in a recent webinar.
During the presentation, Michael outlined the key capabilities you need to look for if you’re planning a technology purchase to help you achieve your organization’s third-party management objectives, address the uncertainty that comes with risk, and act with integrity. To bring this to life he used the analogy of the forest. If you compare your individual third parties to trees, he said, the forest is the interconnectedness of relationships on the organization. To achieve the highest level of TPRM maturity (as illustrated in the chart below), you need to make sure your RFP is designed to identify tools that deliver a deep understanding of the individual third parties (the relationship level), their engagements (the contract level), and the ecosystem they are a part of.
All TPRM Tools are not the Same
Some TPRM tools can show you the tree is there, but the view is blurry. What kind of trees are they? How many branches do they have? Each vendor carries its own inherent risk profile, both at the entity level and according to the types of engagements it is being used for. Agile TPRM has to be able to drill down into every branch of the third-party relationship to closely manage and monitor individual contracts and SLAs in detail, as well as assessments for multiple risks. For example, depending on the relationship, a third party may have to complete complementary assessments for anti-bribery and corruption (ABAC), GDPR, and InfoSec.
Conversely, other tools are examples of not being able to see the forest for the trees. They track individual third parties in great detail, but they can’t easily show the big picture you need to understand the overall risk across the third-party portfolio. During the webinar, Michael outlined the four major kinds of vendor offerings TPRM buyers encounter and some of their deficiencies in blazing a path to TPRM maturity.
Critical Capabilities to Include in Your RFP
Clearly, Michael recommended a dedicated TPRM platform for those organizations genuinely looking to achieve the highest level of maturity (Agility) in their programs. Agility is especially important for third-party risk management because it operates in an environment of constant regulatory and business change as well as rapidly evolving risks, such as cyber-risks. If your organization already has an ERP or GRC solution that offers a TPRM module, you may find yourself under additional pressure to select one of those options, especially if your organization is trying to rationalize suppliers. Michael encouraged attendees to understand not only the deficiencies of these alternatives, but also to recognize and evaluate the critical features and capabilities a focused enterprise solution should deliver.
One of the most important features is an integrated information architecture that can create a 360-degree view of both a third party and the third-party portfolio. That means the TPRM tool can collect the content needed to analyze risk (contracts, transactions, documentation, assessments, data from external sources, etc.). More importantly, an integrated information architecture creates contextual intelligence by connecting that content to your organization’s objectives, risks, controls, issues, roles, policies, and obligations.
But it isn’t enough to just have an integrated repository of content. It has to be put to use to increase efficiency and accountability. Automated workflow and task assignments enforce policies for reviewing, collaborating, and taking action when needed. These activities can then be tracked to create an audit trail and facilitate management reporting, through both reports and dashboards.
Michael also shared this specific list of critical capabilities that represent must-haves that should be reflected in any TPRM vendor RFP:
No matter what your starting point is as you put together a TPRM RFP – whether you’re juggling multiple documents and spreadsheets or consolidating departmental solutions into an enterprise strategy – you need to find a tool that will put you on a path to defensible, auditable risk management and accelerate your journey to TPRM maturity. For additional insight into Best Practices for Third Party Management RFPs, view the webinar, which includes Michael’s advice for RFP creation as well as a complementary view from Aravo’s Dave Rusher on testing these capabilities first-hand with a proof-of-concept.