If your journey to third-party risk management (TPRM) maturity includes an RFP in the coming months, you might be unsure how to approach the vendor selection process. That’s why Aravo asked Michael Rasmussen of GRC 20/20 to present Best Practices for Third-Party Management RFPs in a recent webinar.
During the presentation, Michael outlined the key capabilities to look for if you’re planning a technology purchase to help you achieve your organization’s third-party management objectives, address the uncertainty that comes with risk, and act with integrity. To bring this to life he used the analogy of a forest. If your individual third parties are the trees, he said, the forest is the web of interconnected relationships across the organization. To achieve the highest level of TPRM maturity (as illustrated in the chart below), you need to make sure your RFP is designed to identify tools that deliver a deep understanding of each of the individual third parties (the relationship level), their engagements (the contract level), and the ecosystem they are part of.
Not All TPRM Tools Are the Same
Some TPRM tools can show you that the tree is there, but the picture is blurry. What kind of trees are they? How many branches do they have? Each vendor carries its own inherent risk profile, both at the entity level and according to the types of engagements it is used for. Agile TPRM has to be able to drill down into every branch of the third-party relationship to closely manage and monitor individual contracts and SLAs in detail, as well as assessments for multiple risk domains. For example, depending on the relationship, a third party may have to complete complementary assessments for anti-bribery and corruption (ABAC), GDPR, and InfoSec.
Conversely, other tools are examples of not being able to see the forest for the trees. They track individual third parties in great detail, but they can’t easily show the big picture you need to understand the overall risk across the third party portfolio. During the webinar, Michael outlined the four major kinds of vendor offerings TPRM buyers encounter and some of their deficiencies in blazing a path to TPRM maturity.
- Traditional procurement and ERP solutions – Because they are often associated with sourcing and contract management, these systems focus on the trees, evaluating and managing third-party performance according to contracts and SLAs. However, they often have little risk and compliance functionality and lack the view of the forest to help an organization understand inherent risk areas, such as reporting on or validating which third parties need to go through GDPR assessments, for example.
- Governance, risk, and compliance platforms – These applications generally offer a module for TPRM as part of a broad offering. Michael observes that these solutions can provide a view of the forest because they are primarily focused on the relationship with the third party and can show third-party risk in context with other areas. Their focus on risk and compliance, however, overlooks some of the details about the trees, such as monitoring the performance of individual contracts and SLAs, that are needed to achieve true agility.
- Issue-specific third-party solutions – Offering deep content and capabilities for the specific risk domain they were built for (e.g., anti-bribery or information security), these solutions only look at certain kinds of trees, and because they are highly specialized, they can’t provide an overall risk assessment of either the individual third party or the broader third-party ecosystem.
- Dedicated TPRM platform – Specializing in TPRM, these solutions have a broad focus across departments that delivers an accurate picture of the entire forest, as well as the ability to update that view as additional information is obtained or refreshed through content integrations. At the same time, a dedicated TPRM platform can monitor all risks associated with an individual third party while also monitoring its performance against contracts and SLAs.
Critical Capabilities to Include in Your RFP
Clearly, Michael recommended a dedicated TPRM platform for those organizations genuinely looking to achieve the highest level of maturity (Agility) in their programs. Agility is especially important for third-party risk management as it involves an environment of constant regulatory and business change as well as rapidly evolving risks, such as cyber-risks. If you already have an ERP or GRC solution that offers a TPRM module at your organization, you may find yourself under additional pressure to select one of those options, especially if your organization is trying to rationalize suppliers. Michael encouraged attendees to understand not only the deficiencies of these alternatives, but also recognize and evaluate the critical features and capabilities a focused enterprise solution should deliver.
One of the most important features is an integrated information architecture that can create a 360-degree view of both a third party and the third-party portfolio. That means the TPRM tool can collect the content needed to analyze risk (contracts, transactions, documentation, assessments, data from external sources, etc.). More importantly, an integrated information architecture creates contextual intelligence by connecting that content to your organization’s objectives, risks, controls, issues, roles, policies, and obligations.
But it isn’t enough to have an integrated repository of content. That content has to be put to use to increase efficiency and accountability, with automated workflow and task assignment enforcing policies for reviewing, collaborating, and taking action when needed. These activities can then be tracked to create an audit trail and to support management reporting through both reports and dashboards.
Michael also shared this specific list of critical capabilities that represent must-haves that should be reflected in any TPRM vendor RFP:
- An onboarding process for registering suppliers that allows them to submit necessary documentation
- A due diligence process that is conducted at onboarding as well as periodically or continually thereafter depending on the nature of the relationship
- A risk assessment and analysis of third-party relationships on both an individual and portfolio level
- Policy communication and attestation to third parties to ensure that they understand what is expected of them
- Training and awareness of third parties to make sure that their employees are prepared to operate according to your organization’s policies and avoid issues
- Compliance assessments and analysis of third-party relationships
- Issue management through issue reporting/identification, response/investigation, and resolution
- Forms and disclosure management that allows third parties to fill out forms and submit information, reducing the burden on relationship managers to collect information
- Audit and inspection management of third parties in the context of right-to-audit clauses
No matter your starting point as you put together a TPRM RFP – whether you’re juggling multiple documents and spreadsheets or consolidating departmental solutions into an enterprise strategy – you need to find a tool that will put you on a path to defensible, auditable risk management and accelerate your journey to TPRM maturity. For additional insight into Best Practices for Third Party Management RFPs, view the webinar, which includes Michael’s advice for RFP creation as well as a complementary view from Aravo’s Dave Rusher on testing these capabilities first-hand with a proof-of-concept.