In third-party risk, issues around data – data security and data privacy – often hold center court. In the wake of the recent onslaught of cyber attacks and data breaches, as well as the enhanced and new regulatory efforts to contain them, third party risk managers can often find themselves spending a lot of time talking about data.
But are they focusing on one aspect of the businesses’ data, at the expense of improving their own? Today, third-party risk management (TPRM) executives are being asked to help shape their corporate data strategies, while their approach to their own risk data can be painfully out-of-date.
Two recent surveys show that while vendor risk issues may be a high priority for organizations’ finance teams, the way data is used within the risk management discipline falls considerably behind how other parts of the business may be using data to help deliver on the firm’s strategic goals.
Survey says: Vendor risk the top issue
Third party risk is now a top concern in companies. A Dun & Bradstreet report, The (R)evolution of Risk Management, released in August 2018, surveyed finance team leaders at North American and UK companies. The survey found that monitoring risks within the customer, supplier, or partner base ranked as the #1 risk facing finance leaders today.
According to the survey, 38% of finance leaders believe this a “high” risk. For context, the second highest issue was forecasting or predicting risk, while the third was growing profitability. The fact that third-party risk has surpassed these other, very deep concerns demonstrates just how far the topic of TPRM has come over the past few years.
This message was reinforced by a second D&B survey result. The top two industry external threat risks cited by survey participants were a decline in customer viability and supply chain disruption. More than 65% of finance leaders rating these as “moderate” or “high” risks.
Data silos not helping risk management
However, the other major finding of the D&B survey was that the way organizations manage their risk data is sub-optimal. According to the results, more than 60% of data used in risk management is siloed. In addition, only 20% of finance leaders reported that they had the ability to share data in an integrated fashion to manage enterprise risk.
The survey concludes, “There may be a relationship between the industry-wide concerns of customer viability and supplier viability with the top risks facing finance leaders internally, such as monitoring and forecasting risk. These results indicate that understanding risks and opportunities is a primary barrier to effective risk management within most companies, whereas scaling and adapting to the risks themselves are of lesser concern. Ineffective or inadequate use of data, analytics, or emerging technologies is a possible indication for the high level of risk associated with generating insights on risks and opportunities.”
In short, risk management teams – including those in the TPRM discipline – are failing to make use of technology – either at a basic or a more advanced level – to help detect both risk and opportunity.
Going deeper into the data problem
The results of the Dun & Bradstreet survey are echoed in the recent survey by Aravo, which looked specifically at TPRM maturity in organizations. The results reveal that TPRM data practices have a good deal of evolving to do – it is little wonder that vendor risk is such a concern for organizations. For example:
- 75% of respondents said that they did not have all of their third parties (and associated third party data) in a single database
- 66% still use spreadsheets for at least some of their TPRM data
- 44% continue to use SharePoint for managing TPRM documents and data
- 73% had not conducted due diligence on all of their third parties, and so do not have a complete data set
- The top technology challenge for respondents was the limitations on their current TPRM technology approaches.
- Tied for second place, for top technology challenge, were the related issues of disparate systems and a lack of technology integration for TPRM data.
Survey respondents said these issues hampered their ability to gain a full picture of their organization’s third-party risks, to work with TPRM data effectively, and to deliver insights to key stakeholders such as the board and business unit leadership.
Yet, TPRM managers see the opportunity that data – harnessed within the right technology approach – can create. When respondents were asked “What do you think will be the greatest opportunities ahead for third party risk management in your organization in the next 12 months,” the most popular response was gaining insight and intelligence. Many indicated that it would be a marriage of technology and data that would deliver this – for example, through better data management, the running of the data through analytics, and advanced reporting of the data.
Improving the data picture
The good news is that path to overcoming the data challenges that TPRM teams face is clear and well-trodden. There is no need to reinvent the wheel. And the value that the development of a consistent approach to managing TPRM data will bring to an organization is enormous. Key practices in managing TPRM program data include:
- Having a single, golden source of data – It’s critical that a TPRM program has a single source of data for the entire organization to work with. As the Aravo survey shows, today many organizations do not even have all of their vendors on a single database. Once such a database is in place, it’s then important that all the TPRM work that involves this data occurs within the same, central solution to create complete institutional alignment. This can include activities such as risk assessments, due diligence, and issue management and remediation. Failure to do this, by having different pools of vendor data or program approaches means the various parts of the organization will be effectively speaking different TPRM languages, and it will be nearly impossible to deliver insightful analysis in a timely fashion, or to have an enterprise view of risk exposure across all your third parties and their engagements.
- Automating data quality checks – Keeping the TPRM database clean means performing data quality checks. A good TPRM solution will have automated many of these checks – for example, to eliminate data duplication as well as the proliferation of unnecessary third parties within the database. Being able to configure the matching engine that performs those data quality checks enables the TPRM team to bring the technology into alignment with the organization’s operating environment.
- Monitoring third-party risk and compliance data automatically – Generally, the fewer human ‘fingers’ that touch data, the better. Data is available faster for use, and is subject to fewer errors. So, when it comes to incorporating data from across the organization’s systems into the TPRM solution, it’s best to automate both the collection of that data, and the monitoring of it. Best practice includes the automation of alerts based on data thresholds.
- Scoring of risk data automatically – The problems created by spreadsheet risk are legendary. Having a scoring engine that structures the way that the TPRM team assigns scoring rules to data, aggregates those scores, and calculates overall risk and performance is important. Using weight risk factors, which can then be rolled up into different scores, can take the insight the TPRM data delivers to a whole new level.
- Incorporating expert data quickly and easily – Today, TPRM thought leaders are making it clear that the internal data an organization has about a vendor is only part of the story. A much fuller picture can be gained through the use of a variety of external expert data sources. These offer a wide range of data types, from more traditional financial crime checks, to cyber-security scores, to ethical performance ratings and new sources of “alt data” that can be useful for TPRM analysis. It’s best if this data can be directly fed into a TPRM solution, with changes that impact a compliance or risk profile automatically flagged.
- Internal audit and regulatory review of data – In the modern data environment, internal auditors and regulators want to know that what they are looking at is correct and has not been accidentally or inappropriately altered. Having an audit trail for data is an essential practice.
- Data security – Last but hardly least. TPRM solutions hold sensitive data about vendors and the work those vendors are doing. It’s important to be sure that the TPRM solution being used protects data privacy, and includes access controls based on user, role, and location.
These practices are essential fundamental approaches to managing TPRM data correctly. It’s highly likely that other areas of the organization, working with business-facing data, have already implemented these methodologies. Given the high level of concern that organizations have about the threat posed by vendors, to the ability of the business to achieve its strategic goals, there has never been a better time to press the case for investment in improving the way TPRM data is managed internally. The benefits – improved risk insights, as well as greater awareness of potential opportunities – hold not only operational, but considerable strategic value as well.