How To Build a Business Case for Better Third-Party Risk Management
October 2nd, 2020
posted by Aravo
Third-party risk management (TPRM) teams are often challenged by the business to come up with the ROI for program improvements, such as additional resources, tools, and technology.
Often ROI may be presented in the framework of overall efficiencies gained (for instance using an automated platform like Aravo can reduce onboarding time by more than 81% or accelerate assessment cycles by more than 70%). But that’s not the complete picture. And if your senior management and boards are focused on efficiencies and ‘cost-cutting’ alone, they are missing one of the most important and compelling value-cases for TPRM – which is the protection and resilience it delivers to the business.
And here’s the case: recent research has suggested that TPRM program maturity appears to play an important role in protecting the organization against the damage associated with incidents caused by third parties. Markedly so.
Incidents are more likely to result in business and/or reputational damage in immature programs
While third-party related incidents are fairly equally spread across mature and immature programs, the impact (or consequences) of those incidents is not.
Third-party related incidents that could damage the business and/or its reputation are common. More than half (59%) of respondents who had insight said that they had experienced incidents associated with a third party that caused, or had the potential to cause, business disruption and/or reputational damage in the prior 12 months.
This differentiation between ‘caused’ and ‘had the potential to cause’ is important.
The research showed a much larger proportion of incidents that caused damage among those with immature programs. Incidents were more likely to cause significant business disruption or reputational damage in immature (Ad-hoc – Fragmented) programs: 71% of responses noting an incident that caused significant damage came from respondents who reported that their programs were immature, compared to just 18% from mature (Integrated – Agile) programs.
Incidents were also more likely to cause some business disruption or reputational damage in less mature programs (63%) than in mature programs (15%).
This suggests that mature programs help protect the business against incidents actually translating into damage. This could be through recognizing the incident sooner, together with a faster ability to act on remediation plans.
Now let’s take a look at the types of events. The most common forms of third-party incidents were related to performance (45%), data breaches (22%), regulatory compliance (21%), and cybersecurity incidents (18%), such as hacking or malware.
This is also interesting in that there is a wide range of incidents in which third-party failures have impacted the business – not just those that tend to catch the headlines, like data breaches.
These are all important data points for third-party risk managers looking to build an internal business case for the value of a robust and mature program. Considering the average cost of a data breach is $3.92 million and the average size of an FCPA enforcement action in 2019 was $208 million (in fines alone), this should provide companies with an incentive to invest in maturing their programs.
But it’s not just the ability to respond to incidents and remediate them in a more effective manner internally that’s important. There’s also the view of the regulators to take into account. Regulators are going to look at your programs, their effectiveness, and the measures you have taken to respond to and manage risk. If you have an ad-hoc approach and poor controls in place, they are going to take a much more punitive approach than if you have done everything within your control to ensure you and your third parties were compliant.
Third-party risk management is like a good insurance policy
So, with this in mind, it is useful to think about third-party risk management as a good insurance policy.
It’s insurance against damaging third-party incidents happening to your company and proof that you’ve got coverage to prevent those incidents escalating.
Because after all, incidents still happen.
But companies that have focused on maturing and improving third-party risk management in their organizations (and implemented technology such as Aravo) have proof of their commitment to doing business the right way. And this evidence of compliance with their commitments goes a long way in mitigating business and reputational damage whenever incidents happen. Examples:
Incidents themselves are less likely to result in business or reputational damage when you have a mature program.
Fines are likely to be much less for companies that can prove that they’re doing everything within their control to adhere to regulatory requirements and industry best-practices.
Disgorgements may be reduced, because there will be mechanisms in place to identify inappropriate relationships and proactively take actions to stop them – before they result in significant ill-gotten gains.
The company itself is protected – so this can reduce the reputational damage. It places personal responsibility on its leaders to enforce the program, but provides a framework that empowers them to take this responsibility on with confidence.
Companies that operate their businesses without proper third-party risk management and compliance practices are held to account by the regulators, and you need only to read the DOJ FCPA enforcement press releases to see the evidence of this. Those organizations that do not have proof of any program can expect regulators to come down harder and apply a greater magnitude of fine. These organizations are held up as public examples of what not to do. This is embarrassing and financially brutal to these businesses and their executives.
So, efficiency improvements are great and, yes, they are measurable. However, the real benefits lie in the avoidance of the damaging impact of third-party incidents and the far-reaching consequences that are associated with companies that don’t have holistic programs in place to effectively identify, manage, and mitigate their risk.