When it comes to purchasing a new third-party risk management (TPRM) software solution for your organization, it’s not (and should not be) a quick and easy decision. Due to increased accountability on third parties’ activities, increased regulatory focus, emerging risks, and a necessity for centralization, a lot is dependent on this decision.
Prior to purchasing any software, and even before you begin to meet vendors you need to understand your organization’s needs, your current maturity level, and where you want to take your TPRM program in the future. When it comes to meeting with vendors you can’t go in blind and you need to be prepared to evaluate their offerings and be able to analyze if it fits your needs or not.
This year we are launching new content to help organizations navigate the TPRM software selection voyage and determine how to choose the best program. We will explore topics such as how to use research like analyst reports and buyer’s guides, common pitfalls when evaluating software vendors, how to make the important buying decision, and how to manage integrating your new software into your program.
Keep in mind that the solution voyage is fluid, and some steps can overlap. In this post, however, we have presented our own voyage map which we believe will help guide companies through this process.
Phase 1: Laying Your Groundwork
This is your first step in the TPRM solution voyage and involves exploring your current program, its pain points, and what you need to improve upon it. During this phase you will need to lay your groundwork for your program’s needs by determining the maturity level of your program, and how a TPRM GRC software program will help, without biting off too much than you can chew.
Charting Your TPRM Maturity:
Before beginning to look into TPRM GRC software, it’s necessary to understand how mature your current TPRM program is. Determining where the gaps are in your current TPRM framework, and how it should evolve over time is a critical early step in the selection voyage. There may be gaps that can be closed through the purchase of the right technology, while other gaps may require a different solution, or a combination of process, organizational, and technological changes.
Tools to Help Gauge Your Program:
A maturity calculator, such as one that Aravo hosts, is a great way to determine where your TPRM program currently stands. Whether your program is ad-hoc, fragmented, defined, integrated, or agile each stage has its own unique results and needs for improvement. With this information (and the custom report that’s included) you can then find out what first steps to take, where to prioritize resources and time, and how to move forward towards vendor risk management (VRM) resiliency.
Phase 2: Planning Your Journey
Research is your guiding light when it comes to planning your journey. During this step, you should take time to explore relevant analyst reports and the software vendors they’re rating. This gives trusted insights into vendors that are staying up-to-date in TPRM needs and offers solutions that could be beneficial to your organization. This is also the phase where you will begin to reach out to vendors and sit in on software demonstrations. It is important to know the right questions to ask during these meetings, how to determine which vendors can go on to the next step with you, and which ones can be eliminated from the consideration process.
Navigating Analyst Reports:
When planning your third-party solution voyage, taking a holistic view is important. There are lots of cracks that risks can hide in, and the complex nature of supply chains adds to the wide range of risks a company needs to be able to manage effectively. Expert analyst reports are designed to provide unbiased perspectives into your vendor options, and there are a number of recommended analyst reports to help you in choosing TPRM software. These reports provide insights into the market trends analysts are observing, how to sort through vendors in a crowded market, and key capabilities to consider.
When reading through analyst reports, it’s important to consider points such as:
Who published the analyst report? Is it a trusted, well-accepted source?
When was the analyst report published? Is it recent, or is it already out of date?
What is the scope of the analyst report? Is the software they’re examining the same type of software I need for my organization?
Would the vendor fit the maturity level of my program?
What criteria is the analyst using to assess the software? Are they applying the same consideration that is relevant to my organization’s requirements?
Approaching Vendors and Software Demos:
Once you’ve done research on which vendors to interview, it is important to approach vendor meetings and software demos with care. It’s critical to understand what capabilities you should be looking for and what questions you should be asking when you are assessing providers. This process can be further complicated if why the organization needs to purchase a TPRM solution is lost amongst the lists of tactical questions from various internal stakeholders. At the end of the day, you need to know- is the solution scalable, agile, and adaptable?
Questions to ask vendors during meetings and software demos should be centered around their capabilities such as:
Usability and ease
Third-party engagement and portal options
Approval processes and alert capabilities
Transparency and oversight capabilities
Technical capabilities and details
How AI can support your decision-making
We will be exploring each of these points in more detail in a later blog post, so stay tuned.
Phase 3: Setting Sail
Setting sail on your decision is when you narrow down your software vendor options and determine which is the right fit for your organization. During this stage, you should look into what similar companies have chosen, as well as make sure all internal stakeholders are on the same page when it comes to choosing the best fit.
What Other Companies Have Found Success In:
Success stories and case studies are a great way to evaluate how a specific software provider has helped another company in your industry and (even better) maturity level. These specific insights can give you a hint on how the program could work for you and what the integration process will look like once the relationship begins.
Another important point of reference in any evaluation is how a provider’s current clients would rate them, what they particularly like about the solution, and how they can improve. Gartner Peer Insights is a trusted resource for evaluating software solutions, as they provide comprehensive reviews by practitioners utilizing these types of software. When looking at a review, pay attention to the star rating, and the percentage of reviewers that would recommend this vendor but also read the detailed comments about implementation and product support.
Getting Backing from Your Board:
According to Aravo research, more than 40% of organizations do not think their boards have a good handle on the third-party risks their companies are exposed to. This lack of understanding can create issues when evaluating TPRM programs, and lead to internal disconnect on where to prioritize time and resources.
Third-party risks may not always be obvious to board members, but boards still inherit these risks. Therefore, it is important as a TPR professional to be vocal and provide your own insights and opinions during the buying process. While keeping organizational priorities and strategies in mind, make sure boards understand the needs of the program, pain points you’re currently experiencing, and how the right software will drive efficiency and positive financial impacts.
Journeying with RFPs:
In addition to maturity calculators mentioned in an earlier phase, RFPs are another resource that helps companies make determinations on what solution is best for them. A ready-made RFP template provides a library of best-practice questions to draw from across a broad range of categories that help during the decision-making process, including:
Reporting and analytics
Workflow and communications
Architecture and technology
Services and support
Phase 4: Destination Implementation
The TPRM selection voyage doesn’t stop once you choose and sign the contract with your selected vendor. The next stage is navigating implementation and it is crucial to ensure that the software program provided is integrated into your program effectively and that processes are put in place to help improve your program.
Navigating Integrations Effectively:
It is important to have a flexible integration framework which means that the system can integrate with any number of business systems including ERP, P2P, AP, GRC, ERM, and in-house built systems.
It is also important to manage pre-built integrations and ensure they are designed to fit your existing configuration and needs without causing disruptions. Solutions such as Aravo integrate with a range of third-party risk intelligence providers that can help you manage your third-party risks. The data from these providers can validate existing data, contribute to scoring, and also trigger an action if certain risk conditions are flagged.
The key to managing integrations effectively is to ensure that the vendor integrations meet the needs of your program prior to purchasing. The integrations should make you work smarter and faster, not harder. Make sure that the system integrates with the programs you need, while also taking efficiency to the next level by eliminating unnecessary manual processes.
Sailing Your Program into the Future:
The relationship with your TPRM vendor doesn’t end once you purchase and implement the product. Just as you continuously monitor your own vendors, you should also monitor the performance of your TPRM program and make adjustments and improvements where needed. As new risk domains emerge you may need to expand your capabilities and add additional applications to the platform. Likewise, as the maturity of your program evolves, there may also be adjustments or add-ons needed to make sure you continue to manage your vendors effectively. Keep the lines of communication with your TPRM vendor open, and also look for ways to make improvements within your own function.
Get in touch for a better approach to third-party risk management
The Definition of Better Business
Better business is built on acting with integrity. It commands better performance, delivering better efficiency, collaboration, and financial outcomes. It inspires trust. But better business is more than that – it’s about lifting the ethical standard of an entire business ecosystem to build a better world.