The Third-Party Risk Management (TPRM) space is dynamic and changing rapidly. What your parents’ TPRM implementation market looked like is very different from what yours looks like today and will in the future.
Managing risks is an inherent instinct. If you were wandering a savanna 10,000 years ago and saw tiger tracks, you would quickly make decisions on how to mitigate that risk. What do you do if you run into that tiger? Do you run or fight? Is there a way you can avoid the risk? If you were unable to manage the risk, you’d become dinner and no longer contribute to the gene pool.
Business has always had some degree of risk management with the first patents designed to protect an invention from theft being created 600 years ago. Beginning around 80 years ago we started building and applying repeatable risk management practices with comparative assessments, categorization, and controls. A methodology was created to score, surface, and prioritize risks- to allow for the juggling of multiple risks at the same time, to apply controls and mitigation, and to avoid, accept, or adapt to risk. The entire discipline of risk management, as well as risk ownership and operational resiliency strategies, was born and refined over time.
In the last 20 years, we saw many incidents where organizations were being held accountable for behaviors and activities of their third parties. Historical events, like the 2012 Bangladesh garment factory fire, and the 2013 Target customer account breach, revealed to many businesses and risk leadership that understanding who you were doing business with (and implementing third-party risk management) is essential to modern businesses.
In fact, most Foreign Corrupt Practices Act (FCPA) investigations and enforcement actions have been associated with compliance and risks at third parties. Stanford University has been tracking FCPA enforcement since its inception in the 70’s. It has shown that third-party intermediaries are the subject of FCPA enforcement activities in more than 90% of FCPA actions.
In the US, the Department of Justice (DOJ) began publishing its Evaluation of Corporate Compliance Programs in 2019. This asset is a great tool for businesses to design and execute strong, adaptable, and complete GRC programs, including TPRM. It goes into detail about how US prosecutors should evaluate programs, and therefore is a good guide for how responsible businesses should build their programs for effectiveness, value, and defensibility.
At the same time, there are similar anti-bribery and business ethics regulations – the UK Bribery Act, GDPR, LkSG (German Supply Chain Due Diligence Act), etc. – in other parts of the world that often apply to any organization doing business within their jurisdictions. The Thomson Reuters Regulatory Intelligence service reported that an average of 200 global regulations and/or updates took place daily in 2015 and beyond. These regulatory changes have driven more businesses to invest in and commit to better, more effective GRC and TPRM programs.
At the same time, we see the public stepping up pressure on businesses to report their risks and efforts to mitigate them with more transparency, and on governments to demand increasing scrutiny and enforcement actions. These expectations for businesses to align to regulations is paired with improvements in risk and TPRM program criteria, including defining risk-based, balanced, and action-oriented approaches that rely on systems, data, software, and programs for optimizing performance.
In the last few years, there has been a shift in which risk management leadership is performing more oversight over all types of risks across an enterprise, which could include third-party risk, fourth-party risks, and Nth-party risks. It is no longer just an issue for procurement to manage vendors. The expansion of what TPRM can cover and what you’re expected to deliver on in terms of strategic value to a company is escalating. Program transparency and reporting are now often in the minds of organizational leadership and is making its way up to the Board. This is an evolution of third-party risk, moving more into the full realm of risk management orientations and into executive offices.
Where we used to be able to juggle risks and define each by defined swim lanes, what we’re seeing now is that those arbitrary swim lanes are misaligned to where and how risks actually behave. This requires a new approach to manage a diversity of risks at increasing scale, velocity, and severity. The swim lanes that used to allow for pointed management are gone. So, how we perceive, assess, and manage risks has to quickly evolve as well.
In the recent past, there are new expectations and new capabilities quickly being added to the purview of TPRM, while blurring what it means to do TPRM work. ESG, resiliency strategies, new demands for SLAs and performance assurances, and digging deeper into Nth parties is changing the dynamics of this industry. Your companies want to better assess concentration risks, technology risks (including AI applications in the supply chain), information technology and cyber risks, and performance risks across their third parties.
This is not your parents’ TPRM; this is part of the evolution. It’s more dynamic, it’s more demanding. It requires new skills, new awareness, agility and resiliency. It’s expanding all the time. It’s covering more ground; there’s more urgency for your business, there’s more responsibility to get it right. You must define how the business will position third-party risk and how they will build it to their advantage and integrate it into their strategies.
Today’s TPRM leader is aware of and anticipating financial, economic, social, environmental, governance, and other possible risks. They’re aware of how geopolitical challenges in Eastern Europe may affect suppliers in India. It’s knowing who the Nth supplier is in the supply chain and whether they’re using acceptable labor practices. It’s running a good program that adapts and shifts, with built-in resiliency strategies.
In this new way of managing risks, there are more demands for transparency and revelations on how systems are run and who your third parties are. There are more emerging technologies and more threats related to them. You need to be able to demonstrate auditable records and not just a checklist. You need a purpose-built solution for the objectives and desired outcomes of your business. You need to gain alignment across all the key stakeholders in your business, to share and escalate data and understand its implications for the business, its strategies, and its reputation.
The evolving TPRM is defined by new challenges, new technologies, new approaches, and creative thinking. It’s action-oriented, it’s relationship oriented, it’s focused on trust and engagement, it’s measurable, predictable, and always dynamic. And it’s a really exciting market to be part of.
Share with Your Friends:
