In this blog series, we’ve put into perspective the pressures that modern-day practitioners face. Reputation risk was explored as one of the key kinds of risk focuses these days, especially with Nth parties and the culpability of your supply chains. But not only is it reputational risk from your customers, but there’s also your employees. They really care about what organizations are doing.
All of these stakeholders and their expectations put a lot of pressure on the practitioners to make sure that they’re doing what they need to do and that they’re working in good faith to get their programs to a place where they really need to be.
TPRM Benchmarking Data
If you are feeling pressure, you’re not alone. We recently sponsored a market survey with CeFPro. The findings were really, really interesting.
We polled people on how they felt that their programs were supported by their organization in terms of budget and personnel. Only roughly a third of participants felt that their organization had both the budget and personnel to do what they needed in terms of keeping their programs up and running, adapting to regulatory changes, and ensuring that they were auditable.
So, the vast majority, 66% of respondents, felt that they don’t have what they need to keep their programs running. If only 36% of organizations believe they are well defended from an audit, then the vast majority lack the infrastructure to properly report on how their programs are running, what they’re doing with their third parties, and what they’re doing with their fourth parties.
You’re not alone if you feel like you’re a little behind the ball; it’s tough to keep up with the shifting landscape. It’s tough to keep up with regulations coming out of Europe and North America. The changes are frequent and rapid. So I would say that as long as you’re building your programs and scaling them as best as you can, that’s definitely a step in the right direction.
The Four C’s of Fourth-Party Management
The survey also asked respondents where they felt their programs had gaps. The most frequent response was fourth parties, and I don’t think that’s a surprise. The requirements that force you to manage fourth parties are new, and doing so is also extremely difficult.
I use the four Cs when I talk about fourth parties. You have no choice in who your fourth parties are. You have no direct contact with those fourth parties. You have no contract with those fourth parties, and you have no direct influence over fourth party controls, which makes it extremely challenging.
Continuous monitoring of both your third parties and your critical fourth parties is crucial in order to catch hidden risks. Resources are another big one. Who thinks that they have the budget and headcount in order to do what they need to do? That’ll always be a challenge that people face, but I think this is very indicative of the areas that people are concerned about.
And I do think that TPRM technology and the solutions out there are mature enough to help you get to a place where you’ll feel comfortable managing not only your third parties but your fourth and Nth parties as well.
Building a Strong Fourth-Party Management Program
So, what are the main things we should focus on to ensure a strong foundation for your program? I think it’s table stakes to know your third parties at this point, and the days of using spreadsheets to track complex vendor ecosystems should be long gone. Unfortunately, that is still the case for many large and “mature” organizations. Many of the organizations we polled were still using disparate systems and the Microsoft Suite to manage third parties. That can be challenging, and there’s little automation you can do with those kinds of processes. In terms of cataloging your third parties, there’s a lot more we can do with technology to make sure the data is properly centralized, well maintained, and controlled.
Start Small, Build Fast
Not only do you need to know your third parties, but it is crucial at this point to start building alignment across your organizations on how you define material outsourcing and to catalog the critical products and services that your third parties provide to your organization. This will set you up for success when it comes down to efficiently assessing your ecosystem for risk and reporting for compliance purposes.
This is crucial because we don’t want to boil the ocean. We don’t want a scope that requires you to have direct relationships with all your fourth and Nth parties. That’s very unsustainable, and it’d be a very large mountain to climb. What really matters is tracking critical fourth parties, their critical fifth parties, and so on. We want to segment your third parties into buckets that define a repeatable scope of due diligence, the appropriate risk treatment, and the proper cadence of assessment.
In summary, not only do you need to know your third parties, but you also need to segment them based on materiality. For those third-party engagements you have defined as material, or critical, it is key to identify the fourth parties that support them in a material, or critical, manner. You should be capturing their firmographics: who are they, and where are they? How do they materially contribute to your supply chain? And then, your risk exposure: what types of risks, based on the characteristics of these engagements, are apparent? What types of risks am I exposed to?
Managing Fourth and Nth-Party Concentration Risk
We talked about reputational risk and concentration risk in earlier blog posts. These are all vital when it comes to fourth and Nth parties. The market cares about what impact you have on the world through your suppliers.
Concentration risks come into play with fourth parties really quickly. I wouldn’t be surprised if over half of the people reading this have the same cloud service providers such as Amazon Web Services or Azure. Your third parties might overlap with your fourth parties, and that’s something that you should be tracking, monitoring, and mapping out in a holistic way. What do you do with all this information? Make sure you’re doing objective risk measurement and treatment for any providers that have an outsized presence in your supply chain.
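As an added example that is not part of the original post, the overlap-and-concentration check described above, run over a constructed vendor inventory (engagement names, providers, and the 50% threshold are assumed sample values, not survey data):

```python
from collections import defaultdict

# Constructed sample inventory (not real data): each third-party engagement, whether it
# was segmented as critical, and the fourth parties that materially support it.
ENGAGEMENTS = {
    "payroll-saas":      {"critical": True,  "fourth_parties": ["Amazon Web Services", "Okta"]},
    "claims-processing": {"critical": True,  "fourth_parties": ["Azure", "Twilio"]},
    "crm-platform":      {"critical": True,  "fourth_parties": ["Amazon Web Services", "Twilio"]},
    "office-catering":   {"critical": False, "fourth_parties": ["Amazon Web Services"]},
    "data-warehouse":    {"critical": True,  "fourth_parties": ["Amazon Web Services"]},
}
# Providers the organization also contracts with directly (constructed sample).
DIRECT_THIRD_PARTIES = {"payroll-saas", "claims-processing", "crm-platform",
                        "office-catering", "data-warehouse", "Amazon Web Services"}


def fourth_party_exposure(engagements, critical_only=True):
    """Map each fourth party to the engagements that depend on it.
    Scoping to critical engagements keeps the program from 'boiling the ocean'."""
    exposure = defaultdict(set)
    for name, eng in engagements.items():
        if critical_only and not eng["critical"]:
            continue
        for fp in eng["fourth_parties"]:
            exposure[fp].add(name)
    return dict(exposure)


def concentration_hotspots(engagements, threshold=0.5, critical_only=True):
    """Fourth parties supporting at least `threshold` of the in-scope engagements,
    i.e. providers with an outsized presence in the supply chain."""
    exposure = fourth_party_exposure(engagements, critical_only)
    total = sum(1 for e in engagements.values() if e["critical"] or not critical_only)
    return {fp: round(len(deps) / total, 2) for fp, deps in exposure.items()
            if total and len(deps) / total >= threshold}


def overlapping_parties(engagements, direct_third_parties):
    """Providers that are both a direct third party and someone else's fourth party;
    their exposure should be measured and treated as a single relationship."""
    return set(fourth_party_exposure(engagements, critical_only=False)) & set(direct_third_parties)


if __name__ == "__main__":
    print("hotspots:", concentration_hotspots(ENGAGEMENTS))
    print("overlap:", overlapping_parties(ENGAGEMENTS, DIRECT_THIRD_PARTIES))
```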
Regarding data centralization, industry benchmarking shows it is extremely difficult to do, but it’s crucial for a mature program to implement. If you think you’ve got a program that is well-defined, well-managed, and well-communicated, you need to have centralized data.
It’s great to have those aspirations. You need to build the systems that ensure that even on your worst week or month, you can still rely on those systems to get the job done well, in an auditable fashion, and to keep the program defensible.
Building Strong Systems
And let’s talk about systems; here, integrated data is hypercritical. We need to create clarity and transparency into what we’re doing with our third and fourth parties and how we’re doing that; having those relationships mapped out. Your controls need to be on point. You need to be looking at regulation as it comes out, as it’s published, as it’s drafted even, and start to think about how you want to adjust your control policies and your control assessment frameworks.
Mapping those frameworks to compliance is critical. Of course, I want to highlight capturing the burden of proof in contracts here, since you don’t have that leverage with those fourth parties.
Contracts Management
Contracts are really where you can start to build infrastructure in terms of how to influence your fourth parties. It’s critical to have a right to audit your critical fourth parties in the sense that you want to know who they are, what kind of controls are being assessed against those fourth parties, and then ensure that they have that supplier code of conduct in place and that their fourth parties are following ethical business expectations. That’s where you can create leverage.
In addition to contracts, the people, processes, and technology are how you define your systems. Do you have enough people in place? Do you have the right processes to support a modern, mature program? And do you have the technology that’ll make this all a lot easier than it sounds? And while a technology provider is another third party to monitor, I definitely think it’s worth it in terms of the time, effort, and energy saved. With this large and growing scope of compliance, making it more manageable, more bite-sized, and more objective is crucial.
A Holistic Approach to Managing Hidden Risks
When it comes down to Nth parties, you need to know who’s the most critical. Your critical fourth and Nth parties are key links in your supply chain, and it’s very important to understand who they are, what they are, and how they contribute. Once that’s done, you can build those contracts, build the SLA-based enforcement of those programs, put in the right guardrails for monitoring those fourth parties, and really make sure that you have a proper holistic approach to your whole supply chain.
Robert Shearman
Robert is a Product Manager at Aravo, specializing in enhancing the value of the company’s out-of-the-box application offerings. With a background of seven years in SaaS platforms, Robert leverages his expertise to lead the development of seamlessly integrated and best-practice solutions for Third-Party Risk management. His focus lies particularly within the Information Security and Cyber Security domains.