In our newest Risk Hotseat LinkedIn Live, we put our Global Vice President of Sales, Carey Davidson, under the spotlight.
Carey Davidson is Aravo’s Global VP, responsible for growth and delivery of our third-party management strategy. In the hotseat, Carey explores the evolving market of third-party risk management (TPRM).
The main one that comes to mind is supplier sustainability and responsibility. It really started out as a procurement and financial discipline, which then evolved into more of a security, ethics and privacy area of focus. But now, with 21st century risks, you really associate sustainability with environmental, social, and governance (ESG).
Those are separate pillars that organizations need to manage their third-party ecosystem against. And when we think about environmental in terms of their Scope 2 and Scope 3 emissions, different organizations have to understand and manage that through due diligence.
As they move over to social in terms of social or human code of conduct, risks like modern slavery and child labor should be considered within programs. The G, or governance, pillar is very similar to what a lot of organizations are already doing across their security, privacy, ethics, and procurement functions.
So, ESG is definitely an area to focus on. And then, related to the governance component, forward thinking organizations are keeping an eye out for upcoming legislation like DORA. And, of course, there are European acts like the LkSG, which includes a lot of ESG requirements across supplier sustainability and responsibility.
That’s a two-part answer. The conversation around breaking down these silos is happening. Laws have expanded enough (to my last point) where many of these regulations are all inclusive. Especially when you look across into EMEA and implications across LkSG; there’s a lot of overlapping requirements across multiple disciplines across financial, procurement, onboarding, adverse media, etc.
In terms of privacy and GDPR, there’s also overlap with cybersecurity which has already been an area of focus, even now as more breaches occur around third-party activities. And then ethics and ESG, again, they’re all overlapping. And so, a lot of those conversations exist because of the regulations. It’s forcing a lot of those silos to come down.
In the US in particular, where I really see it needing to head is that if you look across different organizations, most of their priorities are to secure their third-party ecosystem. And then, they’re also looking to understand where they can reduce overlapping work. What’s important to the business should be the thing tying everything together. What’s important to each business is brand and reputation, as well as risk priorities like privacy, security, and ethics.
And so really what needs to happen is all those different silos need to understand how that plays up to the global organization view and their priorities. Everyone should be working towards those global plans and executing them on behalf of the company, not just based on the individual silos of ethics, or security, or privacy, or procurement.
All those siloed departments need to be focused on how their functions best serve the company brand and reputation and risk appetite.
I think this is very important. Today, organizations are onboarding or have onboarded hundreds of thousands of vendors depending on the organization. But, we can’t treat all of those vendors equally. We have to align it to what’s our risk appetite, what’s the company brand and overall perception of how we want to engage with our third-party ecosystem.
When we’re assessing or onboarding vendors we should be leveraging risk intelligence to understand how much assessment we need to do on this vendor based on their criticality to our business. And that data and criticality goes across spend and then it goes across privacy and security, etc.
And so, being able to monitor and assess those vendors properly, given the sheer volume of vendors, you need some sort of help to understand where to focus time and effort. Even when you’re onboarding, reassessing, or even if a major breach happens, you do these assessments to understand where they fall in terms of criticality. Leveraging data helps you understand how to react.
Using risk intelligence to help guide us in our decisions absolutely helps streamline that process, helps with accelerating onboarding processes, and helps when an incident occurs. It accelerates all of that. Everybody’s goal is to accelerate these processes and ultimately bring more vendors on, make more money for the company, and be successful and profitable.
I would say the number one, related to my last point, is ongoing and continuous monitoring. How do we use intelligence? How do we use monitoring capabilities to help guide us in our decision-making processes across all of these different disciplines?
There’s a lot of risk intelligence out there across different risk disciplines like sourcing and procurement, ethics, privacy, ESG, cybersecurity, and more. But resources, time, and budgets are tight. We have to be able to leverage a lot of the risk intelligence that’s out there to be able to make those risk management decisions quicker and keep our business protected and afloat.
And so, ongoing monitoring is probably the number one. And then focusing on performance management: how are we performing against expectations of this ecosystem?