Risk Hotseat with Loren Johnson: Putting TPRM in the Spotlight

December 15th, 2023, Loren Johnson

Aravo’s Loren Johnson sits down for the first edition of Risk Hotseat, a new LinkedIn Live series, for a short interview answering questions on third-party risk management (TPRM). Loren leads Aravo’s marketing team as the Senior Director of Product Marketing.

What are two of the top third-party risks facing pharma companies today?

Pharma companies have a very interesting duality when it comes to third-party risks. One side is their providers, the people who provide the raw materials from around the world, that have to get on time and delivered with a certain level of quality. With these providers there are assurances of delivery that are really important to pharma, and they have to maintain those channels, those networks, no matter what the challenges are. So, there is always a risk of third-party failure of not being able to deliver on time.

There is also a risk of concentration or logistics risks. These risks come in terms of situations such as making ships go through the Panama Canal or ensuring that the supplier can get their shipment through a channel somewhere that is not readily available.

If you think about the other side, you have to consider the providers who do testing and complete clinical trials. These are the third parties that are sometimes completely linked in with the pharma company, but are separate companies. They legally have to be separate, but they also are very important because they have to reliably check on the effectiveness of drugs that are coming to market.

This is, again, a duality of third parties within pharma, where they’re right in the middle. They tend to not have a very transparent supply chain, but there’s a lot of pressure out there for them to be more visible. They have to be able to show what’s happening in their supply chains and secure them better where there’s a lot more risk to them now than there used to be.

Who does the LkSG (German Supply Chain Act) apply to and how do you see it shaping other supply chain regulations?

It applies to companies, along the entire supply chain, that work with a company that does business in Germany. This means that the German Supply Chain Due Diligence Act applies to you; therefore, it has very broad reach. Similar to some US laws like the FCPA, it has almost global reach. If you do business in Germany or have a branch office in Germany, then this law applies to you if you have more than 3,000 (soon to be 1,000) people in the industry itself. It requires due diligence in the supply chain, assessment of risks, implementation of policies, procedures, and to mitigate those risks.

This act is attempting to put some transparency and legal frameworks around supply chains that need to have a more upfront understanding of where risks are and who you’re doing business with. It’s also trying to stop environmental issues and issues with social governance, such as child labor and slavery. It includes a lot of rules that apply across the world.

This is a trend that is happening most often in Europe and it moves across the world. We’re seeing similar laws in countries like Canada and Norway as well. So, this is a big change for the market, and it’s a good positive change for both third-party risk management and ESG.

What are two metrics for measuring vendor performance?

This is a complicated question. Probably more than it should be, as it should be simple. If you have a definition of what your deliverables should be, what your quality should be, your timeliness, and agreed-upon SLAs and KPIs, then that’s a pretty good measure. You can see if people are actually delivering as they agree to in your contracts.

If there’s some performance measure you can take advantage of to understand where your relationship is with that third party, then you can better manage it. You can better collaborate with them and make better, well-run engagements with that relationship. That main metric about vendor performance is very important.

The other one would be the risk score. Risk scores are fluid. You have your own risk profile as an organization. Your third parties have a risk profile as well. You mix those together and you understand what the risk is for doing business with that third party, which changes all the time. If there is potentially a drought in the Panama Canal, that changes your risk equation for that third party that’s using the Panama Canal to deliver to your business. So, you have to keep an eye on that risk score. You have to continually update it and monitor your third parties, and make adjustments in your own strategies as needed to better provide services.

Our latest survey showed 90% of businesses did, and that’s not all that surprising. This is something we see all the time in surveys from us and other people in the marketplace. Third-party risk is a very real thing and it can shut down supply chains. It can be very disruptive to a business if things go wrong, and that doesn’t mean necessarily productivity. It can mean a risk, it can mean adverse media, it can mean a sanctions violation. It can be a number of things, and it can really affect how your business runs.

90% is a lot, but you still see people who are denying that this is a major topic for the market. It’s simple math. If you’re doing business in the world and you have suppliers anywhere, there’s a risk there for things to break down. It’s time to be more serious about this and to take it on to better understand your risks across your third parties and to take advantage of programs like Aravo to get the insights and visibility you need to run good programs.

Learn more about how Aravo can help your organization’s TPRM program and stay tuned for the next edition of Risk Hotseat!


Loren Johnson

Senior Director, Product Marketing

Loren Johnson leads Aravo’s product marketing function, covering how Aravo builds, markets, and sells its market-leading third-party risk management solution. Driven by a passion for innovation and solving business challenges, Loren brings an international business perspective and desire to deliver measurable customer success. Loren is a long-term TPRM advocate with an MBA in International Management from Thunderbird, and more than 30 years working in the technology sector. With eight years in the GRC market, Loren brings enthusiasm and an informed perspective to his work with Aravo.
