With the strategic importance of engaging third parties in today’s business landscape, coupled with the level of risk that they can bring to the enterprise, it should not be surprising that third-party risk management is attracting greater focus from the C-suite and the Board of Directors.
According to the Institute of Collaborative Working, up to 80% of direct and indirect operating costs of a business can come from third parties, while up to 100% of revenue can come from alliance partners, franchisees and sales agents.
With third parties now becoming part of the DNA of the extended enterprise, regulators globally have made it quite clear that while organizations can outsource a task, they cannot outsource the responsibility. Increased regulatory scrutiny, however, is just a symptom of the underlying issue – the way organizations do business is evolving dramatically and rapidly. And with this, the way they manage risk and govern the extended enterprise needs to evolve quickly too.
This evolution is challenging – third-party risk management is a relatively new discipline and companies are at radically different stages of maturity depending on their industry, size and culture. From a discipline that has evolved largely from siloed and ad-hoc processes, there’s a growing recognition that a more joined-up, standardized and enterprise-wide view of risk is required.
Aravo’s eBook “Meeting the Expectations of the Board: Accelerating vendor and third party program maturity to enhance governance and oversight” is a useful tool for boards and for third-party risk professionals seeking to educate their boards about why TPRM is so critical for the organization, and why investment in it is important.
The eBook provides a very useful benchmarking maturity model, and covers:
- Why are boards prioritizing third-party risk management?
- Why is third-party risk such a unique challenge for boards and their organizations?
- What does a good governance framework look like?
- What are third-party governance best practices?
  - Comprehensive governance structure
  - Clearly defined roles and responsibilities
  - Regular third-party review meetings
  - Cohesion across three lines of defense
  - Third-party risk appetite and thresholds well defined and understood
  - Segmentation reviewed annually
  - Issue escalation rarely needed
  - Issues resolved quickly/effectively
  - Integrated enterprise TPRM IT solutions in place
  - Third-party relationship review maximized
  - Industry best practices embraced
  - Utilities and standardization
  - Enterprise view of risk, performance and compliance
- What can the board do to help embed third-party risk governance?