Time to Get Serious: Best Practices for TPRM Improvements
February 6th, 2024 • Loren Johnson • Reading Time: 5 minutes
It’s time for organizational readiness: time to shift thinking to better manage third-party risks, with a platform that can handle the scale, scope, pace, and diversity of risks today.
The third-party risk management (TPRM) market has reached a turning point, with events and actions in the market that are increasing TPRM’s profile and driving awareness of its importance within businesses.
Businesses that have good TPRM programs in place are seeing advantages in their supply chain agility, resiliency, and sustainability, and practitioners are seeing the value of their expertise rise. Current market trends in critical markets increasingly demand advanced TPRM approaches and software, and it’s time to get serious about making this happen.
What it Means to Get Serious About TPRM
In the last few years, various factors have been pushing this need for more serious TPRM solutions, including a more dynamic risk landscape, where risk events are larger, move faster, cross barriers, and impact businesses more than previously understood.
Why Your TPRM Needs Improvement
In March 2021, a major supply chain disruption occurred when the container ship, Ever Given, got stuck in the Suez Canal, obstructing all traffic through the waterway for six days.
Estimated to have cost $400 million an hour in global commerce, and combined with the supply and shipping demands already strained by the Covid-19 pandemic, the effects of the blockage impacted supply chains worldwide. This event showed just how unpredictable the risk landscape can be and how one incident can have a ripple effect lasting months.
5 Reasons to Get Serious About TPRM
1. Increasing global regulations, frameworks, and standards focused on practices that overlap with TPRM – including anti-bribery and corruption, ethics and compliance accountability, supply chain resiliency and sustainability, ESG, and cyber security. The DOJ’s enforcement on corporate compliance programs underlines the importance of a comprehensive compliance strategy and showing commitment to a proactive, risk-based approach to your organization’s third-party relationships.
2. Expansion of risks under the third-party risk umbrella, including contract, performance, concentration, assurance, financial, cybersecurity, sustainability, and resiliency/business continuity risks.
3. Government agencies stepping up investigations, enforcement, and penalties, as well as clarifying expectations for compliance, accountability, and influence across an organization’s third-party engagements.
4. Pressures from internal and external stakeholders, and the public, especially when it comes to third-party sustainability and ESG activities.
5. Financial pressure to optimize TPRM programs for efficiency, effectiveness, and resiliency.
3 Key Areas to Take TPRM Seriously
With all these factors pressuring organizations to optimize their TPRM programs, it’s difficult to know where to start. Aravo recommends prioritizing these three areas:
1. Awareness and alignment with legal requirements
2. TPRM program maturity
3. People, processes, and technology
Awareness and Alignment with Legal Requirements
An effective TPRM program must be aligned with the regulatory requirements that have jurisdiction over the business and its third parties. Regulations such as the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act apply almost universally around the world, but there are new rules and regulations emerging and evolving worldwide.
A good Governance, Risk, and Compliance (GRC) or TPRM program is not defined just by being tightly aligned to the letter of the law, but instead by how it goes beyond the bare minimum. In many cases, the best programs are ahead of the law, implementing practices that align with their culture and desire to do better because they want to, not because they legally have to.
A company’s character, culture, ethics, and commitment to do what is right are often very publicly displayed, which is a crucial part of taking GRC and TPRM seriously for all stakeholders.
The US Department of Justice emphasizes that GRC programs should be well-designed, well-executed, and adaptable to change. An active, engaged program is attentive to risks, highly communicative, and evolves as necessary to ensure compliance.
When taking TPRM programs seriously, organizations should ensure that each third party aligns with the company’s code of ethics, compliance rules and expectations, is included in training and policies, and confirms alignment with those expectations.
TPRM Program Maturity
Program maturity is just one of many indicators of whether and how an organization may perceive its TPRM program and its importance to the business.
On the surface, a company can check the boxes required for meeting each maturity stage, but it takes more to be committed to a serious approach.
A lower program maturity level does not necessarily signify that a business is not taking TPRM seriously. Instead, this could indicate that a company has been unable to invest in its program maturity to the point where it delivers the desired value and benefits.
Alternatively, some organizations may have mature TPRM programs with the proper tools at their disposal, but they are not yet taking TPRM as seriously as they should.
Using software and systems not built to help your organization effectively and efficiently manage its third-party risks is no longer defensible. One of the first steps during this process is to wrap your arms around who owns what functions within TPRM and related programs, and how they work together.
From there, analyze processes that perform well, perform poorly, need to be updated, or thrown out altogether.
Getting serious about TPRM means understanding the value and impact of using the correct software for the job, and the ability to scale it, design it, and execute without limits. It means understanding how insufficient TPRM systems can leave your organization vulnerable to third-party threats and disruptions and create delays in your response and recovery.
The inability to properly identify, evaluate, and predict third-party risks can lead to significant operational, financial, and reputational damage to an organization. Understanding this and ensuring your company has the correct people, processes, and technology in place is just one step in getting serious about TPRM.
What Does This Mean for Your Organization?
There are many external and internal pressures when improving TPRM programs, which influence a business’s productivity, strategies, and efficiencies. TPRM has expanded to include contract management, performance management, ESG, resiliency strategies, and more.
Doing it right can transform your organization and give it a strategic and competitive advantage.
Increasing pressures from shareholders, communities, and governments are urging better third-party information security protections, improved transparency, and better program reporting. Supply chain pressure is also growing regarding sustainable practices, compliance and human rights violations, and ESG challenges.
What Your TPRM Software Should Cover
The sense of urgency to do better and to ensure third parties (and Nth parties) are reputable is growing. Especially as shareholders and legislators increasingly scrutinize third-party engagement practices, businesses are expected to know more and do more to protect themselves against third-party risks.
Aravo’s TPRM solutions provide capabilities that help organizations take key steps to improve their programs, and begin to get really serious about managing third-party risks. Capabilities include:
Third-party intake and scoping
Qualification and association assessments of each third party
Third-party evaluation and risk scoring
Assessments and monitoring across key risk domains
Initial screening and continuous monitoring of third-party engagements
Due diligence of third-party relationships
TPRM functions that are well-designed, well-executed, and adaptable to change
For businesses to implement a strong, effective TPRM program, it has to be taken seriously. The Aravo solution, including our software, applications, services, and risk experts, allows organizations to take the steps they need to grow their maturity, evolve their processes, and gain competitive advantage.
Loren Johnson leads Aravo’s product marketing function, covering how Aravo builds, markets, and sells its market-leading third-party risk management solution. Driven by a passion for innovation and solving business challenges, Loren brings an international business perspective and desire to deliver measurable customer success. Loren is a long-term TPRM advocate with an MBA in International Management from Thunderbird, and more than 30 years working in the technology sector. With eight years in the GRC market, Loren brings enthusiasm and an informed perspective to his work with Aravo.
Senior Director, Product Marketing