The broad array of risk-related challenges that businesses face today makes it clear that an uncoordinated or case-by-case approach to third-party risk management is no longer adequate. At a practical level, a successful third-party risk management program is typically implemented in three steps, as follows:
1. Establish ownership and buy-in.
Planning for change is critical to successful third-party risk management in organisations where the ownership of such risk is dispersed among multiple stakeholders and owners. This planning requires cross-functional coordination, executive leadership and oversight, and clear goals and objectives. The mission of most organisations often includes a focus on strengthening the overall relationship with the third party.
Success factors:
· Clearly establish risk ownership
· Obtain cross-functional input from various stakeholders
· Develop a third-party risk management road map
2. Evaluate risks
Understanding the risk profile of the entire organisation helps focus efforts on the areas of highest risk, which allows the assignment of adequate resources to address specific clauses in an agreement or specific types of relationships or categories of risk. Developing a comprehensive risk landscape is often a helpful first step in evaluating the various risks in a relationship. This step helps avoid taking a one-size-fits-all approach and instead drives focus on the areas of risk and reward to the organisation.
Success factors:
· Identify the high risks inherent in the third-party relationships
· Quantify identified risks
· Establish a plan for moving forward
3. Audit, monitor, and assess
The risk landscape spurs initiatives to audit, inspect, benchmark performance and costs, verify, and gain assurance or attestation. A successful third-party risk management program has an appropriate level of:
· risk measurement and monitoring
· performance measurement and monitoring
· incident tracking
· evaluation of the value received from the relationship
These activities are important for determining when or whether to renegotiate the terms of an agreement. The companies that are most successful in this auditing and monitoring function are those that work to enhance the data they have about their relationships so that they can predict areas of risk more accurately and automate relationship monitoring more effectively.
Success factors:
· Customise the assessment to the relationship
· Use automation to streamline the process
· Analyse trends of incidents across relationships
The figure below details the process that should be followed for the effective management of supplier risk and compliance, using the same approach described above:
Engaging executive management
As already stated, third-party risk planning requires cross-functional coordination, executive leadership and oversight.
The following are some questions related to third-party risks that CPOs, executive management and board members should consider:
· Does our company have a full inventory of its relationships and agreements?
· Have we performed an assessment of the risks to the business or the brand for each of the relationships we have?
· Who owns the assessment of risks?
· What are the key relationship risks and processes in place to manage them? Who is responsible for risk management and monitoring?
· How do we know that our relationships are complying with the agreements in place?
· What are the company policies related to auditing agreements for compliance?
· How do we know our relationships are complying with laws and regulations?
· Which of our key relationship agreements or statements of work have not been reviewed by legal counsel in the past three to five years?
· What procedures do we follow to reassess the risks associated with a relationship prior to the renewal of a contract?
· What types of risks are considered in the selection or renewal process?
· Are any significant risks not considered?
· Do our standard agreements address the key risks of most relationships?
· How do we know the reports we rely on from our third-party vendors are accurate?
· Have we tested our business continuity plans with our principal third-party relationships?
· How dependent are our third parties on subcontractors and subservices?
· What risks are associated with these organisations?
Of course, not all supply chain failures can be avoided, but efforts need to be made to identify supply chain risks and recognise early indicators of failure so that their impact to the business can be mitigated.
The most effective and proven practices for managing supply chain risk are to pre-qualify suppliers properly, measure supplier performance, and engage in effective evaluation and audit with suppliers to proactively address any supply chain risks.
Contributed by: Andrew Hillman, Chief Executive Officer of Bespoke Group and Publishing Editor of Bespoke Procurement Bulletin