An Integrated Third-Party Governance and Risk Management approach – A New Shift leveraging Artificial Intelligence.

Please read the first part of this article.

An Integrated Third-Party Governance and Risk Management approach – a new shift

Given the dynamic nature of the business ecosystem, a robust third-party risk management solution should provide near real-time visibility into your third-party ecosystem and enable collaboration and relationship building. It’s time to apply an Integrated Third-Party Governance, Relationship and Risk Management approach to efficiently and effectively manage third-parties.

Risk management is not just about completing assessment questionnaires and doing site visits. It is also about how well you understand your organization's business needs, the critical services being outsourced, the impact on your customers if those outsourced services are disrupted, and how well you manage relationships with your third-parties. An organization cannot fully succeed in managing and mitigating its third-party risk without a robust governance and relationship framework.

In today’s digital age, no organization can thrive on its own. To drive value from your vendor partners and help meet business objectives, your organization will need to build lasting relationships with them. With organizations strengthening their perimeter, hackers have found it easier to breach third-parties. While there is no fool-proof method to eliminate all risks, technology can help make the third-party risk management process more effective and efficient.
A report from Deloitte titled ‘Third party governance and risk management. The threats are real’ confirms that ‘Existing technology platforms for managing third-parties are considered inadequate’. Increased monitoring and assurance activity over third-parties is believed to significantly reduce third-party risk, says the report.
This increased monitoring and assurance activity is only possible through a technology platform that should at minimum focus on the following key components:
1. Third-Party Governance & Relationship Management – As dependence on third-parties becomes increasingly critical, organizations are being compelled to play ‘catch up’ in enhancing their governance processes. Periodic reviews are an important aspect of a prudent governance process and are to be seen as a two-way relationship building process.
Use cases include setting up a regular cadence of business review meetings, centrally tracking issues, and triggering timely alerts for reviews, missing key documents, contract non-compliance and SLA misses.

2. Risk Management – Leveraging Intelligent Automation

Ability to auto-trigger risk assessments based on certain triggers (internal or external events concerning the third-party) and centrally manage all assessments, along with the ability to smartly sense issues based on the third-party response.

Preliminary Assessment

Ability to determine the Criticality and Inherent Risk from a preliminary assessment based on customizable risk dimensions, and the ability to auto-trigger re-assessment due to internal or external changes. Some key risk dimensions that must be covered:
  • Privacy Risk (Access to NPPI / PII data)
  • Reputation Risk
  • Strategic Risk
  • Regulatory / Compliance Risk
  • Operational Risk
  • Financial / Credit Risk
  • Country Risk – Geopolitical, Disaster, economy
  • Transaction Risk
  • Info Security / Cyber security / Infrastructure
  • Physical Access
  • And now … Epidemic Risk

Detailed Assessment based on Criticality and Risk - Information Gathering

  • The ability to initiate risk-adjusted assessments and track and evaluate responses automatically (and intelligently leveraging AI)
  • Periodically auto-initiate assessments based on any new events
  • Centrally manage it all. It should also allow third-parties to share results with multiple customers.

Controls Assessment

  • The ability to provide risk assessors a digitized way of assessing the effectiveness of controls
  • Track remediation items
3. Integrated AI-Driven Alerts & Continuous Monitoring – Ability to continuously monitor to receive smart alerts and trigger actions
Organizations can integrate the following to monitor third-parties on a near real-time basis.
  • Cyber Security ratings,
  • Financial / Credit checks,
  • Sanctions, PEP screening
  • Adverse Media and internet scanning for good & bad press
  • Country risk
4. Performance Measurement & Innovation – Ability to define, track and measure Service Levels, KPIs and KRIs including measuring the strategic value that your third-party is bringing to the table.
5. Predictive Analytics – Ability to sense leading and lagging indicators and take proactive actions.
More and more organizations are now taking a closer look at current technology platforms. Automation has been there for a while, but AI-Driven digital and cognitive enablement is evolving and is likely to further redefine the engagement experience involving third-parties. The challenge, though, has been integration with in-house upstream and downstream systems.

Conclusion

Third-Party risk is starting to feature consistently on board agendas with CEO/board-level responsibility in the more progressive organizations or those operating in highly regulated environments. This also means more and more organizations have begun investing in the right technology solutions to enable continuous risk monitoring. The industry as a whole, however, is still playing catch-up in enhancing the maturity of its third-party governance and risk management processes.
In the end, Third-Party Governance and Risk Management is all about the art and science of engaging your organization's third-parties. While emerging technologies such as AI and Machine Learning can surely assist in the ‘science’ of engagement, the ‘art’ of engagement will largely depend on human intuition.

References:

Publicly available information from the two sources below is referred to in this article, and the link to each source is included.
1. Stay Ahead of Growing Third-Party Risks – Why legal and compliance leaders must shift to an iterative approach. Gartner
2. Third party governance and risk management. The threats are real. Deloitte

About the Author

Jai Chinnakonda is the co-founder of ENGAIZ – a technology startup that firmly believes that effective Human-Led Engagement powered by AI-Driven digital and cognitive technologies can help build lasting and mutually beneficial relationships.
ENGAIZ has developed an AI-Driven SaaS platform to help Enterprises mitigate Third-Party Risks such as Cybersecurity, Data Privacy, Regulatory plus several other risks through an effective Governance and Engagement framework. We help organizations gain increased value from their third-party vendors by way of effective governance, mitigating third-party risks, controlling costs, driving service excellence and innovation.

Jai is a Certified Third-Party Risk Management Professional and advises organizations on third-party governance and risk management. He has over two decades of experience in the technology and business process outsourcing industry. Jai is a member of the Harvard Business Review Advisory Council, an opt-in research community of business professionals. He was also a contributing member to the first draft of The Standard for Program Management released by the Project Management Institute (PMI).
