Why do organizations need to adopt an Integrated Third-Party Governance and Risk Management approach?
Integrated Third-Party Governance and Risk Management
Organizations increasingly depend on third-party service providers of varying sizes, including start-ups, to meet the digital-age challenges of technological innovation and heightened competition. In a quest to succeed, organizations involved in digital transformation initiatives are partnering with more innovative start-ups, thereby increasing their third-party risk.
There is a progressive shift from a traditional ‘cost’ focus to ‘shared risk’ and ‘value’ driven partnerships, which also reflects a growing organizational recognition that third parties can in fact create strategic win-win opportunities.
These new-age partnerships require a different approach to managing third-party risk. Organizations that are able to continuously monitor their third-party engagements and take on calculated risks are the ones that will be able to stay ahead.
This article reflects on how technology can help support a new Integrated third-party governance and risk management approach.
Traditional Third-Party Risk Management Approach — the challenges
Traditionally, organizations have relied on exhaustive upfront due diligence for risk mitigation. This approach attempts to identify potential third-party risks before contracting, resulting in longer on-boarding times. Typically, it involves sending due-diligence questionnaires and collating the responses from third parties. This provides only a point-in-time assessment, an approach that is highly ineffective and prone to failure.
A survey conducted by Gartner suggests that this approach is largely ineffective because it fails to capture any risk that arises during the course of the relationship. Among organizations that engage third parties to provide business services, 83% identified third-party risks after conducting due diligence and before re-certification, according to Gartner.
So, where does the problem lie?
The race to attain digital supremacy within their industry segment has forced many organizations to look at new-age start-ups and innovators whose business environments change almost daily. This requires engaging closely with third parties and adopting an ongoing mechanism for risk identification, control and monitoring. At many organizations, ongoing iterative risk assessment means more investment and more resources. It also strains relationships with third parties, who must spend an equal amount of time responding to due-diligence questionnaires.
How can organizations make this process efficient, effective and most importantly palatable to their third-parties?
An Integrated Third-Party Governance and Risk Management approach — a new shift
Given the dynamic nature of the business ecosystem, a robust third-party risk management solution should provide near real-time visibility into your third-party ecosystem and enable collaboration and relationship building. It is time to apply an Integrated Third-Party Governance, Relationship and Risk Management approach to manage third parties efficiently and effectively.
Risk management is not just about completing assessment questionnaires and conducting site visits. It is also about how well you understand your organization’s business needs, the critical services being outsourced, the impact on your customers if those outsourced services are disrupted, and how well you manage relationships with your third parties. An organization cannot fully succeed in managing and mitigating its third-party risk without a robust governance and relationship framework.
In today’s digital age, no organization can thrive on its own. To drive value from your vendor partners and help meet business objectives, your organization needs to build lasting relationships with them. As organizations strengthen their own perimeters, attackers have found it easier to breach their third parties instead. While there is no fool-proof method to eliminate all risks, technology can make the third-party risk management process more effective and efficient.
A report from Deloitte titled ‘Third party governance and risk management. The threats are real’ confirms that ‘Existing technology platforms for managing third-parties are considered inadequate’. Increased monitoring and assurance activity over third-parties is believed to significantly reduce third-party risk, says the report.
This increased monitoring and assurance activity is only possible through a technology platform that, at a minimum, focuses on the following key components:
1. Governance & Periodic Reviews
As dependence on third parties becomes increasingly critical, organizations are being compelled to play ‘catch up’ in enhancing their governance processes. Periodic reviews are an important aspect of a prudent governance process and should be seen as a two-way relationship-building exercise.
Setting up a regular cadence of business review meetings, centrally tracking issues, and triggering timely alerts for overdue reviews, missing key documents, contract non-compliance and SLA misses are all use cases.
2. Risk Assessment
The ability to auto-trigger risk assessments based on defined triggers (internal or external events concerning the third party), to centrally manage all assessments, and to intelligently flag issues based on the third party’s responses.
The ability to determine criticality and inherent risk from a preliminary assessment across customizable risk dimensions, and to auto-trigger re-assessment when internal or external changes occur. Some key risk dimensions that must be covered:
Privacy Risk (Access to NPPI / PII data)
Financial / Credit Risk
Infrastructure / Physical Access
Detailed Assessment based on Criticality and Risk — Information Gathering
The ability to initiate risk-adjusted assessments and to track and evaluate responses automatically
Periodically auto-initiate assessments based on any new events
Centrally manage it all; for third parties, the platform should allow them to share assessment results with multiple customers
The ability to provide risk assessors with a digitized way of assessing the effectiveness of controls
3. Continuous Monitoring
The ability to continuously monitor third parties, receive smart alerts and trigger actions.
Organizations can integrate the following sources to monitor third parties on a near real-time basis:
Cyber security ratings
Financial / credit checks
AML and PEP screening
Adverse media and internet scanning for good and bad press
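The risk-dimension tiering described under component 2 and the event-driven monitoring described under component 3 are, in practice, a small rules engine: score the vendor on each dimension, derive a criticality tier that sets assessment depth and cadence, and re-open the assessment when a monitoring feed produces a material signal. The following is an added illustration written for this article, not code from the article or from any GRC product. The dimension names and monitoring sources follow the text; the weights, scoring scale, cadences, thresholds, vendor name and feed events are constructed assumptions.

```python
"""Constructed example: inherent-risk tiering plus event-driven re-assessment triggers.

Dimension names follow the article (privacy, financial/credit, infrastructure/physical
access); the weights, scales, cadences and thresholds below are assumptions chosen for
illustration, not values from the article or from any particular GRC product.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed weights per risk dimension; a real programme tunes these to its risk appetite.
DIMENSION_WEIGHTS = {
    "privacy": 0.4,          # access to NPPI / PII data
    "financial": 0.3,        # financial / credit risk
    "infrastructure": 0.3,   # infrastructure / physical access
}

# Assumed re-assessment cadence by criticality tier, in days.
ASSESSMENT_CADENCE_DAYS = {"High": 90, "Medium": 180, "Low": 365}


@dataclass
class ThirdParty:
    name: str
    dimension_scores: dict    # dimension -> 1 (low) .. 5 (high), from the preliminary assessment
    last_assessed: date
    last_cyber_rating: int    # 0..100, higher is better (assumed rating scale)


@dataclass
class MonitoringEvent:
    """One signal from a continuous-monitoring feed (constructed for the example)."""
    source: str               # "cyber_rating" | "credit" | "screening" | "adverse_media"
    detail: dict = field(default_factory=dict)


def inherent_risk_score(scores: dict) -> float:
    """Weighted average of the 1..5 dimension scores; a missing dimension counts as 1 (low)."""
    return round(sum(DIMENSION_WEIGHTS[d] * scores.get(d, 1) for d in DIMENSION_WEIGHTS), 2)


def criticality_tier(score: float) -> str:
    """Map the inherent-risk score to the tier that drives assessment depth and cadence (assumed cut-offs)."""
    if score >= 4.0:
        return "High"
    if score >= 2.5:
        return "Medium"
    return "Low"


def event_triggers_reassessment(tp: ThirdParty, event: MonitoringEvent) -> Optional[str]:
    """Return an alert reason when a monitoring signal should re-open the assessment, else None.

    Each rule corresponds to a monitoring source named in the article; the thresholds are assumptions.
    """
    d = event.detail
    if event.source == "cyber_rating":
        # Act on a material drop in the external security rating, not on every small fluctuation.
        if tp.last_cyber_rating - d.get("rating", tp.last_cyber_rating) >= 10:
            return f"cyber rating dropped from {tp.last_cyber_rating} to {d['rating']}"
    elif event.source == "credit" and d.get("downgraded"):
        return f"credit downgrade to {d.get('grade', '?')}"
    elif event.source == "screening" and d.get("hit") in {"AML", "PEP", "sanctions"}:
        return f"{d['hit']} screening hit"
    elif event.source == "adverse_media" and d.get("severity", "low") in {"high", "critical"}:
        return f"adverse media ({d['severity']}): {d.get('headline', '')}"
    return None


def evaluate(tp: ThirdParty, events: list, today: date) -> dict:
    """Combine the periodic cadence and event-driven triggers into one decision for a third party."""
    score = inherent_risk_score(tp.dimension_scores)
    tier = criticality_tier(score)
    due = tp.last_assessed + timedelta(days=ASSESSMENT_CADENCE_DAYS[tier])
    reasons = [r for r in (event_triggers_reassessment(tp, e) for e in events) if r]
    if today > due:
        reasons.insert(0, f"periodic re-assessment overdue since {due.isoformat()}")
    return {"score": score, "tier": tier, "reassess": bool(reasons), "reasons": reasons}


def demo() -> dict:
    """Run the evaluation on constructed sample data: a payments vendor with broad PII access."""
    vendor = ThirdParty(
        name="ExamplePay (constructed)",
        dimension_scores={"privacy": 5, "financial": 4, "infrastructure": 3},
        last_assessed=date(2023, 1, 15),
        last_cyber_rating=82,
    )
    feed = [
        MonitoringEvent("cyber_rating", {"rating": 79}),                      # noise: a drop of 3
        MonitoringEvent("adverse_media", {"severity": "low", "headline": "minor press item"}),
        MonitoringEvent("credit", {"downgraded": True, "grade": "BB-"}),      # material signal
    ]
    return evaluate(vendor, feed, date(2023, 3, 1))


if __name__ == "__main__":
    print(demo())
```

In the constructed run the vendor scores 4.1 and lands in the High tier, so it is on a 90-day cadence and is not yet overdue; the small rating dip and low-severity press item are ignored, and only the credit downgrade re-opens the assessment. Keeping every threshold in one place is what lets a programme tune noise versus coverage without rewriting the workflow.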
4. Performance Measurement & Innovation
The ability to define, track and measure KPIs and KRIs, including the strategic value that your third party is bringing to the table.
5. Predictive Analytics
The ability to sense leading and lagging indicators and take proactive action.
More and more organizations are now taking a closer look at their current technology platforms. Automation has been around for a while, but AI-driven digital and cognitive enablement is still evolving and is likely to further redefine the engagement experience with third parties. The challenge, though, has been integration with in-house upstream and downstream systems.
Third-party risk is starting to feature consistently on board agendas, with CEO- or board-level responsibility in the more progressive organizations and in those operating in highly regulated environments. This also means that more and more organizations have begun investing in the right technology solutions to enable continuous risk monitoring. The industry as a whole, however, is still playing catch-up in maturing its third-party governance and risk management processes.
In the end, Third-Party Governance and Risk Management is the art and science of engaging your organization’s third parties. While emerging technologies such as AI and machine learning can certainly assist with the ‘science’ of engagement, the ‘art’ of engagement will largely depend on human intuition.
Only publicly available information from the two sources below is referred to in this article, and the link to each source is included.
1. Stay Ahead of Growing Third-Party Risks: Why legal and compliance leaders must shift to an iterative approach. Gartner.
2. Third party governance and risk management. The threats are real. Deloitte.