Ten good practices for implementing third-party risk management
- Published: Thursday, 03 February 2022 09:16
Jelle Groenendaal and Bram Ketting provide advice for implementing and improving third-party risk management, presenting a six step implementation approach and a checklist of ten good practices.
In its latest Global Risk Report (2022), the World Economic Forum highlighted the increased risk of supply chain disruptions as businesses increasingly outsource critical processes to third parties and continue to digitize physical supply chains. As stated in the report: “The digitalization of physical supply chains creates new vulnerabilities because those supply chains rely on technology providers and other third parties, which are also exposed to similar, potentially contagious, threats. Therefore, managing third-party risk is becoming more important than ever. In this article we will outline 10 good practices for implementing third-party risk management (TPRM).
Six-step implementation approach
TPRM is defined as the management process of managing risks introduced to your organization by your organization’s vendors, suppliers, contractors, business partners, alliances, agents, and other external stakeholders that provide products or services.
In a nutshell, the following six steps can be used to implement and start TPRM within any organization, regardless of its sector or size:
- Establish foundation: the first step towards the implementation of third-party risk management includes assigning a senior leader who will be responsible for the implementation of TPRM, formulating a business-aligned vision and strategy (e.g. what are the objectives of TPRM?), defining scope (e.g. what risk domains will be in scope?), assigning ownership (who will be accountable and responsible for TPRM?), developing an operating model (e.g. do you want to execute TPRM locally or centrally?), establishing a policy and corresponding procedures (what governance changes are needed?) and implementing a tool (e.g. how to make sure that TPRM is conducted efficiently and effectively?).
- Define requirements: the second step involves defining the requirements that third-party risk management should take into account. Two types of requirements can be distinguished: internal requirements (e.g. internal policies, business decisions) and external requirements (e.g. regulatory, industry, sustainability and compliance attestations).
- Create an inventory of third parties; the third step is about creating an overview of all third parties and contracts. Some organizations might be able to leverage existing inventories from procurement or strategic buying. Other organizations do not have a single source of truth and need to build this from scratch. You should make sure that you assign business owners and contact persons per third-party and per contract.
- Prioritise third parties: the fourth step includes the prioritization of third parties by assigning a risk profile to your third-party engagements. Defining a risk profile per third-party and contracts helps you to determine (a) what third parties will be in scope for the due diligence assessments and (b) in what order the third-parties or contracts need to be assessed.
- Perform due diligence assessments: the fifth step consists of performing the due diligence assessments. You can use various assessment types, ranging from self-assessments, audits, or third-party data providers. From a content perspective, there are several options. You can rely on best practice assessment questionnaires, request compliance statements, or develop your own questionnaire (preferably based upon a recognized framework such as ISO or NIST). Due diligence assessments can be conducted pre-contract, during contract renewal, after an external event (e.g. incident, regulatory change), periodic, risk-based, or continuous.
- Monitor and follow-up: the sixth and final step involves ensuring that all assessments are completed, analysed and reported to the identified stakeholders. A follow-up is initiated for risks that are considered out of tolerance.
Ten good practices for implementing third-party risk management
- Formulate a clear and compelling vision. A vision will guide you in the setup and is key for the management buy-in.
- Involve internal stakeholders such as risk and compliance, security, procurement, and business actors from the start of the third-party risk management design and implementation process. TPRM is a major project and therefore buy-in from all parties is necessary.
- Consider a centralised third-party risk management model that facilitates the risk assessment on behalf of and with input from the business. A centralised model drives standardization and is usually more cost-effective.
- Ensure that the mandate for third-party risk management is well documented in policy and corresponding procedures. New or updated policy documents that reflect the target TPRM operating model are conditional for an effective TPRM capability.
- Use dedicated third-party risk management tooling. Specialist software is completely built for managing third-party risks; and eliminates the spreadsheet headache!
- Differentiate between third-parties and contracts. As you can consume totally different services from one supplier, it is recommended to create an inventory with third-parties (i.e. third-party catalogue) as well as contracts (i.e. contract catalogue).
- Assign a risk profile to your third parties and contracts. By prioritizing between your third-parties and contracts, you can determine what to assess and in what order. This is particularly helpful if you have a large number of suppliers.
- Make your due diligence assessment dependent on the risk profile, type of service, contract value and other indicators. You do not want to ask the 200+ questions to a small supplier that you ask to a multinational.
- Adjust assessment timing to the risk profile of your third parties and contracts. Simply put, you might want to assess critical suppliers more often than non-critical ones.
- Start thinking about the data collection, analysing, and follow-up process before sending out the first due diligence assessments. Again, specialist tooling can be beneficial to safely process the assessment results, perform an initial analysis on the provided answers and allow you to initiate a follow-up.