Advice on Third-Party Risk Management
Last week I had the good fortune to moderate a webinar on third-party risk management. We had outstanding guests who raised excellent points, and as usual, I ended up taking plenty of notes so that I could pass them along here.
Let’s begin with an appreciation of just how tricky a problem third-party risk management can be today. Corporations now routinely have thousands of third parties, each one posing a unique set of risks — corruption, certainly; but also fraud, privacy, sanctions, cybersecurity, human trafficking, and more. That’s a huge range of risk that compliance teams need to assess.
At the same time, modern technology has made it easier than ever for employees across your enterprise to strike business relationships without first following proper due diligence procedures. You, the compliance or risk team, are in a constant battle to convince employees to work with you on third-party risk, while the actual work becomes ever more complex.
How can we make all that succeed? That’s the question I put to our webinar guests.
One point raised by both guests was the importance of structure for your third-party risk management (TPRM) program. You need structured, repeatable processes that guide employees through that program. Otherwise those employees might sidestep the program entirely and end up saddling the company with all sorts of risks — risks that you in the Second Line of Defense might never be aware of.
What might all that structure look like in practice? One speaker said she had created an “Office of Third-Party Risk Management” to get the program running correctly and sustainably. That office built the processes for business units to engage with the Second Line of Defense when those units wanted to contract with a third party. Once the office had the program humming along, the risk and compliance team handed off its long-term operation to the procurement team. That strikes me as a wise approach.
Ideally, that TPRM office would serve as a one-stop-shopping experience for the business team looking to “sponsor” (that was the word both our speakers used) a third-party relationship. The office could exist as a portal where all business sponsors go to submit their request.
The portal could use questionnaires to ask the sponsor about the type of third party he or she wants to use. It could then return something like, “OK, if you want a third party to handle this task for us, then we’ll need to collect the following types of data.” It could then walk the sponsor through how that data will be collected, the risks the sponsor will need to monitor, what attestations about the third party the sponsor might need to make, and so forth.
Even if you don’t establish a formal Office of TPRM, I still like the emphasis on governance and infrastructure. It gives you, the compliance officer, a chance to set the tone about third-party relationships — and to emphasize that the business sponsor is responsible for these risks, not you.
The Role of SMEs
OK, so you’ve built your office or infrastructure or whatever works for you to bring the business sponsor into the process. The business sponsor went to your portal and you’ve identified the major risks that the proposed third-party relationship will generate. Now people in the Second Line of Defense still need to evaluate those risks. This brings subject matter experts, or SMEs, into the picture.
In a perfect world, you’ll have one SME for each risk you’ve identified. Sometimes that’s a straightforward exercise. If the third party poses cybersecurity risk, your IT security team can evaluate the extent of that risk. If the party poses financial risk (say, agreeing to a long-term, fixed-price contract for a commodity good), maybe the finance department can weigh in. If we’re talking about corruption risk, the SME might be you.
Still, we’re back to that first point about infrastructure. Do you have all the SMEs you need? What’s the process to “activate” them, when a proposed third-party relationship triggers a risk in their field? What information will they need about the proposed third party, and how quickly will you be able to get it into their hands? How quickly will they be able to give you an answer back?
Working out all those logistical kinks is crucial because otherwise your TPRM effort might take longer, and those business sponsors will be tempted to circumvent your TPRM process. Indeed, one webinar speaker even recommended allowing some transparency into the process, so the business sponsor can see exactly where delays might be happening. That’s another good idea.
I also wonder about the recommendation these SMEs give to you. One route might be to boil their evaluations down to a go/no-go decision, but the wiser path might be to have them recommend a set of controls or performance criteria that the third party would need to meet. Then you can go back to the business sponsor and say, “These are the conditions under which our company can work with the third party — are you prepared to enforce them?”
A Word on Risk Scoring
I went into this webinar assuming that the ultimate goal for TPRM these days is to collect comprehensive data about each third party and then convert that information into some sort of consolidated risk score. When a party’s score crosses some pre-determined threshold, it’s too risky and you don’t use it.
Both webinar guests said the single risk score idea is nice in theory, but might be more trouble than it’s worth in practice. First, even perfecting the data analytics to give you a single numerical score would be difficult. (Like, is it a number from 1 to 10, or a percentage? How do you weight the different risk factors correctly?) Second, you might lose valuable nuance in your risk analysis by reducing so many dimensions down to a single number.
The wiser course might be to create a matrix of risks for the third party under review, where each risk gets its own score. GRC tools can usually provide this level of analysis, displaying the various risks in a heat map, for example. That allows everyone to see the various risks the third party brings, and it helps the business sponsor to understand exactly what risks he or she is shouldering — which should always be a paramount goal for your TPRM program.
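To make the matrix idea concrete, here is a small Python model I have added to this post; it is not code from the webinar or from any GRC product, and the risk dimensions, weights, cut-offs, condition texts and sample third parties are all constructed for illustration. It scores the same third party two ways: once as a single weighted number with a go/no-go cut-off, and once as a per-dimension matrix with a heat-map band for each risk and a list of conditions the sponsor would have to enforce, which is the approach described in the section on SMEs above.

```python
"""Per-risk matrix versus a single consolidated score for a third party.

Added example for this post, not code from the webinar or from any GRC
product. Every third party, weight, threshold, score and condition text
below is constructed for illustration.
"""
from dataclasses import dataclass

# Risk dimensions named in the post, each scored 1 (low) to 5 (high).
DIMENSIONS = ("corruption", "fraud", "privacy", "sanctions",
              "cybersecurity", "human_trafficking")

# Assumed weights for the consolidated score; the post notes how hard such
# weights are to justify, and the sample below shows why that matters.
WEIGHTS = {"corruption": 2, "fraud": 1, "privacy": 1, "sanctions": 2,
           "cybersecurity": 2, "human_trafficking": 1}

# Assumed cut-offs: a consolidated score at or above SINGLE_CUTOFF is "too
# risky"; a per-dimension score at or above DIMENSION_THRESHOLD activates
# that dimension's SME and attaches a condition to the relationship.
SINGLE_CUTOFF = 3.5
DIMENSION_THRESHOLD = 4

# Assumed catalogue of conditions an SME might ask the sponsor to enforce.
CONDITIONS = {
    "corruption": "anti-corruption clause and annual certification from the third party",
    "fraud": "dual approval of invoices above an agreed amount",
    "privacy": "data processing agreement covering every data set shared",
    "sanctions": "sanctions-list screening before onboarding and at every renewal",
    "cybersecurity": "recent independent security assessment and breach notification clause",
    "human_trafficking": "supply-chain labour audit rights written into the contract",
}


@dataclass
class ThirdParty:
    name: str
    scores: dict  # dimension -> 1..5, one entry per item in DIMENSIONS


def consolidated_score(party: ThirdParty) -> float:
    """Collapse every dimension into one weighted 1-5 number."""
    total_weight = sum(WEIGHTS.values())
    weighted = sum(WEIGHTS[d] * party.scores[d] for d in DIMENSIONS)
    return round(weighted / total_weight, 2)


def single_score_verdict(party: ThirdParty) -> str:
    """Go/no-go decided from the single number alone."""
    return "too risky" if consolidated_score(party) >= SINGLE_CUTOFF else "acceptable"


def heat_band(score: int) -> str:
    """Heat-map colour for one dimension's score."""
    if score >= DIMENSION_THRESHOLD:
        return "red"
    return "amber" if score == 3 else "green"


def risk_matrix(party: ThirdParty) -> dict:
    """Per-dimension view: (score, heat band) for every risk, nothing collapsed."""
    return {d: (party.scores[d], heat_band(party.scores[d])) for d in DIMENSIONS}


def conditions_for(party: ThirdParty) -> dict:
    """Conditions the sponsor must agree to enforce: one per dimension that
    crosses the threshold, in place of a bare go/no-go answer."""
    return {d: CONDITIONS[d] for d in DIMENSIONS
            if party.scores[d] >= DIMENSION_THRESHOLD}


def compare(party: ThirdParty) -> dict:
    """Side by side: what the single score says versus what the matrix flags."""
    return {
        "name": party.name,
        "consolidated": consolidated_score(party),
        "single_score_verdict": single_score_verdict(party),
        "red_dimensions": [d for d, (_, band) in risk_matrix(party).items() if band == "red"],
        "conditions": conditions_for(party),
    }


# Constructed sample parties (not real companies).
SAMPLE_PARTIES = [
    # Clean on every dimension except a maximal sanctions score.
    ThirdParty("Constructed Freight Co", {
        "corruption": 1, "fraud": 1, "privacy": 2, "sanctions": 5,
        "cybersecurity": 1, "human_trafficking": 1}),
    # Middling on everything; no single dimension crosses the threshold.
    ThirdParty("Constructed Staffing Ltd", {d: 3 for d in DIMENSIONS}),
]

if __name__ == "__main__":
    for p in SAMPLE_PARTIES:
        print(compare(p))
```

The first constructed party lands at 2.0 on the consolidated scale and passes the single-score cut-off comfortably, even though its sanctions score is at the maximum; five low scores have averaged one critical one out of sight. The matrix keeps that dimension red and hands back the one condition the sponsor would have to accept, which is the nuance both guests were worried about losing. The second party shows the reverse limitation of thresholds alone: all amber, nothing red, so no condition fires, and it is the heat map as a whole that tells the sponsor what he or she is shouldering.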
One Final Thought
We didn’t get to address this on our webinar, but one more thorny issue did occur to me. Sooner or later, some lucrative third party will come along with uncomfortably high risks, where your TPRM program recommends not using the party but the sponsor is still pushing hard to do so. Who makes that management override decision to use the party anyway?
We’ve seen this scenario go sideways countless times with customer risk in the anti-money laundering world: your AML or customer due diligence program flags the customer as unacceptable, and some doofus on the sales team ignores you and onboards the customer anyway. That same scenario can happen just as easily with vendor risks.
So what authority does the chief compliance or risk officer exercise in this process? What counsel can you give? How are your recommendations memorialized in case the third-party relationship does go sideways — and who bears responsibility when that override decision later proves to be incorrect?
Think about that, too. You still want your rear to be covered.