Tackling Third-Party Risk Management
This week I had the good fortune to moderate a webinar on third-party risk management, and the role that compliance officers should play in this critically important, but increasingly complicated, task. The conversation was excellent and I took plenty of notes, which I now pass along to the compliance community for whatever they're worth.
Let’s start with why third-party risk drives so many companies so crazy: because it’s fragmented.
That is, at most companies no single executive “owns” third-party risk, and there is no such role as a “chief third-party risk management officer.” Instead, most organizations wander into a structure where numerous teams participate in third-party risk management, but each team only looks at the one particular slice of third-party risk that matters most to that team. So procurement looks at the availability of goods or services, IT security teams assess suppliers’ security or privacy risk, compliance teams assess corruption or sanctions risk, and so forth.
This piecemeal approach to risk assessment does nobody any favors. It's how a company ends up with third parties in its supply chain that pose more risk than anyone understands, which will eventually bite the company in the rear end. Or it's how a third party almost gets on-boarded into your enterprise, and then at the last minute someone, often the compliance officer, ends up having to be the bad guy who says no.
So in our webinar, we talked a lot about the importance of defining your third-party risks early. Sit down with senior management and leaders of the operating units and ask yourselves: What are the risks from our third parties that we worry about most? What are the actions or traits that we will never accept from our third parties?
This is a great exercise for several reasons.
Getting Away From Department of No
First, it brings together all those fragments of third-party risk already happening in your enterprise and bundles them all together into a single, holistic understanding of third-party risk. Everyone — compliance, finance, IT security, procurement, operating teams — gets to see everyone else’s perspective on third-party risk. You get to hash out a hierarchy of concerns. You get to hold up the company’s ethical values and ask how well those concerns do or don’t align with the ethical values you supposedly cherish.
Second, this forces senior management (and ideally the board) to define what your organization's tolerance for risk is. After all, defining that risk tolerance is their job. They run the company. They get to decide what the company's objectives are, and how much risk they're willing to stomach to achieve those objectives. Your job, as compliance officer or CISO or internal auditor or whoever you are, is simply to help management understand the possible consequences of their chosen risk tolerance level fully and clearly.
Third, if you have a predefined list of third-party risks, ranked in priority, it becomes much easier for the compliance team to say no to a problematic third party. You’re not so much the Department of No, issuing vetoes over third parties and getting dirty looks from the rest of the business; you’re the Department of We Will Never, helping everyone to define in advance what the company simply will not do.
Then your veto of a problematic third party is simply a demonstration of that commitment. You can tell unhappy operating units, “Hey, this is what we all agreed upon many moons ago.” Or if some executive out there insists on using that third party anyway, it becomes much easier for you to say, “Sure, but since you now own that risk, please fill out this approval form acknowledging that, or agree to these extra oversight steps,” or something like that.
Chief Third-Party Risk Officer?
My one practical concern here is that third-party risks are evolving so quickly. For example, who had tariffs on their risk management bingo card six months ago? Probably nobody, but today they cast a huge shadow over your supply chain, with significant implications for your compliance risk profile. Or consider cybersecurity, which in just a few years went from privacy breaches (expensive but not life-threatening to a company) to ransomware (potentially a business-ending event).
So it’s not enough to say that a day-long retreat to define third-party risks is the solution to your troubles. Your company will need some sort of mechanism to keep revisiting third-party risks on an ongoing basis, to understand how they are changing and how they do or don’t threaten your strategic objectives.
OK, nifty theoretical idea — but what does that mechanism look like in practice? Does that mean the company should designate a chief third-party risk officer? Would that person have his or her own department and resources; or be more like the chairman of a risk committee that debates third-party risks? And how would that committee go from endless debates to actual decisions that management will support?
Those are the next questions compliance and audit teams need to ask themselves as we try to find a sustainable way to manage third-party risk. If you’ve already developed some good answers, by all means let me know (even confidentially) at [email protected] and we can discuss in future posts.
What’s clear today, however, is that a fractured approach is no longer viable. Companies need to get ahead of third-party risk somehow.
That’s enough for today — and we’re still just on the structure and theory of third-party risk! Next week I’ll have a follow-up on more nuts-and-bolts tactics.