Fresh linking: TPRM across the supply chain
April 2023 | COVER STORY | RISK MANAGEMENT
Financier Worldwide Magazine
April 2023 Issue
A chain is no stronger than its weakest link is a well-known idiom. In the supply chain realm, this is certainly true, with vulnerabilities, inherent or acquired, at considerable risk of being exploited at any point along what may be a complex system of links.
Today, organisations are increasingly reliant on third-party suppliers to deliver business-critical products and services to their clients and customers. These third parties have the potential to expose their clients to risk and cause major disruptions. As a result, effectively identifying and mitigating supply chain risks is a demanding task.
“Modern organisations rely on outsourcing, as it helps save money and offers a simple way to take advantage of expertise that an organisation lacks internally,” says Matthew Moog, general manager of third party risk management (TPRM) business at OneTrust. “The level of risk an organisation is subject to is based on how dependent it is on its suppliers, how well it knows those suppliers and the concentration risk of working with each of those suppliers.”
According to OneTrust analysis, while many organisations immediately think of cyber security risks, a great many more risk scenarios need to be considered, including: (i) reputational risks; (ii) geographical risks; (iii) geopolitical risks; (iv) strategic risks; (v) financial risks; (vi) operational risks; (vii) privacy risks; (viii) compliance risks; (ix) ethical risks; (x) business continuity risks; (xi) performance risks; (xii) fourth-party risks; (xiii) credit risks; and (xiv) environmental risks.
“The global macroeconomic environment is creating risk scenarios in 2023 where organisations are going to be asked to do more with less,” adds Mr Moog. “This is likely to lead to an evolution in how leaders of organisations and their teams approach supply chain risk.”
Moreover, give the extent of these risks, even if a minor breach takes place along the supply chain – cyber-orientated or otherwise – and an organisation lacks the ability to deploy a satisfactory response, then substantial damage can ensue.
In its 2022 ‘Third-Party Risk Management Governance and Technology Investments’ report, Gartner sets out how third-party risks can have severe costs and consequences for affected companies. These include supply chain disruptions, vendor fraud, cyber incidents, data loss and multimillion-dollar regulatory fines that can exceed $500m under the US Foreign Corrupt Practices Act.
Add to these a loss of sensitive information, operational downtime, legal complications, compliance issues and a damaged reputation, and it becomes abundantly clear how many risk scenarios have resulted from an increased reliance on third parties and the extended enterprise.
“No organisation is an island,” says Linda Tuck Chapman, chief executive of the Third Party Risk Institute Ltd. “Every organisation, everywhere, has varying degrees of reliance on its vendors and other third parties to deliver products and services to clients and support internal operations, comply with regulations and laws, and meet client and shareholder expectations.”
In a world where threats are constantly evolving, managing third-party risk in the supply chain is a complex business. Circumstances can change rapidly, and ignorance is no excuse. If organisations do not monitor and address those changes, their exposure to risk could be damaging to the business and its clients.
Current effectiveness
So, with supply chain risks extensive, how effective is the third-party vetting currently undertaken by organisations? Not great, according to Gartner’s 2022 analysis.
In its report, Gartner states that organisations are in a “poor position” to manage critical third-party risks, revealing that only 16 percent of organisations questioned say they manage third-party risks effectively and only 28 percent continuously monitor third parties throughout engagement cycles.
“Currently, most third-party risk processes are manual and assessment-based, making it extremely difficult to run a programme at scale,” acknowledges Mr Moog. “Many teams are also relying on a ‘one size fits all’ approach, with the same assessments and similar monitoring and screening schedule for all suppliers.
“Additionally, a supplier may be given multiple assessments from teams across the vendor’s organisation, since they have different concerns,” he continues. “Teams can struggle to review this information, prioritise and determine where the real risk lies. A more sophisticated approach would tailor assessments to the supplier based on industry and dependence, as well as how frequently that vendor is screened.”
Another issue is that despite the risks, many organisations lose sight of their supply chains, with very few setting minimum security standards for their suppliers. “Programmes are commonly under resourced, disconnected from the wider business or tagged on at the end,” asserts Matt Gerry, a security consultant at Evalian. “Organisations must shift away from the mindset that security is for security professionals and take a much more holistic approach, building in consideration for security within their frontline functions such as procurement.
“Supply chain risks need to be owned through a chain of accountability leading to the top of the organisation,” he continues. “Risks are often siloed within a security or data protection team and forgotten about as soon as operational needs take precedence.”
The TPRM lifecycle
Understanding all relevant types of risk is imperative to building an effective TPRM programme – a programme that must extend the length and breadth of the TPRM lifecycle. Essentially, without a proper TPRM programme in place, relying on third parties makes an organisation more vulnerable.
Outlining an organisation’s typical relationship with a third party, the TPRM lifecycle – sometimes referred to as ‘third-party management’ – consists of several stages, as outlined by One Trust below.
First, third-party identification. There are many ways to identify the third parties an organisation is currently working with, as well as ways to identify new third parties an organisation wants to use. These include using existing information, integrating with existing technologies and conducting assessments or interviews.
Second, evaluation and selection. During the evaluation and selection phase, organisations go to market, which may include a request for proposal, and choose the vendor they want to use. This decision is made using a number of factors that are unique to the business and its specific needs.
Third, risk identification and assessment. Vendor risk assessments should focus on the risks the organisation faces by doing business with the vendor, and they take time and are resource intensive. This why many organisations may use a third party risk exchange to access pre-completed assessments. Other common methods include using spreadsheets or TPRM software that automates workflow and information gathering, increases the assessment process and automates risk rating processes.
Fourth, risk mitigation. After conducting an assessment, unmitigated risks are identified, and mitigation can begin. Common risk rating techniques include evaluating controls, flagging deficiencies, giving the third-party engagement a risk rating or score, and determining if the risk is acceptable within a defined risk appetite after evaluating required controls that reduce the risk to an acceptable level of residual risk.
Fifth, contracting and procurement. Sometimes done in parallel with risk mitigation, risk-informed contracting and procurement are critical from a third-party risk perspective. Contracts codify expectations, and help to maintain the level of residual risk the organisation is willing to accept. Contracts contain details about the goods or services that are being acquired, plus key provisions, clauses and terms that TPRM teams should look out for when reviewing vendor contracts.
Sixth, reporting and record keeping. Building a strong TPRM programme requires organisations to maintain compliance with policies, regulations and laws – a step that is often overlooked. Maintaining detailed records and actionable outcomes in spreadsheets is nearly impossible at scale, which is why many organisations implement TPRM software.
Seventh, risk oversight and ongoing monitoring. An assessment is a ‘moment in time’ look into a vendor’s risks; however, engagements with third parties do not end there – or even after risk mitigation. Ongoing vendor monitoring and risk oversight throughout the life of a third-party relationship are critical, as is adapting when new issues arise.
Finally, vendor offboarding. A thorough offboarding procedure is critical, both for security purposes and record-keeping requirements. Many organisations have developed an offboarding checklist for vendors, which can consist of both an assessment sent internally and externally to confirm that all appropriate measures were taken for an orderly exit.
“Organisations need to drive supply chain security as far left in their procurement process as possible,” adds Mr Gerry. “Adapting existing contracts to include additional security requirements or carrying out monitoring or auditing requires much more overhead after the contract has been signed.
“Building in security requirements has limited effectiveness if those suppliers are then not held to account,” he continues. “Effective monitoring, including baking in the right to audit, and exercising that right, is vital.”
TPRM implementation
Once satisfied that it is aware of all the third parties with which it does business, which ones are critical to operations and how much risk exposure they bring, an organisation needs to implement a TPRM programme which effectively monitors risk. This programme needs to integrate the oversight and maintenance of third-party relationships into an overall governance framework.
In the experience of Ashray Lavsi, principal at Efficio, organisations should take the following implementation steps. First, develop and deploy a risk and assurance framework that includes policies, processes, tools and templates, as well as resources required for risk management. Second, build active supplier risk management across the end-to-end procurement lifecycle. Third, deploy pre-contract and post-contract risk assessment tools. Fourth, deploy third-party risk dashboards. Finally, continuously monitor risks across all risk dimensions, such as reputational risk, financial risk, health and safety risk, cyber risk, and supply risk.
“It is crucial that these steps be customised for individual companies based on multiple factors, including risk appetite and risk exposure, as a ‘one size fits all’ approach just does not work in this space,” adds Mr Lavsi.
Helping organisations to avoid ‘one size fits all’ practices is the use of a good relationship segmentation framework, which informs all downstream work effort, allowing the organisation to focus on its most important and riskiest third parties.
“This is accomplished by determining the level of operational reliance, typically selecting one level on a four-level scale for engagements that will be subject to the TPRM programme, and a fifth level for those that are not,” explains Ms Tuck Chapman. “The second dimension is a series of risk screening questions that determine which risks the organisation will be exposed to, and the relative riskiness of each type of risk, typically expressed as high, moderate or low.
“Relationship segmentation makes an important contribution to efficiently calibrating the appropriate amount of work effort throughout the lifecycle of third-party relationships, and establishes sensible guard rails for risk monitoring and oversight,” she continues. “With a well-designed programme, there should be very few instances of customisation to address a wide range of third-party relationships.”
Others advocate for a collaborative, non-confrontational approach with existing vendors, many of which may be good suppliers, but immature with regard to security management processes. “Both sides will benefit from improvement, but it will not happen overnight,” concedes Mr Gerry. “An organisation should establish the foundation for effective monitoring when it has the most clout to do so – typically before contracting or at contract renewal.”
Understanding their supply chain gives organisations the data to implement and optimise their TPRM programme, so that across the board they may focus their resources on the most important third parties and the key risks they face.
First priority challenge
TPRM is still a relatively new discipline and is constantly evolving. A first priority challenge that should involve all business functions – risk specialists, procurement, compliance, legal, audit, finance, and so on – the need for TPRM is greater than ever, a need driven in recent years by the global pandemic and the war in Ukraine.
“These recent events have demonstrated that business resilience is critical when working with suppliers,” affirms Mr Moog. “There are massive implications for the supply chain. Where it may have been previously seen as ‘nice to have’ it is now an imperative. The extent to which TPRM is uplevelled to a top business priority is dependent on how heavily an organisation relies on its third parties.”
For many, while operational reliance and associated risks do not change, the world around us does – a world in which TPRM activities should never be viewed as ‘once and done’. “The extent and complexity of the third party products and services essential to the success of most organisations already dwarfs what happens internally,” says Ms Tuck Chapman. “There is no turning back the clock; already high operational reliance will increase over time.
“If an organisation has not invested in TPRM, what is it waiting for?” she concludes. “The cost of one serious risk event will far exceed the cost of an effective TPRM programme. An ounce of prevention or a pound of cure? Organisations must choose.”
© Financier Worldwide
BY
Fraser Tennant