PwC have some useful advice about third (fourth…) party risk. For a start, do you even know who your suppliers are?
It has been a hugely rewarding week (except for lack of sleep!) – working in the Bay Area with some great minds, meeting friends, family and clients, enjoying fine weather (especially when it’s cold and miserable back in the UK) and getting to see the true disruptor of our lifetime – technology. Technology continues to revolutionise the way we live, and I felt it first hand on a scenic drive around the Bay Area in one of the valley’s finest innovations, a Tesla, while ordering my lunch through an app which sends messages to the delivery company to deliver my food at a time of my asking.
This experience made me realise how interconnected things are, and how technologies need to coexist and adapt in an increasingly competitive world. The catering company cannot deliver hot food without the support of the delivery company and vice versa, and they both rely on a technology provider to deliver that service – interconnectivity is becoming the lifeblood of the world. These trends suggest that third-party collaboration is not only here to stay, it’s set to accelerate with the speed of technological revolution.
As the need for third-party relationships grows, so too do the risks. The organisational boundary is blurred, and the risks range from geopolitical exposure to increasingly sophisticated cyber threats, privacy obligations and operational resilience.
Addressing third party risk
Third party management isn’t new – it has existed for a number of years – but the pace of disruption calls for a more mature way to address the associated risks, which can result in a breach of trust and reputational loss. As I ordered my food, I was thinking about the data I was sharing with the catering company and how, in turn, they may share that data with their third party suppliers and so on. It made me realise that I have to adapt and embrace the technology while, at the same time, understanding the technology ecosystem that is using and sharing my personal data.
The result? A strong desire for me to discover how the catering company manages its third party relationships, and how transparent they are to me as a customer.
Organisations which do this well tend to have a mature third party risk framework (TPRF), helping them to identify, evaluate, monitor and manage third party risk. I started thinking of what that might look like and here is my take on it:
Six steps to emerge as a winner in an interconnected world
- Governance – We often hear the term “Tone at the top”: for a TPRF to be truly effective, organisations must have buy-in and support from the leadership of the company. TPRF governance should define the vision and provide direction for managing third party risk. The operating model for day-to-day functioning should include the organisational structure, committees, and roles and responsibilities for managing third parties. In addition, the governance approach should consider how TPRF activities integrate with other risk management functions. Finally, organisations should identify critical stakeholders and engage them early to embed the TPRF.
- Discovery – understand your third (and fourth) parties – From experience, a large number of organisations do not have a full view of their third party inventory, let alone their fourth parties. To truly manage third party risk, a single source of truth is necessary. Organisations should first identify their third parties and the internal owner of each relationship, then the fourth parties that support those third parties (the subprocessors your suppliers themselves rely on), potentially with the help of technology tools, so that the inventory is complete and accurate rather than assembled from memory. With interconnectivity on the rise, the third-party inventory should be a living record that is updated on a regular basis – this will serve as the foundation for a sustainable third-party risk management process.
- Establish a risk framework – As organisations develop a clear view of their third-party landscape, it is important to tier those third parties by the risk they present, the organisation’s appetite for that risk, and the controls needed to stay within it. Mature organisations tend to establish a risk universe that takes into account geopolitical, reputational, financial, regulatory compliance, cyber and privacy, and operational resilience risks. This identifies which risks each third-party relationship should be evaluated against, and how much of each the organisation is willing to accept.
- Implement policies that work for you – Policies and standards establish clear roles, responsibilities and expectations for all stakeholders involved in an organisation’s TPRF initiatives, internally and externally. These need to be tailored to suit the needs of the organisation while remaining consistent with the policies that are already in place.
- Embrace emerging technology to improve risk mitigation – In today’s technology-driven world, not using technology to support and automate processes and analyse data is a missed opportunity. Robotic process automation (RPA) is playing an increasingly significant role in TPRF, allowing organisations to decrease processing time while increasing the volume of assessments. RPA can further streamline operations by eliminating manual tasks, repetitive activities and process bottlenecks. Organisations can use real-time reporting to provide timely updates to the business, senior management and the board. The most successful organisations can break down their third-party inventory by reporting common risk themes across the third-party community and by service type.
- The right assurance framework – Finally, it is necessary to include a right-to-audit clause in your contracts and to enforce it when required, so that you have assurance over the services provided by the third party. There are a variety of certifications and assurance reports that can help organisations better understand how data is managed and secured by their third parties. Check the scope and reporting period of any such report against the services you actually consume: a certificate covering a different business unit, data centre or period gives no assurance over yours.
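The discovery and risk-framework steps above hinge on one question the intro raises: do you know who holds your data once your direct supplier passes it on? The following is an added example, not code from the page or from PwC, that models a supplier register as a directed graph and computes, for each supplier, its tier (third party, fourth party, and so on), which personal-data categories can reach it, and whether anyone in the organisation owns the relationship. All supplier names, data categories and owners are a constructed sample modelled on the article’s catering/delivery/technology-provider chain.

```python
"""Supplier register as a graph: who, at what tier, can receive which data.

Added example; supplier names, data categories and owners are constructed.
"""
from collections import deque

# Third parties we contract with directly, and the personal-data categories
# each one receives from us.
DIRECT = {
    "catering-co": {"name", "address", "payment-card"},
    "payroll-saas": {"name", "bank-account"},
}

# Per supplier: the subprocessors it uses and which of the data it holds it
# passes on. This is supplier-declared, so it is only as good as discovery.
FORWARDS = {
    "catering-co": {"delivery-co": {"name", "address"}},
    "delivery-co": {"sms-gateway": {"name"}, "maps-api": {"address"}},
    "sms-gateway": {"cloud-host": {"name"}},
    "payroll-saas": {"cloud-host": {"name", "bank-account"}},
    # Cycle: the host uses the gateway for alerting but passes no personal data.
    "cloud-host": {"sms-gateway": set()},
}

# Internal owner of each relationship. Anyone reachable in the graph but absent
# here is a supplier nobody is managing.
OWNERS = {"catering-co": "ops", "payroll-saas": "hr", "delivery-co": "ops"}


def tiers(direct, forwards):
    """Shortest hop count from us: 1 = third party, 2 = fourth party, ..."""
    tier = {s: 1 for s in direct}
    queue = deque(direct)
    while queue:
        s = queue.popleft()
        for sub in forwards.get(s, {}):
            if sub not in tier:          # first visit is the shortest path
                tier[sub] = tier[s] + 1
                queue.append(sub)
    return tier


def exposure(direct, forwards):
    """Data categories that can reach each supplier.

    A supplier can only forward data it actually holds, so flow along an edge
    is (upstream reach) intersected with (declared forwarding). Computed as a
    fixpoint so cycles between subprocessors terminate.
    """
    reach = {s: set(d) for s, d in direct.items()}
    changed = True
    while changed:
        changed = False
        for s, subs in forwards.items():
            for sub, passed in subs.items():
                flow = reach.get(s, set()) & passed
                if not flow <= reach.get(sub, set()):
                    reach.setdefault(sub, set()).update(flow)
                    changed = True
    return {s: frozenset(d) for s, d in reach.items()}


def unowned(forwards, owners, direct):
    """Suppliers in the graph with no named relationship owner."""
    return sorted(s for s in tiers(direct, forwards) if s not in owners)


def report(direct, forwards, owners):
    """Rows of (supplier, tier, data reaching it, owner), tier-ordered."""
    t, e = tiers(direct, forwards), exposure(direct, forwards)
    return [(s, t[s], sorted(e.get(s, ())), owners.get(s, "UNOWNED"))
            for s in sorted(t, key=lambda s: (t[s], s))]


if __name__ == "__main__":
    for name, tier, data, owner in report(DIRECT, FORWARDS, OWNERS):
        print(f"tier {tier}  {name:12} owner={owner:8} data={','.join(data) or '-'}")
```

Run as-is, the report shows that cloud-host is a fourth party, owned by nobody, yet receives bank-account data via payroll-saas; that is exactly the gap a static list of direct suppliers would hide. In practice the two dictionaries would be loaded from the inventory system and the forwarding declarations checked against each supplier’s published subprocessor list.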
Organisations that meticulously identify, assess and respond to external risks with the potential to impact their business strategy are better equipped to define risk responses that reduce impact, and so gain a commercial advantage. Keeping pace will require risk communities and information sharing across the ecosystem to stay current and embrace disruption. Organisations which achieve some of this will survive, but those which truly embrace third party risk management will achieve competitive advantage in this disruptive market, and will emerge the ultimate winners.