By: Heather Kadavy, CERP, CBVM CFSSP (Ret.)
“Individuals who execute the Third Party Risk Management process for [Enter Your Company Name] are qualified and competent, have clearly defined responsibilities, and are accountable for their actions. They understand our risk culture and appetite. They have a robust understanding and oversight of our core and ancillary activities, third party relationships and the various ecosystems leveraged by our organization to address operational and technical capacities to ensure our TPRM Program is aligned with our strategies, to appropriately balance risk-taking and rewards.”
Every business's board of directors, shareholders, or executive team probably wants to hear some variation of this solid assurance statement regarding their TPRM Program's effectiveness. In reality, it is increasingly difficult to accomplish.
The Transitioning of the Workforce is Fast and Furious. Onboarding a new employee typically means they hit the ground running, with little of the time on the job needed to acquire the depth and breadth of knowledge required to fully understand the complexities of the organization's critical processes, services, and activities, let alone its third party relationships, contractual obligations, and the internal and external risk, control, and gap decisions each organization faces.
TPRM Teams are often siloed in their view and actions, whether physically or through competing priorities. It takes a team of subject matter experts from each line of business, as well as the TPRM team, to fully understand the risks associated with third parties, and doing so effectively means articulating strategies and priorities; ultimately, everyone rowing in the same direction and everyone pulling their own weight.
Employees are Re-prioritizing, Exhausted or Disengaged. Today's workforce is either (a) focused on the immediate priorities of making or saving money (e.g. sales, processing, and client satisfaction), (b) exhausted and taking shortcuts, or (c) disengaged (aka “quiet quitting”). This can lead to suboptimal oversight of third party relationships, thereby increasing the potential for damage to your business through reputational or operational loss.
Resources are Earmarked for Client-Facing Solutions. TPRM teams are often asked to “get by one more year” with the resources at hand, in an ecosystem that keeps growing and becoming more complex.
Third, Fourth and Nth Parties All Face the Same Problems. Each has an ecosystem with its own shifting workforce and its own cultural, operational, and technical uniqueness to manage, so providing answers to our TPRM teams sometimes takes a back seat.
All of these complexities make it harder to achieve the utopian ideal that each TPRM team will have in-depth knowledge of every relationship while also managing risks effectively. As a result, key TPRM processes become abstract concepts that our fast-paced society, with its shortened attention spans, has to balance.
Knowing this, how can TPRM programs operate effectively?
It Starts with the Right Team. Engagement and alignment across the three lines of defense is critical to your success.
Get Real! By acknowledging the reality of either your starting point or the areas of improvement that your TPRM Program still needs to address, you and your team will be more aligned on the direction and priorities to strategically roadmap your needs.
Take a long-term view of the opportunities to incrementally enhance your TPRM Program's effectiveness. It's a marathon, not a sprint. However, that does not mean your TPRM team shouldn't prioritize the areas of improvement needed to mature your program. Begin by breaking your strategic priorities down into incremental sprints, making the overall process less overwhelming.
Know Your Third Parties (KYTP) - Create opportunities to develop the relationship between your employees and third parties, building upon collaboration and mutual trust. Many times a third party will provide:
A due diligence packet or answers to inherent risk questionnaires. Implement an “If they provide it, you need to review it” motto. Receiving and archiving information is NOT risk management. It is only through review that you can understand, identify, assess, and prepare to mitigate risks.
A number of interactive touchpoint meetings. Leverage these meetings to incrementally address due diligence concerns and to keep learning about your third party's complex ecosystem. Be purposeful when engaging with them and remember that one size does not fit all. Schedule these discussions at a risk-based frequency and recognize that your third party is an extension of your own security program.
A set number of free or discounted online working groups, customer forums, webinars, conferences, etc. This is a great way to network and build relationships with the third party’s personnel with the greatest organizational, operational, and technical knowledge regarding their products, services, and ecosystem.
When your organization is intentional about improving the effectiveness of its relationships with third parties, it will indirectly drive better collaboration, allow more information to be shared, protect your assets and reputation, maintain compliance with regulations, improve your third party's overall experience, and ultimately better mitigate the impact third parties can have on your organization.