The worldwide crisis made us hyper-aware that trust-worthy relationships are vital. Effective third-party risk management is the best way to gain assurance that responses and decisions are risk-informed. Managing third-party relationships, calibrated for criticality and risks, has never been more critical. This is the most reliable path to strengthen business resilience, protect stakeholders and the bottom line.
Before the pandemic, supply chain risk management was talked about but not treated like the professional discipline it is. And the broader scope of third-party risk management was often thought of as either a “check-the-box” compliance exercise or something imposed on your business by someone in headquarters.
Did third-party risk management capabilities just catch fire?
The term supply chain typically refers to physical goods, either input materials or distribution of input materials and finished goods. The term “third-party” blankets every relationship in a firm’s extended enterprise, excluding their customer relationships. Third parties are part of supply chains, but every company has far more third-party relationships than supply chain relationships.
Third parties are vendors, suppliers, service providers, outsourcers, resellers, agents, channel, brand and joint venture partners, market utilities such as SWIFT and intermediaries such as credit card processors, utilities, charities, subscription services, contractors, affiliates, rating agencies, government agencies, trade associations. And the list goes on, according to the products or services you offer, and the industry sector and markets you’re in.
You may be asking, “why does the distinction between third party and supply chain risk matter?" By broadening your thinking and scope of risk management activities, you can address supply chain risk and all third-party relationships.
For example, with the ongoing pandemic, firms in every part of the world are dealing with exponential levels of third-party risk, including but not limited to supply chain risk. Just-in-time delivery practices mean that raw materials, parts and cleaning supplies are not readily available. And gone is predictability for the physical movement of goods.
Beyond supply chain risk, most firms find themselves wrestling third-party risks like cybersecurity and denial of service attacks that impair the third parties’ ability to perform. Standard third party physical security risk controls flew out the window when third-party employees transitioned to working from home.
Revenues fell to historic lows for many companies and their critical third parties when the world came to a halt, causing great uncertainty about their mid- to long-term financial health. This affects their ability to retain top talent, invest in technologies, processes and research. Business resilience, business continuity, pandemic planning and contingency plans for companies and their third and fourth parties immediately transitioned from status as an academic exercise to reality.
Companies with strong third-party risk management practices have a better chance of surviving and thriving.
Lifecycle Management Model Versus Governance Framework
If third-party risk management were a two-sided coin, one side would have a Lifecycle Management model on it and the other would have a Governance Framework.
A Lifecycle Management Model, sometimes called a “Target Operating Model,” is a visualization of the steps, repeatable processes and reusable tools that companies build to identify, assess, manage and monitor critical third parties throughout the lifetime of relationships, calibrated for criticality and the quality and quantity of risk.
The Governance Framework depicts the methodologies, controls, and reporting that delivers risk insight and enables risk-informed decisions and alignment between the amount and type of third-party risk the company is willing to accept and its risk appetite.
Third-party risk management is a complex discipline that crosses the company vertically and horizontally. It’s a team sport, touching every part of every company’s operations. Whether you’re in a customer-facing segment or behind the scenes, a strong working knowledge of effective third-party risk management is a valuable asset.