Michael Bohnel

2024 – The Year Third-Party Risk Management Takes Center Stage on the Board's Agenda

Updated: Jan 10

Let’s be honest: we have all been talking about Third-Party Risk Management (TPRM) for several years now and, while progress has been made, organisations continue to grapple with multiple third-party related incidents every year.

2024 will be the year in which we see organisations focusing on risks such as:

  • Economic Risks: Organisations must navigate economic challenges like steadying inflation, balancing cost-cutting measures with maintaining a positive customer experience, and grappling with rising insurance premiums.

  • Technology Risks: The proliferation of AI and the concentration of services in a few cloud providers pose significant technology-related risks.

  • Climate Risks: Climate change remains an ever-present concern, with investors and stakeholders pressuring organisations to reduce their environmental impact. Additionally, political risks, especially with elections in various regions and continuing geopolitical tensions, further compound these challenges. All of this is in addition to the existing risks organisations must manage.

This can be daunting and is one of the reasons organisations are still having too many third-party (and other) operational incidents: they can’t see the wood for the trees when prioritising where they should focus.

It doesn’t have to be like this.

The progress made in recent years needs to continue. Boards require meaningful information that instils confidence in the following areas:

  • Risk assessments are robust enough to identify all third-party risks that may impact delivery of the organisation’s strategy.

  • Third-party risks have been prioritised against all the other risks being faced.

  • Action plans are concise with clear action owners and deadlines.

Getting third-party risk management right not only helps prevent costly incidents but can also lead to proactive cost savings and revenue generation (e.g., reduced insurance premiums and attracting customers who see you as a resilient service provider).

What do we suggest you do? At Caveris we firmly believe technology is a key enabler and suggest the following:

  • Improve the quality of your risk assessments:

    • Get the right experts involved, encourage collaboration and break down silos. Workflow within a good GRC platform can help with this.

    • Look at dependencies between risks, do root cause analysis on previous incidents and do ‘what if’ scenario planning. If you have a good GRC tool with robust reporting, your team will have time to do this as they no longer need to spend the time preparing Excel-based reports. Modern GRC tools can also provide reporting that helps you identify some of these trends and dependencies.

  • Align third-party risk management to your strategic goals.

    • Over the last few years, firms in industries such as financial services have spent time mapping the important business services that deliver customer outcomes to the ‘pillars’ that enable those services. This includes the third parties. It is not a huge leap to align this mapping to your strategy. You can then be very specific about which third-party risks could impact the delivery of your strategy, so you can manage them. This allows the Board to prioritise and to ‘see the wood for the trees’.

    • A number of firms face challenges meeting their strategic goals. Remember, a specific risk assessment workshop to identify execution risks can be very helpful.

  • Use data so you are proactive and not reactive:

    • There are subscription and open-source data repositories available that will allow you to look at the cyber, financial, restrictions, etc. ‘scores’ your third parties (and associated fourth / fifth parties) have. Use this data to enhance the quality of your third-party risk assessments.

    • Given that the data is available, you should have Key Risk Indicators and Continuous Control Monitoring in place to allow you to spot problems proactively. Setting this up is not easy, and you should start small with a pilot to prove the value and get the necessary stakeholder buy-in.

In summary, the number of third parties that firms are using has increased, the reliance on them has increased and the amount spent on third-party risk management has increased, yet we are still seeing persistent third-party related incidents.

Third-Party Risk Management should be on every Board’s agenda, but Boards need the right information so they can prioritise and focus efforts on what is most important to achieving the strategy. Incidents are inevitable, but organisations that follow an approach like the one outlined above will have improved visibility of risks and the confidence to manage them effectively. They will also possess the agility to respond should the worst-case scenario become a reality.

If this is a topic close to your heart, we would love to hear from you. For a free, no-obligation conversation to share ideas, please contact us at [email protected]




Caveris Blog
