Third-party risk management (TPRM) focuses on identifying and mitigating risks associated with third-party vendors, suppliers, partners, contractors, or service providers. TPRM helps businesses monitor and analyze risk posed by third parties to determine when it exceeds the company’s risk threshold.
You must be able to define, measure and monitor threshold levels to identify if and when you have exceeded your risk threshold. Which risks you can control or manage? Which risks to you have little to no control over? Covid-19, Brexit, and the Suez Canal blockage are examples that you had no control over, but you can put yourself a position to effectively minimize risks with a robust Business Continuity Plan (BCP).
According to the World Economic Forum's Global Risks Report 2022, the health of the planet dominates societies concerns over a 10-year horizon. Environmental risks are perceived to be one of the five most critical long-term threats to the world as well as potentially most damaging to people and planet. Climate action failure, extreme weather, and biodiversity loss rank as the top three most severe risks. Respondents to the WEF survey also signaled debt crises and geo-economic confrontations as among the most severe risks over the next 10 years.
Technological risks such as digital inequality and cybersecurity failures are other critical threats. Therefore, we should have risk mitigation strategies in place for all those that directly impact organizations directly as well as indirectly.
All of this suggests that TPRM should be a top priority for procurement and supply chain leaders. Further, have senior stakeholders aligned with what the risk threshold for the business is, what it concerns, where and what it applies to and what the metrics you are collectively working from. We must recognize that country level legislation is now imminent with the German Supply Chain Due Diligence Act coming due in 2023, the Environment Bill under consultation in the UK, and in the financial sector in the UK SS2/21 from the Prudential Regulation Authority.
The Supply Chain Due Diligence Act requires companies to set up processes to identify, assess, prevent and remedy human rights and environmental risks that impact supply chains. They must also provide ways for employees of indirect suppliers to file complaints about human rights or environmental violations including:
-
Forced labor
-
Child labor
-
Discrimination
-
Violations to freedom of association
-
Unethical employment
-
Unsafe working conditions
-
Environmental degradation
In short, TPRM is, not only best practice, but a regulatory imperative. This kind of legislation typically occurs as a consequence of pressure on governments to adhere to a minimum standard. One way of visualizing this is to consider the six stage approach as outline below:
Moving into a more digital and regulated era means that procurement and supply chain leaders will need to have the skills of an “Executive Boundary Spanner” that can talk many languages, persuade and influence without bias, be an ethical, and have the critical thinking skills that make them part of the solution. They will need to consider the multi-faceted authenticity that creates trusting relationships to ensure:
-
Data needs and governance
-
Unifying taxonomy of risk attributes and identifiers
-
Ensure the governance, policies, and procedures are streamlined
-
Clear scope, milestones, and accountable decision makers
-
A digital roadmap to ensure competitive advantage
-
Provide the vision and roadmap for the digitally enabled future
-
Utilization of analytics and decision support systems
-
Agility and flexibility as defined by the organizational risk threshold and appetite
-
Segregated and integrated systems that provide effective defense to cyber security risks
-
Capture the fiscal and non-fiscal benefits of a TPRM programs and communicate them clearly and frequently
-
Don’t assume everyone knows what TPRM is
-
A clear pathway to retain, develop, and attract the right talent
-
Be an authentic collaborator
In taking this approach, leadership needs to be able to address the tough questions such as:
-
How digitally enabled are we and need to be?
-
How far along the digital maturity curve are we as an organization?
-
Is there active and passionate sponsorship for TPRM, and is it fully understood?
-
Who do I need to educate about TPRM and why?
-
What lessons can we learn from others?
-
How can behavioral science help with the change and adoption needed?
-
Even though you can’t plan and budget for everything , where will you start?
Because you can’t afford to wait.