- Published: Thursday 03 February 2022 09:16
Jelle Groenendaal and Bram Ketting provide advice for implementation and improvement. They present a checklist for third-party risk management: a six-step implementation approach and 10 good practices.
In its latest Global Risks Report 2022, the World Economic Forum stresses the increased risk of supply chain disruption as companies continue to outsource critical processes to third parties and digitize their physical supply chains. As stated in the report: “The digitization of physical supply chains creates new vulnerabilities.” Managing third-party risk is therefore more important than ever. This article outlines 10 good practices for implementing Third-Party Risk Management (TPRM).
Six-step implementation approach
TPRM is defined as the process of managing the risks posed to an organization by its vendors, suppliers, contractors, business partners, alliances, agents, and other external stakeholders who provide products or services.
Simply put, any organization, regardless of sector or size, can use the following six steps to implement and get started with TPRM.
- Establish the foundation: The first steps towards implementing third-party risk management include appointing a senior leader to implement TPRM, developing a vision and strategy aligned with the business (e.g. what is the purpose of TPRM?), defining the scope (e.g. which third parties and which risk domains are covered?), assigning ownership (who is accountable for TPRM?), developing an operating model (e.g. should TPRM be run locally or centrally?), establishing policies and corresponding procedures (what needs to be done, and do governance changes need to be made?) and implementing tooling (e.g. how can TPRM be enforced efficiently and effectively?).
- Define your requirements: The second step defines the requirements that third-party risk management should consider. We can distinguish between two types of requirements: internal requirements (internal policies, business decisions, etc.) and external requirements (regulations, industry standards, sustainability, compliance certifications, etc.).
- Create a third-party inventory: The third step is to create an overview of all third parties and agreements. Some organizations may be able to leverage an existing inventory from procurement or strategic purchasing. Other organizations do not have a single source of truth and must build this from scratch. Be sure to assign a business owner and a contact for each third party and each contract.
- Prioritize third parties: The fourth step involves prioritizing third parties by assigning risk profiles to third-party engagements. Defining a risk profile for each third party and contract will help determine (a) which third parties are subject to due diligence assessments and (b) the order in which the third parties or contracts should be evaluated.
- Conduct due diligence assessments: The fifth step is to conduct a due diligence assessment. A variety of assessment types are available, ranging from self-assessments and audits to third-party data providers. From a content perspective, you have several options: you can use best-practice assessment surveys, request a compliance statement, or create your own survey (preferably based on recognized frameworks such as ISO or NIST). Due diligence assessments can be performed pre-contract, during contract renewal, after external events (incidents, regulatory changes, etc.), periodically, risk-based, or continuously.
- Monitor and follow up: The sixth and final step is to ensure that all assessments are completed, analyzed and reported to the identified stakeholders. Follow-up is initiated for risks deemed unacceptable.
10 Good Practices for Implementing Third Party Risk Management
- Formulate a clear and compelling vision. The vision guides the setup and is key to executive buy-in.
- Involve internal stakeholders such as risk and compliance, security, procurement, and the business from the beginning of the third-party risk management design and implementation process. As TPRM is a major project, buy-in from all stakeholders is required.
- Consider a centralized third-party risk management model that gets input from the business and facilitates risk assessment on their behalf. A centralized model promotes standardization and is usually more cost-effective.
- Ensure that third party risk management obligations are well documented in policies and corresponding procedures. A new or updated policy document that reflects the desired TPRM operating model is a condition for effective TPRM functionality.
- Use dedicated third-party risk management tools. Professional software is built entirely to manage third-party risk. Say goodbye to spreadsheet headaches!
- Distinguish between third parties and contracts. Keeping separate inventories of third parties (Third-Party Catalog) and contracts (Contract Catalog) is recommended, as you can get completely different services from one supplier.
- Assign risk profiles to third parties and contracts. By prioritizing between third parties and contracts, you can decide what to evaluate and in what order. This is especially useful if you have many suppliers.
- Perform due diligence assessments based on risk profile, service type, contract value, and other metrics. You don’t want to ask a small supplier the 200+ questions you ask a multinational company.
- Tailor the timing of the assessment to the risk profile of third parties and contracts. Simply put, you may want to evaluate critical suppliers more often than non-critical ones.
- Before you send out your initial due diligence assessment, start thinking about your data collection, analysis, and follow-up processes. Again, professional tools help you to securely process assessment results, perform an initial analysis of the responses provided, and start follow-up.
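The following Python script is an added worked example and is not code from the article, from RiskWork or from 3rdRisk. It ties together steps three to five and good practices 6 to 8: a third-party catalog kept separate from a contract catalog (one supplier can deliver very different services), a risk profile per contract, and an assessment plan that decides the assessment type and cadence from that profile. The scoring weights, tier thresholds, assessment types and intervals are assumptions chosen for illustration; the sample catalog is constructed.

```python
"""Added example: third-party and contract catalogs, risk profiles and an
assessment plan. Weights, tiers and cadences below are assumptions, not
values from the article or from any TPRM product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThirdParty:
    name: str
    owner: str  # business owner accountable for the relationship


@dataclass(frozen=True)
class Contract:
    third_party: str        # must match a ThirdParty.name in the catalog
    service: str
    owner: str              # contact for this specific agreement
    value_eur: int
    personal_data: bool     # the service processes personal data for us
    critical_process: bool  # the service supports a business-critical process
    system_access: bool     # the supplier has accounts or network access into our environment


def risk_score(c: Contract) -> int:
    """Assumed weights: each attribute adds a fixed amount to the score."""
    score = 0
    if c.critical_process:
        score += 40
    if c.personal_data:
        score += 25
    if c.system_access:
        score += 15
    if c.value_eur >= 1_000_000:
        score += 20
    elif c.value_eur >= 100_000:
        score += 10
    return score


def risk_tier(score: int) -> str:
    """Assumed thresholds mapping a score to a risk profile."""
    if score >= 70:
        return "critical"
    if score >= 45:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


# Assumed plan per tier: (assessment type, months between assessments).
# Critical suppliers get the full survey often; low-risk ones only a
# compliance statement, so a small supplier is not sent a 200-question survey.
ASSESSMENT_PLAN = {
    "critical": ("full questionnaire with evidence review", 6),
    "high": ("full questionnaire", 12),
    "medium": ("lite questionnaire", 24),
    "low": ("compliance statement", 36),
}


def validate_inventory(third_parties, contracts):
    """Inventory check: every contract points at a catalogued third party,
    and every third party and contract has an owner. Returns the problems found."""
    known = {tp.name for tp in third_parties}
    issues = []
    for tp in third_parties:
        if not tp.owner:
            issues.append(f"third party {tp.name!r} has no business owner")
    for c in contracts:
        if c.third_party not in known:
            issues.append(f"contract {c.service!r} references unknown third party {c.third_party!r}")
        if not c.owner:
            issues.append(f"contract {c.service!r} has no contact/owner")
    return issues


def plan_assessments(contracts):
    """Score every contract and return the assessment plan, highest risk first
    (sorted() is stable, so equal scores keep catalog order)."""
    rows = []
    for c in contracts:
        score = risk_score(c)
        tier = risk_tier(score)
        kind, months = ASSESSMENT_PLAN[tier]
        rows.append({"third_party": c.third_party, "service": c.service, "score": score,
                     "tier": tier, "assessment": kind, "every_months": months})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample catalogs (fictional suppliers).
THIRD_PARTIES = [
    ThirdParty("Acme Cloud", "Head of IT"),
    ThirdParty("PayFast", "CFO"),
    ThirdParty("HRSoft", "Head of HR"),
    ThirdParty("CleanCo", "Facilities manager"),
]
CONTRACTS = [
    Contract("Acme Cloud", "hosting of customer portal", "Portal product owner", 1_500_000, True, True, True),
    Contract("Acme Cloud", "office printing supplies", "Office manager", 20_000, False, False, False),
    Contract("PayFast", "payment processing", "Finance lead", 300_000, True, True, False),
    Contract("HRSoft", "HR SaaS", "HR systems lead", 80_000, True, False, True),
    Contract("CleanCo", "office cleaning", "Facilities manager", 50_000, False, False, False),
]

if __name__ == "__main__":
    for issue in validate_inventory(THIRD_PARTIES, CONTRACTS):
        print("inventory issue:", issue)
    for row in plan_assessments(CONTRACTS):
        print(f"{row['score']:3d} {row['tier']:8s} {row['third_party']:10s} "
              f"{row['service']:28s} {row['assessment']} every {row['every_months']} months")
```

Run as a script, the plan lists the Acme Cloud hosting contract and the payment processor first (both "critical", assessed every six months), the HR SaaS as "medium", and the printing-supplies contract from the same supplier Acme Cloud as "low", which is the point of keeping contracts separate from third parties. Replace the weights and intervals with the ones your policy document defines; the structure (catalogs, owner check, profile, plan) is what carries over.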
Jelle Groenendaal and Bram Ketting are Managing Partners at RiskWork. Bram is also the managing director of 3rdRisk, a TPRM SaaS platform.