The importance of Third-Party Risk Management - session 2
In the previous blog post you learned about the uncertain events that can influence the success of your business.
In this second blog post session you will discover:
- Who determines the risk appetite of your Organization;
- The risks you should take care of while negotiating your third-party contracts;
- Why risk awareness should not be limited to sourcing managers, legal counsels or auditors;
- The resources and skills required to build sufficient defence gates for your Organization.
(By Jan Vanderstraeten)
1. How to improve your TPRM Capabilities?
1.1. Vision and Roadmap
Risk functions grow their digital fitness when they understand the digital strategy of the Organization and can make sure they are providing strategic advice and assurance over the new and changing risks that the Organization's digital transformation brings. They should make the function's digital vision come to life by setting specific desired outcomes for their digital investments and by changing performance metrics to reinforce the desired behaviours. Setting and measuring desired outcomes are the most influential factors in a risk function's ability to advance the digital plans.
1.2. Understand your third-party landscape and level of risk
The risk function should assemble an inventory of active third parties and associated engagements, conduct an inherent risk analysis of each (including how important each engagement is to the business/value chain) and assess the Organization's aggregate risk position for a given party (see also section 1.9.1 on the Contract Risk Profile). Understand how third parties are used in your Organization and the risk they represent.
1.3. Drive risk management attention
Management should identify processes that are critical to the Organization’s value chain, and then focus risk management investments and resources on the third parties supporting those processes.
1.4. Engage the board and senior management for the most critical and highest risk relationships
Senior management needs to decide on the risk appetite of the Organization and define what can or cannot be outsourced. Third-party relationships should be identified and validated, and the board of directors should be able to oversee the third parties that support the most critical processes.
Senior management should re-evaluate their overarching risk tolerance for third parties. The risk functions must provide more proactive and real-time insights to support decisions that weigh opportunity against risk, using data and creating analytical models or dashboards in an audit.
It is an opportunity for risk functions to collaborate with higher management, create awareness of the risk tolerance and monitor risks in better and more efficient ways.
In order to provide the most relevant and timely information and insights, so the Organization can act on risks in real time, data lakes (1) are tapped. The ability to correlate data points across existing and new data sources will lead to greater collaboration across the lines of defence and to more dynamic risk identification, monitoring and testing. By bringing structured and unstructured data from both internal and external sources into a data lake, risk functions can better predict, identify and address strategic risk. The correlations between data will help the risk function to better understand risk and to respond quickly to changes in the risk profile of the Organization.
Important note: The business case calculation of sourcing initiatives and future projects is often presented too positively, because most risk analytics characterize risks as linear behaviour: when risk A happens, it has B as a consequence. In most cases, however, risk A causes a series of effects at different times. System Dynamics (figure 1) can be an effective method for risk analytics: it makes it possible to quantify cause and effect while taking the time dimension into account.
(1) Establish strategic risk data platforms, inclusive of internal and external data, to enable functions to get a broader view of risks and to foster collaboration on how to manage and monitor risks through the whole life cycle.
Figure 1: Example of System Dynamics impact model
1.5. Drive accountability into the business line and beyond
Accountability for managing third party risks should be built into the fabric of management processes.
1.6. Enable end-to-end risk management through procedures and technology enablement
Risk assessment should be executed during the complete lifecycle of the third-party relationship, including pre-contract assessment and ongoing monitoring during contract execution.
1.7. Incorporate sustainability and continual improvement into your capabilities
Routinely evaluate the effectiveness of your TPRM programs and controls, including rigorous event analysis, quality assurance, and independent reviews.
1.8. Find the right fit for emerging technologies in TPRM
Cloud technologies, Artificial Intelligence, Internet of Things, Robotic Process Automation, analytics capabilities and blockchain are all coming into play at the same time to boost the productivity and quality of risk operations. Risk functions are starting to use bots for reporting and introduce them for tasks such as metrics reporting and quarterly quality assessment reviews. How much you embrace change is a significant success factor in the holistic digital transformation.
1.9. Ensure your contract mitigates risk and meets regulatory requirements
Sourcing teams sometimes learn, to their chagrin, that they do not have the protections they thought they had, and often this news comes at the worst possible time.
Risks are threats to the success of a contract. Every unexpected event that can change the course of execution towards the contractual objectives should be reported as a risk.
1.9.1. The Contract Risk Profile (CRP)
The CRP is an inventory of risks that are considered a threat to the contractual objectives. Based on its own experience, the risk function validates the severity of each risk and rates it with a score from 1 to 5, where score 1 stands for a very low risk and score 5 is considered an unacceptable risk.
1.9.2. CRP Risk Categories
The following risk categories need to be scored in the CRP:
Availability: Are the contract objectives known and clear for both parties? Are there hidden or unwritten objectives in your own Organization? Is there a suspicion of hidden objectives of the counterparty?
Feasibility: Are the contract objectives realistic?
Sufficiently specific: Are the contract objectives sufficiently specific for the risk function to manage?
Match between delivery and objective: Are the deliverables described in the contract in line with the general contract objectives?
1.9.3. Contract Characteristics
These are the characteristics of the contract which are validated by the risk function:
Type of work versus type of contract: Different types of work lead to different complexity of delivery and performance. Is there a match between the chosen contract format, the type of work and the desired cooperation with the third party?
Political sensitivity: Is the assignment being followed critically by the public and/or the media? If the contract is watched by the public, slips or failures are magnified and both parties can suffer image damage.
Lead time: The fulfilment of the need and the commitment to deliver are time-bound. The requested product or performance must be available from or at a specific time, and the vendor can only commit to deliver as long as stocks last or resources remain available. The agreed contract duration, the expected duration of the demand and the availability of resources should be in line with each other. The contract duration in relation to the type of contract is also a risk source for which a reliable estimate must be made. Short secondment contracts generally have a low risk content. Long-term secondment contracts, however, become very risky over time when, in the perception of the client, the commitment to achieve results grows stronger. For long-term fixed-price/milestone contracts, very strict follow-up of the contract obligations is required.
Location of performance: Working in multiple locations inevitably entails risks of miscommunication, cultural differences and extra travel time and costs; next to these risks, differing national holidays cannot be neglected.
Total Contract Value: Contracts with a larger value contain a higher financial risk.
1.9.4. Available Personnel
In service agreements the personnel of both parties can be a risk factor, which should be scored:
Availability of assigned personnel: Is the staff of your own Organization available and are the resources nominated in the contract? Are the third-party resources available and are these resources listed in the contract?
Complexity versus experience in delivery: Is the staff of the third party skilled and do they have experience with similarly complex contracts that were successfully delivered?
Assignment of staff: Which profiles are assigned, and when, during the contract? Is the assignment of staff transparent?
Subcontractors: Is the staff of the subcontractors available, when are they assigned and what kind of profiles are assigned?
1.9.5. Incorporate these standard clauses into your contract
- Liability clause: Limitations in liability should be weighed against an accurate, validated risk exposure.
- Indemnification for third-party claims: All costs and losses caused by IPR infringement on the part of the supplier should be reimbursed by the supplier.
- Intellectual Property & Confidentiality clauses protecting the firm's sensitive corporate information (IP, financial information).
- Data Protection/Data Privacy clauses protecting the Organization's sensitive corporate information (IP, personally identifiable information, financial information): Large vendors often refuse to comply with security assessments, because they believe these surveys are too onerous and that it would be impossible for them to respond to hundreds of such requests. Moreover, it would be difficult to track the vendor's compliance against the security regulations.
- Integrity: Mature Sourcing and Vendor Management teams include integrity clauses in their contracts. E.g., in case of fraud, the client is allowed to exit without extra cost.
1.9.6. Modification of common clauses
Modify common clauses like force majeure to encompass other threats. This contractual provision typically frees both parties from liability when an event happens that is beyond the control of either party, like a pandemic. However, in establishing such protections, Organizations must be careful not to forgive a lack of responsible precaution.
- Extend the eligibility criteria for termination for cause. Contract managers should include termination provisions that provide an early, rapid response to changing supplier conditions, linked to visible triggers such as a sudden reduction in a supplier's credit rating, an admission of fraud, or misleading financial statements.
- Establish clear ownership of assets and documentation. Spend more time defining and claiming such intellectual property in contracts.
Add clauses and terms that address emergent concerns:
- Transition-out requirements. Sourcing teams should become more assertive in securing transition assistance in a contract, with adequate discussion of timeframes and payment provisions. Keep in mind that the requirement should apply whether the Organization transitions the work back in-house or to another provider. A clearly specified division of responsibilities is another important aspect of planning for transition requirements.
- Audit provisions where required. Requesting additional audits of a vendor's conformance with specific industry regulations, service provisioning, pricing or even financials is an increasingly frequent response of outsourcing clients. Audit provisions should be used judiciously, because they are typically jointly funded by client and third party and are normally required only infrequently in the course of an outsourcing contract.
- Clear responsibility for termination costs. Outsourcing contracts have become less asset-intensive in recent years, simplifying termination procedures. However, vendors are becoming less enthusiastic about funding equipment costs and "pass-through" expenses given today's credit crunch, so minimizing these aspects can simplify transition and make it less contentious.
As many of the new scenarios and contingencies in contracting bring additional legal risk and complexity, sourcing teams should ensure that their legal counsel reviews contracts with particular care.
2. Stakeholder Management
Are the risk functions engaging effectively with business leaders and board members regarding their organizations' digital initiatives? Even with new digital tools and capabilities in hand, risk functions must actively engage and communicate with decision makers to contribute throughout the roll-out of digital initiatives. Active engagement also helps risk functions get more timely insights into organizational risks, so they can better align resources and effort. They should stay continuously connected with their stakeholders about the risks arising from technology innovations. Involvement during the whole innovation process, by recommending controls, assessing risks and discussing policies, is key. Risk functions should present a consolidated and easy-to-understand view of risks with the help of digital dashboards, and they should chime in at the right moment so leaders can make more informed decisions.
3. Resource Management
Do your risk functions have the right skills and collaboration tools to work in agile ways across the lines of defence? Risk functions need the knowledge and skill sets to provide advice on risks, both from a business and from an (emerging) technology perspective. Risk analysis is becoming more data-driven, so that strategic insights can be provided at the pace and scale of the Organization's digital transformation. It takes continuous investment to keep skills fresh as technology evolves and to keep digital resources satisfied.
The following skills can be seen as critical:
- Critical thinking
- Data analytics
- Technology
- Cyber and privacy
- Project management, collaboration and change management
- Storytelling
- Understanding of governance, risk and compliance (GRC)
4. Conclusion
Collaborate and align to provide a consolidated view of risks. Now is the time for risk functions to work in concert to help the Organization through its digital journey. Cost curves, technology capabilities and quality data are making the fusing of some activities more affordable, more feasible and more powerful. By working from one source of data on a common platform with a common tech stack, risk functions can bring leaders a consolidated view of risks. Successful risk leaders set themselves apart most in their use of (i) one set of risk metrics or KRIs tied to organizational key performance indicators, (ii) a common risk taxonomy across the enterprise, and (iii) a common policy framework. These are all necessary steps towards building a common view of risks.
5. References
Linda Tonkes and Gert-Jan Vlasveld, CATS CM version 4 Succescontractmanagement, 4th edition, 's-Hertogenbosch: Van Haren Publishing, 2020.
Bill Martorelli, Christine Ferrusi Ross and Elizabeth Rose, Forrester: New Contract Terms for Outsourcing Deals: Economic and vendor issues require sourcing teams to change contract clauses, 2017.
Jason Pett, Mike Maali, Jim Woods, Vicky Coxon, Scott Greenfield, Andrew McPherson and Brian Schwartz, PwC: Being a smarter risk taker through digital transformation, 2019.
Qiang Yan, Simin Zhou, Xiaoyan Zhang and Ye Li, A System Dynamics Model of Online Stores' Sales: Positive and Negative E-WOM and Promotion Perspective (system dynamics of electronic word of mouth, e-WOM), MDPI, published 31/10/2019.