We have been discussing Third Party Risk Management (TPRM) for about as long as our firm has been around – actually, perhaps even longer. And what we said was important decades ago is perhaps existential risk these days. All you have to do is to look at all the Supply Chain disruptions that we are facing and will continue to face including potential starvation in some parts of the world because of the breakdown of the food supply chain (Ukraine).
Here are some considerations that ALL of us must face and deal with quickly. This is what a number of suppliers are facing these days:
- Decline in revenues
- Increase in pressure from customers to reduce costs
- Ongoing viability concerns
- Consolidation of supplier base
- Customer retention
- Expansion of product lines to attract new customers
- Reduction in staff Fewer employees to handle more business & transactions
- Increase in use of subcontractors and off-shore providers
This list can grow quickly but the point remains – our suppliers are facing significantly more risks which means that most of those risks are being passed along to us.
The overall goal of TPRM is to progressively reduce exposure to risk from third party suppliers by:
- Identifying and quantifying the risk associated with third parties.
- Creating infrastructure to avoid, minimize or mitigate these risks
- Developing processes to implement risk responses based on timely identification of risk events
- Performing ongoing monitoring of risk exposure
- Institutionalizing TPRM capabilities throughout the organization
Without the above guiding principles, most TPRM initiatives fail to deliver their intended benefits.
Another common mistake is that there is a lack of integration with many other functions. Maximum effectiveness also requires integration with other related processes and functions:
- Sourcing / Procurement
- Credit Analysis
- Governance
- Compliance
- Capital Planning
- Audit
- Risk Analysis
- Legal
- Insurance
A TPRM process should also include required due diligence areas keyed to type of relationship. This will allow a customized approach as opposed to a one size fits all:
Here are some sample factors to draw from.
- Performance History & Reliability
- Financial Viability
- Personnel/Account Management
- Breadth of Services
- Service Delivery and Levels
- Geographic Reach
- Partnerships
- Technology Infrastructure
- Contract Flexibility
- Total Cost of Service
And of course, clear outlines of duties, responsibilities and obligations are also key to a successful TPRM program, and these are typically what we would expect to find:
- Scope
- Measurement, benchmarks
- Right to audit
- Cost and compensation
- Ownership and license
- Confidentiality and security
- Disaster recovery
- Insurance
- Dispute resolution
- Liability limits
- Termination
- Customer complaints
- Foreign-based providers
And the last and probably the most important point to be made about TPRM is that it’s an ongoing activity versus a point in time event. And therefore, the following must be attended to:
- Governance Structures and Controls
- Monitor Financial Condition
- Of Third Party
- Of Business Arrangement
- Monitor Controls
- Review Quality of Service
- Periodic Review of Providers and Portfolios
- Documentation
While most of the above points may feel fairly obvious, most TPRM programs are still lacking most of these so we would encourage you to use it as a check list for your program. The need for an effective TPRM program has NEVER been more critical.
