“Everybody is doing something to manage third-party risk, but no one is doing exactly the same thing.”
We joined nearly 200 risk, compliance, legal and vendor management professionals at the summit to hear about current practices, emerging trends and new technologies. This was the fourth year for the conference and it was a full house. The adoption of third-party risk management continues to grow.
As we listened to panelists from Google, United Airlines, Target, FedEx and others with established TPRM programs, it was really interesting to hear that no two companies are doing it exactly the same way. What they are doing is adopting the fundamentals of governance, policies, standards and reporting - and then personalizing the program to align with their own unique goals, industry requirements and overall risk appetites.
We heard a lot of insights and practical advice from both panelists and attendees who manage TPRM programs within their respective companies. Here are a few of our favorite quotes and takeaways:
“Risks with your third parties change - they aren’t static. You need to continuously evaluate and monitor them as the world changes around you.”
“If you’re waiting for the auditors/regulators to show up to know whether or not your TPRM program is working, you probably already know the outcome. You have to test it to know it’s working.”
When information about third parties is siloed, it’s impossible to make educated, compliant decisions. Get important data about your third parties in one place.”
“One area that’s getting a lot of focus right now is fourth-party risk; that is, understanding who your vendors rely on to provide goods or services to you. When you have critical vendors, you should know who your fourth parties are.”
“Risk profiles and appetites are different for every company. You need to know what yours are before you can design an effective TPRM program.”
“I’ve seen the vendor management office ‘live’ successfully within functional business units such as compliance, risk, operations and even procurement. However, the function that’s driving your desire for a VMO is likely the best place for it to live.”
“Lots of third parties sit outside of accounts payable. When you create your initial inventory of third parties, you’ll need to capture data from multiple systems to ensure you have a complete and accurate inventory.”
“We view our third-party program in three stages: design, implement and mature. We are through the first two, and will be working on the third continuously.”
“If your standard process is to wait until after the contract is signed to perform due diligence on your third parties you are wasting your time. It’s too late.”
“After due diligence is done we really hone in on addressing the residual risk; that is, the amount of risk that remains after we’ve been able to reduce it through other means.”
One final note. As we recommend to our clients, there was consensus that regardless of what industry you’re in you have to take a risk-based approach to managing third parties. Not all of them are created equal.
Focus on your biggest risk areas, get going with the fundamentals and continuously mature and right-size the program for your organization and your risk appetite!