by Patrick Ryan, Managing Director and Lee Bristow, Chief Technology Officer of Phinity Risk Solutions
Third Party Risk Management (TPRM) is a pillar of operational resilience. Based on extensive experience, it has become clear that most organisations are unaware of how many third parties are involved in their operations, never mind the risks that these third parties pose to the organisation. There is unquestionable strategic value in employing third parties to assist with the organisation’s service or product delivery, including:
The science of managing the risks associated with employing these Third Parties has, however, lagged, exposing organisations to unknown risks.
Some of the key steps to be followed in order to manage these risks include:
“Third parties aren’t going away any time soon, so we need to manage the risks,” says Lee Bristow, Chief Operations Officer for Phinity Risk Solutions.
Making a concerted effort to manage and mitigate Third Party risk involves identifying and categorising the different types of Third Parties and how they can impact an organisation. These Third Parties can be diverse and often organisations do not consider all types.
The following diagram outlines the key parts of the business that utilise Third Parties and the typical nature of those Third Parties:
“43% of organisations do not perform due diligence checks on their Third Parties,” says Patrick Ryan, “so the TPRM process has a shaky start. As the number of Third Parties used by an organisation increases, the number of risks posed to that organisation increases too”.
The diagram below outlines some of the key risks that organisations should be aware of. Typically, the management of these risks sits within different functions at the organisation (e.g. Compliance, Enterprise Risk Management, Operational Risk, Information Security, etc.), so one of the challenges is to create a process that can cater to all of the internal stakeholders’ needs.
TPRM is becoming a strategic priority for many organisations. Based on client research, most organisations tend to lean towards a decentralised approach to TPRM due to the size and complexity of an organisation and their pre-existing processes.
Having a variety of TPRM processes can become problematic if not managed holistically. The organisation may not have the high-level perspective that is needed to be aware of all the risks that come with different third parties, and the varying nature of the processes may lead to inefficiencies.
So, whilst third party ownership is an organisation-wide responsibility, organisational leadership should drive toward a shared framework and tools to enable the various risk management processes to share data and create efficiencies. This framework may be owned and overseen by risk management or procurement.
“By implementing a centralised Third Party Risk Management Framework, TPRM processes can be unified under an umbrella of excellence,” says Patrick Ryan.
Based on our experience and research, the vast majority of organisations still use manual processes and spreadsheets for TPRM. This manual approach means that scarce resources spend their time collecting data instead of analysing the data collected and remediating the risks that have been identified. According to Lee Bristow,
Managing Third Party risk manually is tedious, time-consuming and often ineffective. There is a better way to manage third party risks.
Automation, such as Phinity Risk Solutions, can help organisations fast-track their TPRM by providing a common framework, risk identification resources, efficient reporting, status tracking, and exception-based risk identification, all of which help the organisation cover more risk in an efficient manner.
Phinity provides a true integrated TPRM Framework that pulls together all of the disparate processes into a single unified method to manage risk effectively.