3PRM, or Third Party Risk Management, is a relatively new and rapidly evolving discipline, driven primarily by regulators in the financial services sector. Like sourcing, procurement and other risk disciplines, it is a highly complex, matrixed set of processes, tools, skills and outcomes. So what do sourcing and procurement professionals need to know about 3PRM? And how does this relate to effectively identifying, assessing, managing and controlling 3rd party risk? Let's start with some fundamentals that will send you on your way to seeing 3PRM in 3D.
What is a 3rd Party?
Historically, sourcing and procurement organizations were tasked with acquiring and contracting sound vendor relationships that meet business requirements at the best cost. "3rd party" is a broader term that includes both vendor and non-vendor relationships: in essence, all commercial relationships except those with clients. Whether you were involved in sourcing them or not, vendors are relatively easy to find; all of them appear in your active vendor list in Accounts Payable. Non-vendor relationships are often very difficult to identify because they may or may not include a monetary exchange, and when they do, it may be buried in a business line P&L. Some examples are shared revenues, co-branding/marketing agreements, joint product development, fees paid from or deducted from external sources, basis point earnings, or some other opaque arrangement. These relationships carry the same data, operational and reputational exposure as a paid vendor, so the inventory of 3rd parties must be built from more than the payables file.
3rd Party Lifecycle Management
A robust 3PRM program is sequential and leverages the expertise of risk management specialists from a wide range of disciplines, including Enterprise Risk Management, Operational Risk Management, Information Security and Privacy, Physical Security, Business Continuity Management, Legal, Compliance, Finance and many other specialized risk management functions, some of which are specific to the outsourced activity or the industry.
Our proprietary 3PRM Operating Framework is a visual depiction of a typical 3PRM lifecycle, supported by a 3PRM Governance Framework. The Framework is complete, is transferable across industries, and has met with regulatory approval in the intensely scrutinized financial services regulatory environment.
Unlike project-based out/sourcing events, 3PRM is executed throughout the lifecycle of 3rd party relationships, from initial strategy discussions through to termination and sometimes beyond. An effective 3PRM program is sequential and specifically defines the roles, responsibilities, processes, tasks and documentation required at each step and stage of the relationship.
Quantifying 3rd Party Risk
Understanding the risks associated with a third party relationship through the lens of the criticality of the business activity and the relationship is the linchpin of an effective 3PRM program. That means having a systematic, consistent process to identify a wide range of 3rd party risks, comprehensive due diligence and risk assessment processes, and a process to quantify the relationships and risks into structured tiers.
A well-designed 3PRM program quantifies both the Inherent and the Residual risk of 3rd party relationships and critical activities. Typically, it enables quantification of 3rd party relationships into four tiers of risk: enterprise critical (that handful of relationships that could cripple or bring down your whole company), high, moderate and low risk. Additionally, similar to low-value "tail spend", 3PRM programs invariably have a long tail of very low risk relationships that require little, if any, active management. The tier drives everything that follows: the depth of due diligence, the controls you negotiate, and how often the relationship is reassessed.
The terms Inherent and Residual risk are simple to understand, even though they are a lot of work to quantify. Inherent risk is the risk a 3rd party relationship presents in the absence of controls. Residual risk is the risk that remains after the adequacy of the 3rd party's internal controls has been evaluated, and after your company negotiates appropriate incremental controls, if required. Therefore, Residual risk can be equal to or lower than Inherent risk, but never higher. One practical caveat: only controls whose effectiveness has actually been evaluated reduce Residual risk; a control that a 3rd party asserts but that you have not validated should leave the rating at Inherent.
3rd Party Management
Whoever identifies and assesses the risk or defines the risk controls, all 3rd party risk is owned by the lines of business, who are referred to as the "first line of defense". Ownership is not the same as discretion, however: it is no longer enough to leave it to the relationship owner in the first line of defense to decide how a 3rd party relationship will be managed. It is the responsibility of the 3rd party risk management team, typically in a corporate function like Procurement or Enterprise/Operational Risk in the "second line of defense", to define management responsibilities, tasks, documentation and frequency, and to periodically validate compliance. This includes managing performance to SLAs, conducting periodic business reviews, dealing with incidents and outages, maintaining change control logs, validating invoices against contract pricing, assessing customer satisfaction, and much more.
Monitoring your 3rd Parties
Monitoring is typically a shared responsibility. The 3rd party risk management program must define the type, frequency and responsibilities for monitoring 3rd party relationships and risks. Monitoring may consist of periodically reassessing multiple dimensions of risk by refreshing the due diligence that was executed during the selection and/or contract renewal process, contracting for and evaluating alerts and externally sourced negative news about the 3rd party, validating required controls, and requiring and assessing independent controls assessments such as SOC 2 reports or SSAE 16 (SOC 1) reports. When relying on such reports, confirm that the scope, the reporting period and the covered locations match the service you actually consume, read any exceptions the auditor noted, and review the complementary user entity controls the report assumes you operate on your side.
There are several types of controls in a well-designed 3rd party risk management program. Every 3rd party has internal controls that must be evaluated for their effectiveness. Their internal controls may mirror the controls within your own environment, and may be stronger or weaker. The key is to have a consistent, risk-adjusted assessment process so you can evaluate their effectiveness and act reasonably on the result. Your own company also has expectations regarding the internal controls your 3rd party is executing against. Some of these may be negotiated in the contract; others are simply standard contractual terms designed to protect your company. It is unusual to get everything you ask for, so your processes need to determine the effectiveness of the controls as actually negotiated, not as originally requested. And finally, your internal risk experts may introduce additional controls that the line of business relationship owner must build into their management of the 3rd party relationship.
Effective 3rd party risk management is a never-ending journey, and one that is easily weighed down by too much baggage. It's your job to simplify the complexity and right-size it according to the criticality and risks presented by each relationship. If your 3rd party program is risk-centric and risk-adjusted, you're already seeing 3PRM in 3D.
About the Author
Linda Tuck Chapman, President of Ontala Performance Solutions Ltd. and CPO Emeritus, works in association with Crowe Horwath Global Risk Consulting. Linda is a respected author, popular speaker and widely recognized subject matter expert in 3rd party management, outsourcing governance and sourcing optimization. You can contact Linda at firstname.lastname@example.org or 416.452.4635.