Renewing Your Third-Party Risk Management Vows — A Real World Perspective (Part I of V)
When you get on the mailing lists for legal and compliance products, seminars, conferences and general palabra, I usually become transfixed. Millions of marketing and promotion dollars are being spent in an attempt to distinguish or highlight the subject of third-party risk, position a product or highlight the expertise of a speaker. Sometimes I take the time to read some of the emails — to be honest, I wish I did not.
I recently read a promotion for a third-party risk management conference and was struck by the fact that the message said next to nothing of value except general strings of phrases that I know in the real world has little practical importance. Indeed, the speaker at the conference had written a “best-selling” book on the subject (don’t ask me where since I did not see it on any best seller list). In the end, the best I could tell the conference was about third-party risk management, included high-level statements surrounding the issue and underscored the expertise of the leading thinker on the issue.
Now, mind you, I have nothing against the conference promoters, the speaker and the need for such a conference. That being said, what troubles me is the fact that such conferences are not addressing the need of most legal and compliance professionals who want to address their third-party risks and are searching for real-world solutions, not platitudes of theory, aspirations, so-called compliance rock stars and general mumbo jumbo (a technical term I know).
Excuse me, but the legal and compliance product and conference industry has to get its act together. They need to respond to the specific demand of legal and compliance professionals, especially in various key areas such as third-party risk, policy management, training and employee reporting systems.
My series this week is intended to bring us back to planet earth and renew our commitment to third-party risk management, starting with approaches to holistic third-party risk management; division of risk management functions between onboarding and monitoring and auditing; segregation of the third-party population by function (distribution/sales versus supply chain/procurement); design of appropriate controls, and oversight of the third-party population. My approach is guided by two basic principles — first, the system has to be affordable, and second, the system has to be practical and relatively easy to use. It has to have applications to legal and compliance programs that can be implemented realistically.
The global economy has suffered two significant shocks — first, the pandemic sent shockwaves through every organization, and second, the war in Ukraine. Both of these events exposed the importance of risk management, especially with regard to supply chain and distribution operations. Hence, the renewed focus on third-party risk management and the repetitive description of “holistic” third-party risk management.
Reality has a way of forcing change and we are now experiencing significant adjustments to overall risk management procedures. At the top of every list has to be third-party risk management beyond legal and compliance risks — we have new disruptive risks that have to be identified, quantified or ranked, and then addressed.
At the heart of every risk management system is a simple proposition — every organization has limited resources to dedicate to a third-party risk management system and therefore any system has to be based on a risk-based priority system. In other words, when designing a third-party risk management system, legal and compliance professionals have to allocate resources based on a priority system that identifies high-risk issues and risk ranks specific categories and populations.
It is not feasible to design and implement a system that eliminates all risks.
Such a system, while theoretically possible, is not practical. A risk-based system, by definition, leaves every ethics and compliance program with exposure — the overarching question is what types of risk and how much?
My series this week is intended to address how to implement a system starting with an immature third-party risk management system — i.e., an open source intelligence database combined with a spreadsheet listing all third parties divided into two basic categories — sales/distributors and supply chain/vendors. While many organizations have moved past this point in developing their third-party risk management systems, the principles outlined in the series are consistent throughout the process — whether you have a manual or an automated system, a sophisticated ranking, oversight and auditing program to manage such risks, and robust notification and monitoring protocols.