The Ever-Evolving Framework for Third-Party Risk Management

Compliance has its lingo — and one term in particular I like, Third-Party Risk Management, or “TPRM.”  Years ago, everyone cited third-party risks.  Now, we use TPRM as if everyone knows exactly what it stands for.

The language usually evolves with the substance, and that is certainly true here.  The coverage of third-party risk has expanded over the years to embrace many new risks, issues and challenges.

In the early days, we were hyper-focused on third-party anti-bribery risks, given the new emphasis on third-party misconduct highlighted in DOJ and SEC FCPA enforcement actions.  Companies responded with new mitigation strategies, and compliance vendors developed new technologies and platforms to address anti-corruption risks and to support third-party due diligence and monitoring programs.

At the same time, aggressive sanctions enforcement underscored the third-party risk of dealing with sanctioned individuals and entities.  To no one’s surprise, sanctions and anti-corruption became the primary focus of TPRM programs.

Like everything else in compliance, TPRM was not static.  As cybersecurity risks increased, so did the need to identify third-party cybersecurity risks.  The Target breach of 2013, in which attackers used network credentials stolen from an HVAC vendor to reach Target’s systems and steal tens of millions of payment card records, was the result of a third party’s failure to maintain basic data security protections, compounded by vendor access that was not sufficiently segmented from the rest of the network.  As a result, TPRM had to expand to incorporate this new area of inquiry, given the ease with which attackers can gain access to corporate systems through a weakly secured third party.

Many TPRM systems were expanded to give IT and cybersecurity a role in third-party onboarding and monitoring, for example by reviewing a vendor’s security controls before granting it network or data access and by revisiting that access periodically.  By bringing these functions together, companies were able to ensure that consistent and efficient controls were applied.

Similarly, as data privacy concerns have grown with the enactment of GDPR and other data privacy frameworks, third-party risks have grown yet again to include this important compliance concern.  Third parties come into contact with, and take possession of, sensitive data shared with them by a company, or vice versa, and there needs to be appropriate sensitivity to these issues, along with corresponding compliance commitments.

And so, we are now witnessing yet another new risk being added to the equation.  As Artificial Intelligence risks continue to develop, third parties present a potential risk in their use of AI and in their interactions with companies.  Depending on the third-party function, compliance with applicable AI requirements and with a company’s AI Use Policy will be a critical requirement moving forward in this rapidly changing area.

TPRM will continue to evolve to encompass all of these risk areas.  Companies have faced such challenges before and addressed them.  But companies have to be mindful of the need to constantly monitor and adjust their TPRM systems.

Companies should regularly review their TPRM system by asking the following:

1.  What specific risks does our TPRM address?

2.  If any new risks have to be added, how should that be done?

3.  Can the current TPRM framework incorporate these additional risks?

4.  If not, how can the TPRM system be adjusted to include these new risk areas?

5.  Overall, does the existing TPRM system address current risks, including reputational risks?

All of these questions are important to ask when assessing your TPRM system.  Too often, it is easy to look at an existing framework without questioning the overall effectiveness of the system or thinking about the modifications needed to bring it into full compliance.

We can learn from our past, and there is no question that the growth in TPRM has been driven by careful analysis and strategic thinking.  Using the same approach, a TPRM system built for current risks can be implemented deliberately.  If anything, the past has shown one thing: making rash decisions about risks, or thinking narrowly, rarely leads to an effective result.

Compliance is a task that is never completed.  Once one project is finished, there are many more standing in the wings ready to be addressed.  Like a compliance program itself, TPRM is always evolving.
