By Alpa Inamdar, BNY Mellon and John Bree, Supply Wisdom:
Even before COVID materialized, traditional Third-Party Risk Management (TPRM) practices were struggling to keep pace with today’s business needs. The expedited rollout of products and processes that came with our increasing adoption of Agile DevOps strategies showed that these outdated risk assessment practices were too cumbersome and time-consuming to handle the increased pace. Then along came COVID, and these shortcomings became even more acute as companies faced additional unanticipated challenges that required rapid onboarding of new service providers.
There is an alternative to the reactive scramble we have witnessed with this pandemic crisis. It doesn’t need to be this way going forward, and in fact it shouldn’t. Companies need TPRM practices that are agile, forward-looking and able to keep pace with accelerated business delivery timelines, while also enabling efficient and effective onboarding of resources and third parties without compromising on good governance or risk. By modernizing our TPRM practices, we can fundamentally change a company’s ability to keep pace with business and stay ahead of risk.
Where Traditional TPRM Fell Short
We demand a lot of our TPRM programs. Due diligence, risk assessment and governance cycles must support increasingly aggressive business delivery timelines to ensure customer satisfaction and profitability models, all while ensuring risk is in line with the company’s accepted risk appetite. Additionally, in the middle of a global economic crisis, companies still need to meet audit and regulatory requirements and internal policy and procedure protocols, and maintain an accurate, current and comprehensive awareness of their risk exposure.
Industries that are highly regulated, including healthcare, financial services, insurance, life sciences and utilities have an even higher need for modernizing TPRM practices to provide the assurance required in today’s rapidly changing risk environment. Manufacturing, with complex global supply chains that rely on hundreds or thousands of third parties, can also greatly benefit from a modernized approach.
Unfortunately, COVID taught us a painful lesson earlier this year as service providers that had been strong partners in the past were thrown into various degrees of chaos trying to cope with both the demands of clients and the significant financial, employee health and other pressures brought on by the crisis. Where providers were unable to cope, organizations were forced to quickly identify and onboard alternative vendors to meet the immediate need. Unfortunately, the manual, in-person and lengthy due diligence and onboarding processes traditionally relied on were not conducive to the quick turnaround required or to the COVID remote work restrictions. Cumbersome questionnaires that required hundreds, if not over a thousand, responses and extensive interaction between internal team members and the service providers were not feasible. As a result, companies onboarded new service providers without a comprehensive and current view of their risk exposure. This limited or incomplete due diligence and risk assessment may have left companies with significantly increased exposure to vendor incidents.
Another challenge in traditional processes was the almost laser focus on limited risk categories like financial and cyber. Doing so created serious blind spots that left organizations without a comprehensive view of their entire risk landscape. In today’s risk environment, other risks, including ESG, people, regulatory, extreme weather events, political instability and social unrest, to name a few, can also pose risks of disruption and negative financial consequences.
But perhaps the most significant challenge posed by traditional risk management during this crisis can be boiled down to the lack of continuous risk intelligence. As COVID so clearly demonstrated, data collected during static point-in-time assessments quickly became stale and of little use as the crisis cascaded quickly and unpredictably from one risk to the next, making it virtually impossible for companies to know in real time the health of their suppliers and, in turn, their risk of disruption. Additionally, because point-in-time assessments are not forward focused, companies are forced to act reactively when risk events occur, which does not lend itself to effective risk mitigation or avoidance.
Where We Are Today
Now that we have spent almost a year dealing with the pandemic and companies are beginning to accept the “new normal”, traditional governance and oversight programs are back in operation. Audit functions have started to review the tactical actions taken to meet the need, which at the time were praised for “getting the job done” but are now being scrutinized. Internally, the questions being raised include how gaps in basic and enhanced due diligence were covered, what TPRM protocols were followed or omitted, and what the plan is to correct these gaps in governance and control.
To compound the internal audit impact, regulated industries also have to prepare for pending regulatory reviews, which often begin with a review of internal audit and RCSA issues and the subsequent corrective action plans. Companies now require an expedited view of their service providers, both the new ones and those onboarded before the pandemic, to provide current and validated risk profiles in days rather than weeks or months.
Clearly, as we have outlined here, pre-pandemic methods of due diligence and risk assessment are inadequate going forward. Companies require an agile, forward-looking, proactive risk management solution that covers the needs of the entire TPRM lifecycle while also addressing internal and regulatory requirements. It must be able to handle expedited vendor and service provider onboarding without exposing organizations to unacceptable levels of risk.
The Ideal Solution
Today, an agile, inclusive and forward-looking risk intelligence program is a necessary foundation for a successful and flexible TPRM program. Companies need to move away from their overreliance on static assessments and their limited focus on financial and cyber risks. Incorporating a continuous monitoring capability into TPRM processes will provide the early risk warning capability that is critical going forward. Risk frameworks must be expanded beyond cyber and financial to a broad risk aperture, so that the entire supplier and location risk landscape is monitored. We believe that continuous risk intelligence and monitoring should be expanded to include the following risks:
- ESG (Environmental, Societal, Governance)
- Nth Party
To streamline the RFP process, real-time risk data enables an efficient and effective pre-selection process by allowing accurate and current supplier comparisons. Always-on continuous monitoring streamlines due diligence, onboarding and even the assessment process by targeting efforts at the vulnerabilities that actually exist in real time. While stale assessments hinder ongoing governance efforts, continuous monitoring enables proactive risk mitigation responses, as ongoing real-time alerts notify team members when risks increase. This pre-warning enables companies to react before risk events become reality. When it comes time to renew or replace a supplier, real-time health ratings allow companies to truly know their suppliers and renew or replace with confidence.
Modernizing TPRM processes by implementing continuous monitoring for real-time risk intelligence provides the agility companies require to maintain a sustainable and resilient sourcing and service provider ecosystem. Going forward, companies will be able to handle the demands of increased business delivery timelines and rapidly onboarding suppliers without compromising on risk or good governance.
About the Authors:
Alpa Inamdar is Head of TPG Advisory, BNY Mellon. Previously, she was head of the Americas Business Change Group within Asset Servicing. Prior to joining BNY Mellon, Inamdar served as Vice President and Chief of Staff in the Regulatory and Tax Operations division at Goldman Sachs & Company and as Cost Allocation Specialist for Société Générale. She serves on the board for Pratham and Ascend Leadership and as a member of the Shared Assessments Steering Committee. As the program creator for Women Helping Women in Finance and Take 2, Inamdar is committed to mentoring and helping to advance women in business.
John Bree is recognized as a global financial industry executive and risk subject matter expert in developing and managing vendor/third-party risk management, AML/CTF, KYC, and anti-fraud programs. He is Chief Evangelist & Chief Risk Officer with Supply Wisdom, the leading patented continuous risk intelligence and monitoring solution for third parties and locations. Prior to joining Supply Wisdom, Bree held senior positions globally for Citi and Deutsche Bank covering corporate, investment, commercial and consumer banking both internal and vendor operations. He is a member of the Shared Assessments US and UK Steering Committees and Co-Chair of the Financial Industry Vertical Strategy Group.