Decoding the Best Practices in Third-Party Risk Management

Third-party risk management (TPRM), as we understand it today, heavily depends upon smart technology and data management.

However, it is also important to understand the crucial role of stakeholders and subject-matter experts responsible for procurement operations.

While the latest digital risk management solutions are capable of cognitive analysis to a great degree, they still have limitations. Artificial intelligence (AI) can identify and flag factors of risk across different categories of procurement.

However, the evaluation and mitigation of risks must still be monitored by people who can understand the issues and act upon solving them in real time.

Safe and strategic data use in TPRM

The role of data in procurement risk management is omniscient.

However, the sheer volume of master data being generated itself creates a risk. Hence, security and integrity of a company’s master data are primary factors in contemporary risk management.

Most external data influencing procurement operations is typically public knowledge, and the best digital procurement platforms are constantly updated. This would include information from various sources, such as government or regional authorities, subject matter experts (SMEs), industry lobbyists, as well as from the suppliers themselves.

The strategic use of this data happens when the company’s internal data is carefully compared with the inflow of regulatory, regional, and supplier-generated information. This is how internal procurement stakeholders and external procurement partners collaborate to create effective supplier risk management strategies.

Such strategic use of master data must also be aligned with a company’s supplier relationship management since continual interaction with vendors is necessary for any far-sighted plan to mitigate risks.

There are also regular inputs from sources such as consultants who specialize in licenses, insurance, or compliance regulations. Their inputs create the reference list used to develop a comprehensive risk management plan for any company.

How subject matter experts and technology collaborate for TPRM

The documentation and validation processes (considered due diligence) following a vendor verification request or before a contract are usually the most tedious and time-consuming activities necessary for risk management operations.

The latest supply chain risk management solutions can implement many cognitive operations within this entire cycle, including automated reminders, intelligently processing entries on e-forms, and organizing and analyzing the constant flow of data from multiple sources.

However, the final validation must be under human supervision to avoid false positives or the chance of computing errors.

The technology currently employed in procurement is considered among the best examples of “disruptive” technology. The physical paperwork and manual document curating that once made global-scale TPRM operations so complicated has almost entirely been transitioned into a digital system over the last few decades.

Today, e-contracting and online third-party verification procedures can be conducted across geographies and validated at multiple touchpoints.

However, this is only a limited view of how digital services and data sciences have transformed risk management holistically.

In the larger context, technology has made global risk management possible in real time, giving companies of all sizes the leverage to expand operations globally on comparatively small margins.

Automation and cognitive technologies are also doing their part in reducing human effort to a great degree.

Defining a mature and strategic approach to TPRM

The infographic above is an overview of various risks in procurement and the strategic way to plan effective risk management.

However, we also need to define risk assessment and management as a core business function.

So far, we have determined the role of people and the use of technology in risk management operations. Now, in conclusion, we can define an effective and dynamic approach to risk management as a combination of:

1. Assessment capabilities, RACI charts, and supplier relationships

RACI charts are the first step to risk management following assessment because they identify the ‘Responsible, Accountable, Consulted, and Informed’ individuals or departments in context to the different risks in procurement.

These RACI charts must be developed through the joint effort of a company’s internal stakeholders and the expertise of their procurement partners. Procurement partners also help manage relationships with suppliers and vendors, making long-term risk management easier, and improving risk mitigation capabilities.

2. Defining the role of data and technology in risk management solutions

Once the risks have been evaluated and defined, the active mitigation operations must commence with prompt diligence. Companies must use available data and apply technology resources to enhance their risk management efforts.

The latest procurement platforms with AI attributes can automate many of the statutory risk mitigation processes and identify immediate and probable risks. However, human analysis and market intelligence based on the continuous incoming data from various SMEs and reliable sources help the responsible stakeholders expand the scope of risk management and improve their mitigation efforts over time.

3. Identifying the role of internal stakeholders and procurement partners

Procurement partners provide vital expertise and technology that save much of a client company’s internal resources. The technology they provide helps process and secure the massive volumes of master data, while their expertise helps determine the best risk mitigation solutions possible.

However, even with the best supply chain risk management partners, the final decision rests with a company’s internal decision-makers. Procurement partners can help extensively with strategic operations like supplier relationships, risk identification, spend analysis, and strategy-building – but risk ownership is always a company’s internal obligation.

While it is difficult to define specific ROIs for TPRM efforts and retrieve numerical values in profits, no company would be able to survive in a global economy without efficient risk management protocols. It is up to the decision-makers and owners to understand the critical importance of risk management and implement it strategically across their procurement and supply chain operations.

Read the first installment in this series -- How to Build Lines of Defense in Supplier Risk Management.