The disruptive events experienced in 2020 have brought about significant change in the way we work. What we have witnessed offers first-hand reference to the impact on business, its people and their communities, but has also demonstrated an innate resilience to rise up and navigate through the disruption. Financial and operational leadership have been surprised and pleased by how quickly adjusting to the disruption has introduced significant operational efficiencies and cost savings.
This natural human resilience demonstrates that we are quick to do the right thing albeit at the expense of doing things right. It is in hindsight that we turn and reflect on how governance, risk and compliance have been set aside. It is only now that some normality is returning to strategic thinking that organisations are reviewing how dealing with disruptions without preparation and without a tested Business Continuity Plan (BCP) have exposed themselves to financial risks that have a direct impact on the longer term business sustainability.
With so many recent disruptive and tragic events, and the new ways of working they have brought, receiving our attention, key stakeholders now expect their board and senior management to protect them by investing in a robust BCP.
A successful third-party risk management (TPRM) program extends beyond just the vendor onboarding and offboarding process. Organisations need to be invested in the maintenance and continuous validation (testing) of the end to end TPRM lifecycle.
A huge amount of time and effort typically goes into an initial vendor assessment and onboarding. But third-party service providers that manage business-critical functions or who are part of the supply chain need continuous validation and management to avoid the consequences of not being ready for disruption, whether that disruption faces their clients or their own business continuity capability. Without this, there is a higher likelihood of a data breach or compliance failure by the third-party vendor.
Organisations share confidential and sensitive information with approximately 583 third parties on average, which adds up to a lot of additional risk. Only 34% of organisations in the study reported keeping a comprehensive inventory of these third parties, while just 35% rated their TPRM program as highly effective.*
Managing third-party risk can be overwhelming. The cost of mitigating the risk through a comprehensive and continuous program can also be daunting, to the point that the importance of such a program is often ignored. Yes, ignored, and we all know what we expose ourselves to when we ignore issues of regulatory compliance and corporate importance.
A sensible approach will determine a high-level view of priorities and more affordable approaches that can be managed with credible external partners, such as:
Here are nine areas where improved processes using appropriate technology and an experienced audit partner can help.
Regulatory requirements, stakeholder expectations, and organisational goals and risks will shift over time. By following the TPRM lifecycle and having an experienced audit partner who can help you quickly adapt to changes, you can make the entire TPRM process easier on everyone. Software is an important tool to help you build trust and confidence in your TPRM program. It is of course worth noting that when you run critical functions such as TPRM and payroll on cloud platforms, your technology partners are themselves third-party vendors, and giving up control of your data introduces significant risk in its own right.
*Source: Third annual Ponemon Institute "Data Risk in the Third-Party Ecosystem" study, 2018