Die wichtigsten Säulen des Risikomanagements für Drittparteien

by Arnaud Malardé

Third-party Risk Management (TPRM) within Services organizations, especially Financial Services (FSI), has become critical over the last few years. Some of this is due to regulation but a lot is simply due to the increase in risk occurrences of varying types and the increasing complexity of third- party relationships. In Q3 2021, The Hackett Group conducted a comprehensive performance study of third-party risk management across a wide demographic of companies. The results were segmented to isolate perspectives for both manufacturing and services-based organizations, here we’ll focus on the later. 

What is Third-party Risk Management? 

One might assume that manufacturing organizations and those with large physical supply chains are better at monitoring and mitigating risk–but Services organizations are, in many ways, more sophisticated.  

Critical Risk Factors for Services Organizations?

Services organizations highlight confidential data access, data privacy, and cloud/data security as the highest-probability, highest impact risk types (figure 2). For Financial services organizations, these are extremely high risk areas due to the nature of their business and their regulations.

Interestingly, Services organizations actively monitor risk for strategic, direct, IT and onsite suppliers more frequently than manufacturing orgs. According to 70 % of respondents, the number one risk assessment criteria within Services is supplier access to sensitive data.

For Procurement organizations, this means having a strong process for onboarding a third-party that may have access to data with all the right risk assessments, approvals, reviews that may be necessary. Not only that, they should also be prepared to do assessments on an ongoing basis or have them be automatically triggered based on certain events relating to internal or external data. This is precisely where organizations see the benefits of a TPRM program built into or working seamlessly with a Strategic Sourcing or Source-to-Pay solution. The importance of a single supplier database and a 360 degree view of all information and activity is often underestimated.

Figure 2: Critical Risk Factors for Services Organizations

Relevant data is the foundation of insightful risk mapping. Multiple risk indicators, financial data, and compliance information are the most critical types of data used for third-party risk management (figure 3). However, risk programs should rely on a much broader set of data sources to best address supply risk. Even the least important data sources (newsfeeds and supplier stakeholder surveys) were reported as having high or medium importance by more than 69 % of respondents. 

While monitoring risk across strategic suppliers is important, they are typically not the ones where the biggest risks tend to appear. Having some level of risk understanding across all your suppliers is crucial, but visibility into tier 2 and tier 3 supplier risk is equally important. Additionally, third-party risk assessments need to be more granular and consider the risk of a relationship with a supplier. For instance, a contract that has been signed, independently from the inherent risk of the supplier itself, bears a certain risk level. In some regions, Banks are required by regulation to monitor risk at contract level, especially for outsourcing agreements. 

Risk-Aware Decisions

One of the main benefits of a TPRM program is the ability to continually assess and mitigate the effects from risky third-party relationships. However, leading procurement organizations leverage risk data to manage decisions proactively rather than constantly reacting to risk. A view into risk will always lead to improved decision-making-whether it is simply a RFx, contract negotiation,  purchase of a good/service, or the processing of an invoice.

How are organizations leveraging technology to infuse risk information into key decision points? According to Hackett (Figure 4), over the next 2-3 years, 77 % of services organizations plan to use spend management suites, a sizable jump from the 59 % that use this as their TPRM tool today.

Figure 4: Most Used TRPM Tools 

Services organizations prefer these suites as they embed the top three most important features needed to effectively monitor risk (Figure 5): 

• The ability to segment suppliers and risk in many different ways – by category, criticality, etc
• A smart alert system based on triggers
• Connections to third-party data sources

We could also add Seamless Integration across all Source-to-Pay processes to this list. Most of the features above would not be possible or only partially possible with the other options being used. The interconnected nature of a spend management suite (at least some of them) ensures access to risk insight at any step of the Source-to-Pay process, to support better decision-making. 

This unsuitable toolset could also explain why TPRM is still mostly reactive, under regulation pressure, rather than an opportunity to predict and anticipate risk events. For instance, the report also states that 50 % of businesses mostly react to risk to ensure regulatory compliance rather than getting ahead of the problem.

Today, most services organizations already have sophisticated risk management processes that mainly support compliance with regulation. To achieve the next level of risk mitigation, they will need technology to support them when turning risk data into predictive, business-driven insight.

Download our Data Sheet and Take Action to Mitigate Third Party Risk with Ivalua’s TPRM Capabilities.