GRC Tuesdays: Vendor Risk Management, Supplier Risk Management, Customer Risk Management, Third Party Risk Management… Why Not Simply Enterprise Risk Management?
When I started focusing on what wasn’t yet known as Governance, Risk, and Compliance (GRC) software over 15 years ago, “risk” was just one of the components of the compliance solutions.
Companies mostly wanted to implement compliance tools focused on SOX-type regulations that were being enforced across many countries.
Progressively, and most likely thanks to the COSO II Enterprise Risk Management and ISO31000 frameworks, there was a realization that this wasn’t sufficient and that these programs should be extended to help “identify potential events that may affect the entity” and not just tick the compliance box.
Coming from a risk background, I could only gladly welcome this shift!
Is it Vendor Risk Management, Supplier Risk Management, Customer Risk Management, Third Party Risk Management? Something Else?
I then noticed “risk” growing in importance in customers’ GRC programs, which was great… Until I started encountering, in the past few years, a sustained trend that I personally find concerning: the creation of independent – and siloed – additional risk programs, especially in the area of 3rd parties.
Of course, I would never suggest that monitoring 3rd parties is not a good practice, but I have met with a few organizations recently that seemed quite confused and had created multiple initiatives in this area, initiatives that were not always coordinated or even planned to come together at any point.
A common definition of “third party” in business terms is that of an entity involved in a transaction but that is not one of the principals.
Taken as is, there is actually no real purpose in focusing only on vendors/suppliers, contractors, customers, or only some actors of the chain. The focus should be on any company or individual involved.
Now, in my opinion, the monitoring of these parties is only a partial program. Indeed, no one monitors something just for the challenge it represents. There must be a business objective. And, in our case, it is to ensure that the company can deliver on its strategies: protect its customers, deliver its products and services on time and at the expected quality, increase its revenue, etc. Regardless of who is involved in the process.
But isn’t that precisely what ISO31000 defines more widely as “risk”, i.e. the “effect of uncertainty on objectives”? If so, and since ISO31000 further defines “risk management” as the “coordinated activities to direct and control an organization with regard to risk”, then wouldn’t the organization benefit from having all these 3rd party risks included directly in a single, coordinated risk management process instead of a siloed or parallel one?
Benefits of a Single Enterprise Risk Management Process
Going a step further than simple semantics, ISO31000 recommends that all risks be considered within the external and internal context of the organization. It then defines “external context” as including, but not limited to:
“— the social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external stakeholders’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.”
This clearly indicates that Third Party Risk Management (TPRM) initiatives would benefit from being included in the wider Enterprise Risk Management (ERM) process. But this finding alone is probably not compelling enough, so please allow me to detail some of the tangible benefits that the organization would be able to achieve:
1. Faster onboarding and reduced investment
Most companies already have an Enterprise Risk Management process live and tested. Extending it to 3rd parties might be the most straightforward and rapid approach. Indeed, if designed along ISO31000 guidelines, it would be ready to “ingest” new contexts such as any 3rd party. Associated risks could then be included directly in the defined risk management process and routed to the right stakeholder, without needing to reinvent the wheel, so to speak.
2. Overall visibility on its operational, strategic and business risks
As I have regularly suggested in these blogs: risks do not occur in silos. They are the result of a chain of events – the root causes. These can be internal to the organization or result from external triggers. For operational risks, for instance, reliance on external parties for part of the production or delivery process is inevitable in our global networked economy. Even small niche producers rely on some type of machinery that they didn’t build – nor do they maintain.
Including 3rd party risks as potential root causes will provide decision makers with a more representative and factual picture of their real risk exposure.
3. More adequate response strategy
Bias is the enemy of risk management, especially when it comes to risk mitigation. The worst-case scenario is the one where a risk had been identified and assessed as critical, but wasn’t mitigated properly because part of the root causes were ignored, or because some of them were overstated and absorbed all the focus of the response strategy (action plans, controls, etc.).
Including potential root causes arising from 3rd parties could prevent part of this bias.
And there’s an additional benefit here: the power (knowledge) of the risk community.
I have recently reviewed a few 3rd party risk management programs that were very heavily focused on cyber aspects. I don’t deny that this is important, of course, but it shouldn’t overshadow threats arising from financial instability, illegal and unethical practices, and so on. When included in a wider risk program where collaborative risk identification and assessment is leveraged, this bias is counter-balanced, and all known root causes will be documented by various experts and can therefore be addressed individually if need be.
As you can read, I believe that Vendor Risk Management (VRM), Supplier Risk Management (SRM), Customer Risk Management (CRM), Third Party Risk Management (TPRM)… or n-Party Risk Management (n-PRM) is not just about vetting a business relationship – regardless of how distant it is. It’s about the ongoing protection of the business itself and of its sustainability.
In addition to ongoing checks for compliance, companies should also continuously monitor their business partners on various aspects: timeliness and quality of deliveries, financial, legal and reputational aspects, etc., and include this information in their Enterprise Risk Management program.
No company succeeds alone; it’s an ecosystem! Being able to have the right (key risk) indicators to alert process owners of a negative trend on their risks – including when some of the triggers come from 3rd parties – could make the difference between a proactive reaction to a situation to put it back on track… and triggering a business continuity plan to continue operating, even if in a degraded mode.
What about you, how does your company manage its third-party risks, are they included in a wider risk management picture? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
I couldn't agree more, Thomas. The proliferation of 'types' of risk management is confusing (to the business and risk function, and to software vendors who respond with 'niche' solutions), unedifying, and ultimately dangerous as you say. Fragmented risk management is full of cracks, cracks are like holes in the swiss cheese model showing how vulnerabilities become events...
Thank you very much for your comment, Neil!
I really like your statement that "Fragmented risk management is full of cracks" that makes organizations vulnerable to adverse events.