A holistic approach to third-party risk management – Part III


Relationships between the organization and third-party service providers are commonly decentralized and are typically formed on an ad-hoc, as-needed basis. Individual departments outsource for a specific purpose with little participation or input from other elements of the organization. This siloed approach can lead to under-utilization of the service offering by other business units that might otherwise benefit. As a result, you effectively overpay through lost opportunity costs. Worse, your ability to Govern the relationship, manage the Risk and enforce Compliance (GRC) is severely compromised.

This lack of an enterprise-wide focus highlights the need to develop internal organizational structures, both to better leverage the potential hidden benefits of the third-party service across the enterprise and to properly manage the risks present in any external relationship. Such structures would include formal procedures and risk assessment protocols applied at the contracting business unit and a corporate governance process to ensure those protocols are followed and enforced. Internal audits, performed by the chief risk officer, would close any process gaps uncovered.

Parallel to the need to better manage risk in the third-party relationship, many companies tend to focus too heavily on the "spend," often automatically selecting the lowest-cost provider rather than the one with the most favorable risk profile, control systems and ability to help add value and drive business performance.

[In our line of work we have repeatedly seen migration away from the provider who was the least costly because the relationship failed to meet the expectations of the contracting entity. It is a hard lesson to learn - an expensive waste of time and resources that leaves the organization exposed to preventable business risks. Alternatively, we see the contracting entity fail to realize other service features that do not impact on them directly but could be of benefit to other areas of the business. Sooner or later those departments come on board and derive value from the unused service resources, but not without more lost time and opportunity.]

As the example above illustrates, by moving the point of focus away from the micro toward a more holistic, enterprise-wide view, the third-party relationship can create value and address business objectives beyond the original, narrowly defined purpose.

Moreover, viewing the third-party relationship in terms of the "greatest good" naturally forms an alignment of intra-company interests, fosters communication and drives the risk management discussion forward, ultimately defining requirements, enforcement and compliance. If GRC is the goal, as it should be, you have just succeeded in pulling it all together.

In the end, managing with a wide-angle lens has multiple benefits. Take advantage of the opportunity presented by carefully reviewing the assumptions driving your next RFP. You may be surprised by the hidden value unlocked by asking the right questions of the right people internally before the RFP hits that third party's inbox.
