The third-party risk management ecosystem - Part I

John Donne may have been onto something when he observed "no man is an island entire of itself" but I'm sure he never thought about the modern implications for his famous poem. Now, 400 years later, we have a globalized business environment where no company is an island. The interconnectedness of commerce has caused organizations to interact with an ever-increasing number of third-parties. In fact, outsourcing is expected to continue growing at the rate of 20% or more for the foreseeable future.

As relationships with third-parties - whether vendors, partners, agents, tenants or other service providers – become more complex, the need to acknowledge the importance of managing risk becomes self-evident. Forward-thinking risk managers will do this in a proactive, strategic manner.

Risk Transfer

Perhaps the most obvious and prevalent approach is to off-load exposures to the third-party through written contract. When executed properly, this is tied to verification of contractual compliance, often through provision of documentation, such as certificates of insurance and indemnification agreements. The often-neglected step is to supply consistent monitoring and enforcement, which may lead, ironically, to another third-party arrangement, one of professionally managed compliance on behalf of the enterprise.

Value Creation

Beyond the strategy of risk transfer, which is essentially a means of value protection, investment in third-party risk management initiatives is being justified by the ability to include value creation in the equation. Moving beyond reactive, it embraces the concept of using risk management tools and protocols to improve business practices through identification of risks across the enterprise. By extending risk management to anticipate and manage third-party exposures originating from all business operations the value delivered by those relationships can be optimized.

What does the risk look like?

In the new world of extended networks, risk is inherently broad and often difficult to assess because of the unique nature and potential severity of each third-party relationship. Technology, principally through the immediacy of social media, can swiftly impose catastrophic damage in high-visibility incidents such as data breaches or product failure. The globalization of manufacturing has brought supply chain continuity into the spotlight; the balance between just-in-time and just-in-case inventory management has never been more precipitous. New risk is further being driven by the proliferation of regulatory compliance and the accompanying civil penalties for failure to play by often burdensome and costly new rules. And disruptive events such as these will carry opportunity costs; the distraction will drain resources and slow future business progress.

A complex situation

There are many moving parts that impact on effective third-party risk management. In subsequent issues we'll examine TPM best practices and specific third-party service provider challenges. In the meantime, let's remember that there is a line in the Donne poem all risk managers should wish to avoid; you know, the one about "for whom the bell tolls." As we move forward in this series, we'll look into how to avoid the bell-ringer.