Third-Party Risk Intelligence: Delivering 360° Situational Awareness to the Extended Enterprise
Written by Supply Wisdom Team
Recap of the webinar from November 2, 2021
Mike Rasmussen, GRC Pundit & Analyst, GRC 20/20 Research, “Father of GRC”
Debra Zoppy-Hendershott, Head of TPRM & Op Risk Business Resiliency, Guardian Life
Q1. What does it mean when we talk about the extended enterprise?
Definition of the extended enterprise –
- Includes extended third-party relationships – suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, etc.
- Nested in deep supply chains and sub-contracting relationships
- Issues in your third-party relationships are your issues; their challenges are your challenges
Q2. What is inadequate about most solutions today that requires a new approach to TPRM?
- Risk is dynamic, but the risk management and risk assessment models organizations have relied on have often not been as dynamic
- Need to move to continuous monitoring
- Need to see full spectrum of risk
- Siloed approach to risk – need instead to see the aggregate risk of a third-party relationship, i.e., an integrated view of risk
- Challenge – third-party supply chain is growing exponentially but typically resourcing is not being expanded
- Need to be able to focus on what the key risk areas are
- Need to leverage continuous monitoring tools to be able to understand financial health, cyber health, reputational issues, ESG, etc.
Key Insight – With a siloed approach to risk you can’t see the aggregate risk in any given relationship; organizations need to shift from a siloed approach to an integrated strategy to understand their aggregate risk exposure and achieve 360° situational awareness
Q3. What does 360° situational and risk awareness mean?
- Continuous assessment is important because business is dynamic – changing minute by minute and second by second at the enterprise level and throughout your extended enterprises
- Continuous risk intelligence on your third parties can alert you in real-time instead of months later at the next periodic assessment
Key Insight – Important to monitor beyond financial and cyber risk to include the full spectrum for early warning of disruptions (a cyber incident often starts as another kind of risk, e.g., employee issues, attrition, financial issues, lack of operational controls). Early warning in one risk domain can prevent disruptions in another risk domain.
- Moving to continuous monitoring increases noise – with negative news monitoring there can be a lot of false positives
- Leveraging AI can remove some of the noise – the technology is still maturing and accuracy will keep rising
- Better to be alerted and have to go through a little bit of noise than to remain ignorant and get caught off guard
- Examples of early warnings that helped avoid a disruption – announcement of storms, floods, elections, the death of a celebrity – employees can’t get to work, so redirect them to other locations or activate work-from-home strategies
- Early warnings mean nothing if you don’t act
- Regulators are no longer sympathetic to companies lacking a warning system – ignorance is not an excuse anymore
Q4. How is ESG redefining TPRM and Supply Chain Risk Management?
- ESG has teeth and regulatory enforcement (unlike CSR, which was passed around the organization and often treated as a marketing exercise)
- Boards of Directors are being voted in and out based on ESG metrics
- Institutional corporate investors are making investment decisions based on ESG practices
- Customers are making decisions on who they do business with based on the values of the organizations
- Employees (particularly millennials and Gen Z) are making employment decisions beyond salary and benefits to consider the values of the organizations
Key Insight – As organizations build their ESG practices, ESG becomes more prominent in continuous monitoring and risk intelligence needs
Advice for companies with regard to ESG:
- Start working on it now – ESG is getting a lot of attention from boards and regulators, so organizations have to be paying attention – need to address ESG within the organization and be able to manage it across the extended enterprise
- Regulators are starting to ask for disclosure – in the future these will become requirements
- Good ESG practices pay off – enterprises are barely seeing the impact today, but very soon they will see the impact on talent – eventually that translates to reputation and impacts revenue
Q5. What does continuous risk management and good TPRM practices mean to you? How does one enable it?
- Today – Understand your current state – where you are in your maturity of third-party GRC/risk management
- Tomorrow – Define your future state
- What’s your road map to get there? Need to include how you are going to address continuous risk intelligence
- Need to better integrate data and share the data across teams (and other stakeholders)
- Selecting a continuous risk intelligence solution is critical to early warning
- Consider integration of the risk intelligence solution into your workflow software – so risk mitigation is managed in your workflow software
- Consider your standard operating procedures – what happens when you receive an alert or a change in intelligence
Key Insight – By integrating the process from risk intelligence to risk management to risk actions, there is the potential to automate a large portion of risk actions, enabling teams to accomplish more with fewer resources
Q6. Advice for customers considering continuous monitoring and workflow integration? How does one sustain it and maximize value?
- Raise awareness with the people who own the relationships with the third parties – need to understand the types of risks as they enter or expand contracts
- Ensure you are getting the right tool for what you are looking to accomplish – and one that can integrate into your platforms
- Stakeholder engagement – ensure connection with the other risk teams in the end-to-end process – Procurement, Legal, IT, etc. should all be part of solutioning
Key Insight – Intelligence can be utilized across all workstreams to benefit the overall end-to-end third-party risk management activity
Building a business case to move forward with continuous monitoring:
- Efficiency – How is the continuous risk management service going to make me more efficient in terms of time saved and money saved?
- Effectiveness – How is it going to provide value in terms of accuracy and completeness? (i.e., fewer things slipping through the cracks, not being caught off guard, keeping up with change – regulations, the business environment and the third-party environment)
- Agility – How will it make me more resilient and agile?