When a major retailer suffered a massive data breach after its credentials were stolen from a third-party vendor, it had serious consequences to manage. Over 40 million credit and debit card accounts were compromised, which resulted in 140 separate lawsuits, payment of millions of dollars in claims, and incalculable damage to the retailer’s reputation.
Events like this—triggered by distributors, agents, joint-venture partners, contractors, and other third parties—are now common. As supply chains become more complex, and regulators extend their reach, organizations face greater reputational damage. While most global enterprises acknowledge these threats, few have moved beyond ad hoc approaches and stop-gap solutions.
Leading organizations have, however, begun to adopt comprehensive and proactive strategies that align risk management frameworks with end-to-end business processes. The ideal TPRM framework leverages domain expertise while effectively exploiting leading-edge digital technologies and advanced analytics. A sustainable framework enables responsive and proactive risk management processes through enhanced visibility and ready-to-action reporting, as well as the timely execution of remediation actions.
A wide range of risks threaten organizations’ financial and operational health (Figure 1). Current trends include:
- Pressure to reduce overall procurement costs has increased reliance on suppliers in emerging markets where corruption and illegal business practices are more prevalent
- Increasingly complex supply chains require accurate data interchanges with a growing number of diversified suppliers as organizations have less direct contact with their customers
- Third-party failures can result in both regulatory fines and operational losses that are difficult to predict but potentially devastating
- Regulators have become more aggressive in enforcing frameworks such as the Foreign Corrupt Practices Act and guidelines from the Organization for Economic Co-operation and Development. They are also expanding their reach beyond financial services
- Social media continues to influence consumer sentiment, drawing attention to unethical practices
- Many investments in digital risk management technologies, such as workflow or language processing tools, fail to deliver the expected results because they are not fully aligned to business outcomes
Ad hoc approaches prevent end-to-end TPRM
Despite this demanding risk environment, many enterprises persist with an ad hoc approach to TPRM. By solely reacting to external events and attempting to patch gaps in business processes as they appear, they end up with incomplete solutions.
Traditionally, companies operating internal TPRM programs have had relatively easy access to financial risk scores when screening their suppliers, but they face significant hurdles when it comes to non-financial risks, which require the interpretation of large volumes of data from both local and remote audits. Designing and running in-house TPRM programs can also be expensive and time-consuming due to limited awareness of evolving regulations and a lack of access to the right skills and technology.
For these reasons, many enterprises have yet to implement TPRM frameworks that manage risk across end-to-end business processes on a global scale. Leading organizations are responding with holistic approaches that aggressively address risks across the supply chain.
Holistic, end-to-end TPRM
To anticipate, prevent, and manage adverse events throughout their operations, global enterprises need enhanced visibility of their third-party risks. They need more efficient risk assessments to support targeted mitigation strategies, and the ability to predict potential outcomes throughout their operations.
Digital technologies play a key role in an integrated program (Figure 2). To increase the likelihood of TPRM initiatives achieving the expected outcomes, organizations can adopt a Lean Digital approach that combines digital technologies, design thinking methods to focus on the end customer, and Lean principles that offer greater agility.
This approach tightly aligns risk processes to business outcomes, and helps overcome the challenges from legacy operations by driving the right choices end to end rather than focusing on the individual parts of the process.
Deep risk management knowledge helps design robust policies, procedures, guidelines, and governance processes. This helps identify business and regulatory threats, and prioritize third parties that should be assessed with additional rigor.
Holistic TPRM encompasses four key processes:
Best-in-class screening − Direct person-to-person contact between buyers and suppliers is fast becoming the exception, placing greater reliance on data-driven communications. Data from top global vendor screening databases like LexisNexis, Dow Jones, and Thomson Reuters can be interpreted using cognitive computing, machine learning, and robotic automation. This technology helps separate true “hits” from false positives while maintaining an audit history to demonstrate due diligence.
A footwear and apparel manufacturer identified more than two dozen potentially problematic third-parties in its high-risk countries by adopting an end-to-end screening processes enabled by digital technologies and advanced analytics.
Comprehensive risk assessments - Equally important is the need to improve the depth and scope of risk assessment. Digital technologies, such as natural language processing and advanced analytics can transfer audit information in real time, and facilitate the analysis, scoring, and aggregation of results across the world. Dashboards, structured scoring mechanisms, and advanced visualization enable decision-makers to identify potential issues with precision.
Audits that direct resources - The right combination of on-site and remote-site audits is key to reducing assessment cycle times and formulating action plans. This is essential as cost-cutting pressures push supply chains out to smaller suppliers that may be missed by ad hoc approaches. Digital tools can help solve this puzzle by enabling allocation of limited resources to the right areas and geographies.
Targeted action - Corrective and preventative action requires efficient targeting of remediation plans, which depends on the assessment of several complex parameters, including the organization’s risk appetite and the criticality of the vendor. This involves working with the vendor to improve processes or, as a last resort, recommending termination of the relationship.
Pulling it together with lean Digital
Integrating these four processes into a cohesive whole can be a challenge, and that’s where Lean DigitalSMcomes in. A comprehensive TPRM program supported by Lean Digital generates substantial impact on business outcomes by targeting sources of risk and enabling ready-to-action reporting and rapid execution. As a result, companies can mitigate the losses from regulatory fines, business continuity disruptions, and reputational damage while improving resource utilization by embedding TPRM into their processes. By delivering intelligent risk management operations with greater visibility and control, organizations can sense, act, and learn from the outcome of their actions.
Companies that proactively address their third-party risks reduce the threats facing their businesses while increasing productivity as they comply with regulations.
Case Study: Compliance rate increased by 50% with significant cuts in compliance costs by adopting TPRM
A leading financial services firm adopted a comprehensive TPRM framework that included controls assurance, audits, and risk remediation plans with ongoing monitoring through a series of simple, responsive dashboards. As a result, the firm increased its internal TPRM compliance rate from 40% to 90% in less than a year, and slashed compliance costs by half by combining remote and on-site execution.
This paper was authored by Subhashis Nath, Global Senior Partner for Corporate Governance and Controllership Solutioning, Genpact.
For more information, contact, firstname.lastname@example.org and visit, genpact.com/what-we-do/business-services/enterprise-risk-compliance