
Deciphering third-party risks

Technology can build a granular view of third-party risks and anticipate supply chain problems

In my last blog, I explored how procurement is well positioned to play a bigger role in third-party risk management (TPRM). Next up, I take a look at the role of technology in TPRM programs and the three main challenges it can help solve.

Richer third-party risk profiles

To create a holistic, meaningful view of third-party risk, it's necessary to collate data from a wide range of sources. Some of these may be internal, such as questionnaires to gauge the exact nature of dealings with a third party, but the majority will be external. Entries on sanctions lists, geographical bribery ratings, responses from third parties, and adverse media are just some of the useful sources of information on which companies you should or shouldn't do business with.

But trawling through these different sources manually is an arduous task, sucking up significant time and dollars. Technology can at the very least automate data collection from multiple sources and, at the most, integrate with them completely. This frees up manual resources and speeds up the data collection process.

Risk criteria such as ratings or responses to closed questions can be automatically assessed to generate an initial view of a company. This view can be built out with supplementary evidence or free text responses to color the risk picture.

Fewer supply-chain surprises

Without up-to-date information about suppliers, companies are usually unaware of trading risks until orders are late, canceled, or suppliers cease trading altogether.

TPRM platforms can monitor updates across the supply chain, whether it's a company being added to a sanctions list or the latest news stories, enabling more proactive risk management. This ability to react quickly to changes ensures security of supply, delivers more orders on time and in full, and enhances corporate reputation.

Visualization of the risk landscape

Given the size of today's global corporations and the complexity of their supply chains, creating a single view of the third-party risk landscape is a serious challenge.

TPRM analytics can help build this view in a number of ways. Firstly, it can aggregate data associated with risk inputs and spend and, critically, use these individual data elements to create alternative views of risk, so that visualizations can be tailored to different stakeholders quickly and easily.

Secondly, the use of date stamps means information is auditable, and dynamic elements, such as the impact of mitigation strategies and the changing nature of the supplier relationship, can be demonstrated to business leaders and audit committees.

Technology can't do it all

Using an appropriate, effective technology solution that enables a balanced, proportional approach to TPRM will create a better user experience and generate useful data and insights that will add value to an organization. But I think it's important to recognize that implementing a technology solution won't solve existing TPRM problems. If you add technology to poor TPRM processes, issues with stakeholder conflict and credibility will remain.

There is also an element of human judgment that technology can't replace. Experienced procurement professionals with the capability to interpret risk outcomes and use this to develop effective mitigation strategies with third parties remain fundamental to the success of TPRM programs.

Weighing up the technology options

In my experience, an effective TPRM technology solution will have these characteristics:

  • Scalability – it must be able to flex with your organization. Expansion into new markets or product lines, or growth through acquisition, are all situations that the technology must be able to cope with to avoid the need for further investment and disruption in the future
  • Flexibility – as existing risks change and new risks develop, technology should be able to absorb new data and integrate with new data sources
  • Configurability – every organization's risk appetite is unique. TPRM technology should be able to be configured to reflect a company's tolerance and ensure that process outcomes are relevant to its stakeholders
  • Internal integration – third-party risk data can be used in a number of ways, including links to master and contract data. Being able to integrate and feed this data into different business processes delivers additional value

The one thing you should get right during implementation

We've implemented a number of TPRM platforms for clients, and our experience reflects that of other system and technology implementations – investing time in defining a pragmatic process with appropriate escalations determines the success of a program. But, for me, the key differentiator is ensuring the involvement and buy-in from risk experts across the business during design, build, testing, and launch. This will underpin how effective the technology will be at supporting TPRM processes and deliver the ROI that it's capable of.

TPRM is a complex subject. Factors such as the activities, locations, and history of a third party all play a part in determining the level of risk and how to manage it. But technology can manage this breadth and complexity of data and build a coherent risk profile that informs business decisions.

  • Andy Rayment

    Assistant Vice President, Source to Pay
