Point of View

A crystal-clear view of third-party risk

How digital technologies create a robust risk framework

When a major retailer suffered a massive data breach because thieves stole its credentials from a third-party vendor, the consequences were severe. The event compromised over 40 million credit and debit card accounts and led to 140 separate lawsuits. Claims cost the company tens of millions of dollars and the breach badly damaged its reputation. Events like this—triggered by distributors, agents, joint-venture partners, contractors, and other third parties—are now common. Supply chains are growing longer and more complex. Meanwhile, regulators are extending their reach. Companies risk their reputations if they don’t establish comprehensive third-party risk management (TPRM) programs. But while most global enterprises recognize this, few have moved beyond stop-gap solutions.

Firms in the vanguard know better. They’ve already begun adopting comprehensive, proactive strategies that align risk management frameworks with end-to-end business processes.

The ideal sustainable TPRM framework takes advantage of domain expertise, leading-edge digital technologies, and advanced analytics. It promotes responsive and proactive risk management processes with excellent visibility and ready-to-action reporting. And it supports timely remediation.

Where do the risks come from that can threaten a firm’s financial and operational health? Figure 1 shows some key sources. But there are other trends contributing to the importance of TPRM:

  • Pressure to reduce overall procurement costs means businesses rely on suppliers in emerging markets where corruption and illegal business practices are more prevalent
  • Increasingly complex supply chains are making accurate data interchanges with ever-more-diversified suppliers essential; enterprises may also have less direct contact with their customers
  • Third-party failures can trigger unpredictable — and potentially devastating — fines and operational losses
  • Regulators are more aggressively enforcing frameworks such as the Foreign Corrupt Practices Act and guidelines from the Organization for Economic Co-operation and Development. They’re also expanding their reach well beyond the traditional realms of banking and finance
  • Social media has a powerful influence over consumer sentiment, calling greater attention to ethical practices in the supply chain
  • Many investments in digital risk-management technologies aren’t delivering results—often because workflow or language processing tools, for example, are not fully aligned to business outcomes

Figure 1: The evolving landscape of third-party risk

Getting end-to-end TPRM

Many enterprises still take an ad hoc approach to TPRM. But by solely reacting to external events and trying to patch gaps in failing business processes, they end up with incomplete solutions.

Companies with in-house TPRM programs may have easy access to financial risk scores when screening suppliers. But they face real hurdles when it comes to non-financial risks that call for interpreting a lot of data from both local and remote audits. Designing and running TPRM programs in-house can be expensive and time-consuming, too, if teams aren’t on top of evolving regulations, or lack the right skills and technology.

Some industries, such as the automotive and pharma sectors, have formed councils to share supplier risk assessments and best practices. But risk audits are generally not a core competency of these groups — so important considerations can fall through the cracks. Bottom line: Many firms don’t have TPRM frameworks that are capable of managing risk across end-to-end business processes on a global scale. But they’re beginning to realize that this has to change. In fact, leading companies are already taking a holistic approach that aggressively addresses risks across the supply chain.

Holistic, end-to-end TPRM

One thing leading firms realize is that global enterprises need crystal-clear visibility into third-party risks if they hope to anticipate, prevent, and manage adverse events. They also need more efficient risk assessments to support targeted mitigation strategies, plus a way to predict potential outcomes throughout their operations.

Digital technologies can play a key role in an integrated third-party risk management program (see Figure 2). For the best TPRM outcomes, enterprises often adopt a Lean Digital℠ approach. Lean Digital combines digital technologies, design thinking methods that focus on the end customer, and Lean principles that offer real agility.

This technique tightly aligns risk processes to business outcomes and helps overcome the challenge of legacy operations by driving the right choices end to end rather than focusing on quick wins or discrete fixes. The result: Simple transformation that requires few changes.

But it takes deep and specific knowledge to design robust policies, procedures, guidelines, and governance processes for risk management. That kind of domain expertise can help identify the threats associated with business and regulatory requirements. It can also prioritize which third parties to assess with greater rigor.

Holistic TPRM encompasses four key processes:

  • Best-in-class screening to cut through the noise: Direct person-to-person contact between buyers and suppliers is rapidly becoming the exception rather than the rule, placing greater reliance on data-driven communications. The good news: Cognitive computing, machine learning, and robotic automation can now interpret data from top global vendor-screening databases like LexisNexis, Dow Jones, and Thomson Reuters. This technology helps separate true “hits” from false positives and maintains an audit history to demonstrate due diligence
  • Comprehensive risk assessments that present a complete picture: Improving the depth and scope of risk assessments is equally important. Digital technologies, such as natural language processing, workflow tools, and advanced analytics, can make a significant difference. These solutions can transfer audit information in real time. They also make it easy to analyze, score and aggregate results across a region or around the world. Dashboards, structured scoring mechanisms, and advanced visualizations mean decision makers can zoom in on potential trouble spots with unprecedented precision
  • Audits that direct resources where they’re needed most: The right combination of on-site and remote-site audits is key to reducing assessment cycle times and rapidly formulating action plans. This balance has become essential as cost-cutting pressures push supply chains out to suppliers whose disadvantages may be missed by ad hoc approaches. Digital tools can help solve this puzzle by focusing limited resources on situations and geographies where the risks are greatest
  • Targeted action to limit damage — or prevent it altogether: To take corrective and preventive action, you need targeted remediation plans. These plans have to take into account complex parameters, such as a firm’s risk appetite or how critical a given vendor is. This may mean having a strategy for working with the vendor to improve processes or, as a last resort, ending the relationship

Figure 2: A best-in-class risk management process enabled by digital technologies


Pulling it together with Lean Digital

Integrating these four processes into a cohesive whole can be a challenge, but a comprehensive program using Lean Digital can help. It can target sources of risk for ready-to-action reporting and rapid execution so companies can mitigate losses from fines, business continuity disruptions, and reputational damage. At the same time, it can make better use of resources by fully embedding TPRM into business processes. Intelligent, more transparent risk management operations that can sense, act, and learn from the outcome of their actions give companies more control. And Lean Digital is the key component behind the most responsive and proactive programs that identify and manage third-party risks.


Companies that proactively address their third-party risks reduce the threats facing their businesses while increasing productivity as they comply with regulations.

  • Compliance rates increase and compliance costs are cut with TPRM: A leading financial services firm adopted a comprehensive TPRM framework that included controls assurance, audits, and risk remediation plans with ongoing monitoring through a series of simple, responsive dashboards. The firm increased its internal TPRM compliance rate from 40% to 90% in less than a year, and slashed compliance costs by half by combining remote and on-site execution
  • Third-party screening eliminates corrupt suppliers from high-risk territories: A footwear and clothing manufacturer ran an end-to-end screening process with built-in data analytics to assess the company’s existing network of third parties in high-risk territories. The company identified over two dozen potentially problematic third parties, reduced the risk of regulatory penalties, and gained greater protection from serious damage to its reputation
