Management guru Peter Drucker distilled the discipline of innovation into a set of enabling components, or “innovation opportunities.” These building blocks remain as relevant as ever, and they also apply to the field of third party risk management (TPRM).
The first four enablers (unexpected occurrences, incongruities, process needs, and industry and market changes) exist within a company and/or its industry. The remaining three innovation opportunities (demographic changes, changes in perception, and new knowledge) reside beyond the four walls of an organization. All seven dynamics are present in TPRM. That’s great news considering the historic magnitude of disruptions affecting supply chains and third party relationships in 2022.
Shared Assessments’ committees, awareness groups, and vertical strategies groups are designed to capture new knowledge and thinking on existing and emerging risks in order to seed the development of innovative TPRM practices. With the 2022 meetings of these groups now underway, I asked Shared Assessments Senior Advisor Bob Jones for an update on those discussions and the innovative TPRM developments they will eventually generate.
Jones facilitated recent gatherings of both the U.S. Best Practices for Third Party Risk Management & Assurance Awareness Group and the UK-EU TPRM Strategies group. “While both groups share many of the same priorities given that so many companies operate in both geographies, there are some subtle differences in terms of 2022 focal points,” Jones reports. The U.S. group is considering ways to drive efficiency across key TPRM processes, for example, while the UK-EU body is zeroing in on regulatory compliance requirements and cybersecurity matters. During their bi-monthly meetings, both groups will continue to identify issues that impact the TPRM community.
U.S. Best Practice Priorities
Members of Shared Assessments’ U.S. Best Practices Group are discussing new ways to assess the individual vendors that provide outsourcers with multiple products and services across different business units. “The issue is that a service a vendor is providing to one business unit is more critical from a risk management perspective than those it provides to others in the organization,” Jones explains. “So, the question becomes: How do you assess that vendor in a way that makes the most sense from both an effectiveness standpoint and an efficiency perspective?”
The group is asking similar, process-focused questions about other TPRM blocking-and-tackling issues. For example, how can continuous monitoring activities be synchronized with point-in-time assessments, such as a Shared Assessments Standardized Control Assessment or an AICPA SOC 2 report?
“Let’s say that an on-site assessment with an annual cycle has been completed several months before the end of the outsourcer’s reporting period,” Jones notes. “Well, that may not align with the outsourcer’s schedule, and a point-in-time assessment is obviously time-sensitive because it becomes stale relatively quickly. So, how do you deal with this synchronization challenge, especially in a company that has dozens, hundreds, or thousands of vendors?”
Fortifying resilience remains a hot-button issue as well, adds Jones, who points to the recent formation of Shared Assessments’ new Procurement & Sourcing Strategy Group as another important source of practices-related discussions and innovations in 2022.
UK-EU Best Practice Priorities
Formed three years ago, the UK-EU group is hitting its stride from a practices-sharing and networking standpoint, according to Jones. “The discussion during its recent meeting was the most robust we’ve ever had,” he asserts. “It definitely takes time to get to know each other, especially given that the members of this group are based in so many different countries, and that they are contending with some massive changes, like Brexit.”
The top-five 2022 focal points of the UK-EU group are similar to the priorities of the U.S. groups (albeit with some subtle differences); Jones reports that these issues include:
- Cyber attacks throughout the supply chain;
- Compliance with sweeping new data privacy regulations;
- Concentration risk;
- Environmental, social, and governance (ESG) risk management and reporting requirements; and
Jones notes that the UK-EU group also considers the way in which TPRM programs fit into the organizational structure as a top-10 priority this year. “The group is looking at how to best organize the third-party risk management function in a given entity, regardless of whether the entity is decentralized or centralized,” Jones notes. “Identifying that optimal structure largely depends on the culture of an organization.”
Both the U.S. and UK-EU groups are applying similarly comprehensive structural considerations to contracts with third party providers, especially when it comes to capturing exit strategies in contractual stipulations, Jones adds. “In some ways, this work calls to mind crafting a prenuptial agreement. One of our members, a lawyer, suggested an interesting parallel. He joked that planning for divorce is an effective way to plan for a successful marriage.”