Supply Chain Regulation Upheaval Requires Third Party Risk Management Maturity

Keeping pace with supply chain regulation upheaval requires a disciplined approach to managing third party risk.

Two years ago, a comprehensive benchmarking survey report on third party risk management (TPRM) practices concluded that “vendor risk management programs are barely able to keep up with the fast pace of change in the external environment.” Since the report appeared, the external environment has served up a trade war between the world’s two largest economic powers, a steady procession of new regulatory requirements, a global pandemic, the steep recession the pandemic triggered, and a burst of U.S. political unrest not seen in more than a century.


The benchmarking study, jointly produced by the Shared Assessments Program and consulting firm Protiviti, also determined that only 40% of organizations have “fully mature” TPRM programs – and that almost one-third of companies have only “ad hoc” programs or no significant TPRM processes in place.


Given the rapid rise of volatility since the report appeared, it’s a safe bet that most TPRM programs would benefit from a rapid and sustained maturation process. Fortunately, an approach exists to guide the development of TPRM capabilities in disciplined and methodical manner.


“Regulatory disparities among different global geographies represent just one of many complex challenges confronting third party risk management teams, but it’s a huge challenge,” notes Santa Fe Group Senior Advisor Gary Roboff. “A global organization needs to have a carefully designed system in place that makes them fully aware of the unique compliance requirements in each region and how policies are appropriately designed, applied and monitored in accordance with those requirements.”


Achieving and maintaining that discipline is becoming more difficult due to a range of disruptions and drivers of business complexity. Supply chain upheaval also figures as a huge challenge – to TPRM groups and senior executive teams alike –as trading partners work through hard-earned COVID-disruption lessons to make changes that could reconfigure the movement of as much as $4.5 trillion worth of global goods during the next 48 months, according to McKinsey research.


That research, which examines post-COVID trends with staying power, suggests that executives across all industries deduced three insights from supply chain vulnerabilities that were exposed amid pandemic shutdowns and health measures:

  1. Shutdowns among suppliers and other third parties are not uncommon. McKinsey indicates that any given company should expect to contend with a shutdown that lasts roughly 30 days every 3.7 years.
  2. Cost differences between sourcing in developed countries and those with developing economies continue to shrink. For many U.S. companies, this means that domestic suppliers and vendors are more viable, which will increase the volume of sourcing changes in 2021 and beyond.
  3. Most companies, according to McKinsey, “do not have a good idea of what is going on lower down in their supply chains.”


That final insight will not come as a surprise to the many TPRM practitioners who strive to manage nth party risks. To be sure, massive supply chain rebalancing and the regulatory disparities Roboff highlights mark only two of larger collection of factors that continue to hasten the pace of external change.


Keeping pace requires a disciplined approach to managing third party risk. The Shared Assessments Vendor Risk Management Maturity Model (VRMMM) is designed to foster that discipline. The tool, Roboff explains, organizes a TPRM program into eight components:

  1. Program governance
  2. Policies, standards and procedures
  3. Contract development, adherence and management
  4. Vendor risk assessment process
  5. Skills and expertise
  6. Information sharing
  7. Tools, measurement and analysis
  8. Monitoring and review

The tool also identifies performance criteria – anywhere from 17 to 44 standards – within each program component. This structure helps TPRM teams conveniently self-assess their activities in each TPRM performance component and then track their improvement progress over time. These evaluations are based on six levels of maturity assessments:

As 2020 thankfully recedes in in the rear-view mirror, companies will resume looking ahead. As they do, they will see a growing need to get their TPRM capabilities in shape for a future that will require even more resilience, adaptability and discipline.