The July 2019 Shared Assessments Member Forum introduced the first sections of the Program’s Third Party Risk Management (TPRM) Framework. The Framework is a new member resource designed to provide TPRM guidance to risk professionals across the experience spectrum. The first module of the Framework focuses on risk basics and provides a foundational grounding about broadly applicable risk management concepts. This module goes on to introduce readers to a range of important TPRM practices, such as maintaining vendor inventories, differentiating critical vendors and basic resiliency techniques, such as testing ability to recover from an unplanned service interruption.
As part of the presentation, we polled Forum attendees on four subjects, and the results were instructive. Without a coherent perspective on risk limits, outsourcers may well find they have taken on more risk than is prudent or the board expects. To test the notion that even when boards develop complete risk appetite statements, they often fail to socialize risk appetite in a way that can be useful when making decisions about third party risk at the business unit level we asked: “is your organization’s risk appetite widely understood and applied and deployed?” Sure enough, more than 40% of attendees reported a negative response.
Is your organization’s risk appetite widely understood and applied throughout your organization?
The second polling question was designed to test whether attendees had a vendor inventory that is accessible across their organization. The results of that polling question were surprising – more than 43% said that even this most basic TPRM requirement was not available. Without a widely available vendor inventory, outsourcers have a much harder time protecting against concentration risk, the exposure that comes from too much centralization of third party resources into a single vendor. If a vendor that poses multiple points of exposure fails, consequences may be felt across a number of important functions without management recognizing the extent to which concentration risk is a major point of vulnerability for the organization.
Does your organization have a complete vendor inventory accessible enterprise-wide?
The third polling question was designed to test another basic but critical requirement – that outsourcers clearly differentiate those vendors that have the potential to expose the outsourcer to the highest levels of risk. The polling results in this instance were heartening – almost 95% of responses said they regularly differentiated critical vendors; a task that allows outsourcers to better match the degree and type of due diligence activities to the amount of risk a critical vendor may present.
Do you differentiate critical vendors in your inventory?
The final poll was designed to provide insight into the extent to which attendees’ test their organizations’ ability to restore services after an interruption. Vendor testing is a subject that Shared Assessments explores in our , conducted annually in partnership with Protiviti. The results of this informal poll tracked nicely with Benchmark Survey findings – about 75% of the Forum participants test regularly.
Have you tested your ability to quickly restore all critical services?
Whether you are a practitioner new to the field of third party risk management or a long time veteran, we think you’ll find the new Shared Assessments TPRM Framework a uniquely valuable resource. You can download the first two sections at (https://sharedassessments.org/framework/). The next Framework module, which focuses on periodic assessments and continuous monitoring, will be made available soon. Watch for the upcoming release notice.