Spend Matters welcomes this guest article by Ian Cotter from GEP.
In today’s business environment, companies are more reliant on their network of vendors, contractors and partners than ever before. Complex business processes are intertwined between companies and their supplier networks, and this has made it difficult for those companies to effectively monitor and assess their information security and third-party risk.
The wave of recent data breaches at Fortune 500 companies such as JPMorgan Chase, Apple iCloud, Home Depot and Target raises serious concerns about the rigor of the private sector’s information security and third-party risk management practices.
In the last 2 years, there have been more regulatory updates regarding third-party risk than at any other point in time. Media attention and penalties imposed by industry regulators have made the oversight of third-party risk a top priority for all levels of management within large organizations. It is now a “board level” issue for most companies. Various regulators and industry bodies have each issued their own third-party risk management guidelines, creating overlapping requirements that depend on the types of services the organization has outsourced.
It is imperative that companies take a proactive approach and implement a third-party risk management (TPRM) program to mitigate the risk of a serious breach. Implementing a TPRM program is a complex process, but it is a vital step in understanding the risks inherent in contracting with third parties and in effectively managing enterprise risk. Third-party risk management is not a “one-size-fits-all” approach: the level and type of risk assessment to be performed depends directly on the scope of work a third party performs and the type of data or information shared, and the service it provides may trigger different regulatory compliance obligations.
The first step in implementing a TPRM program is to segment your existing supply base to identify the suppliers that need to be covered by TPRM. Once those in-scope suppliers are identified, you must begin actively monitoring them. This includes creating “risk scorecards”: you perform detailed risk assessments and provide the results back to the suppliers so that they can start working on any action points the assessment uncovered. The scope and frequency of the various assessments must match the risks associated with the services the vendor provides. If a risk assessment identifies any critical issues, a contingency plan should be put in place for that particular vendor. In certain instances, an exit plan needs to be put in place if the risk is deemed too high.
An effective and efficient TPRM program will provide important, quantifiable benefits to the business. You will have enhanced visibility into your suppliers’ performance, and this can actually help strengthen your supplier relationships. A good TPRM program will also help you standardize and simplify your new vendor onboarding process and your ongoing risk assessments. Most importantly, it can help keep your company off the front page of a newspaper for all the wrong reasons.
For more interesting thinking on procurement, visit the GEP Knowledge Portal.