Worried About Third-Party Risk Management? Your Procurement Team Can Help!


Spend Matters welcomes this guest post from Wayne Weil, director, performance improvement at Alvarez & Marsal.

One of the hottest topics in the financial services regulatory world is third-party risk management (3PRM). While regulated firms scramble to meet new guidelines, they may be surprised to find there is a group within their organization that has been working to accomplish many of the same goals for years: the procurement organization. The people, processes and tools found within most procurement organizations can provide a powerful complement to the compliance organization’s third-party risk management aims. As firms grapple with developing compliant 3PRM programs, they would be well served to partner with their procurement teams to jump-start the implementation, as well as to capture the additional hard-dollar benefits that have been the yardstick for success in traditional vendor management.

Over the past several years, all of the major financial regulators have opined on the topic of 3PRM, including the Office of the Comptroller of the Currency (OCC), the Financial Industry Regulatory Authority (FINRA), the Securities and Exchange Commission (SEC) and the Federal Reserve (Fed). This guidance, as with much regulation, articulates a high-level description of the characteristics of a compliant program rather than providing a prescriptive “how to” guide.

The relative lack of specificity has left regulated firms struggling to define and then implement a compliant program for managing third-party risk. In response, firms have prioritized and invested in both wider and deeper oversight of vendor relationships. What they may not realize, however, is that just down the hall, procurement has been wrestling with many of the same issues for years and has probably already built many of the processes and tools needed to meet these new regulatory demands.

Regulatory guidance on 3PRM comes in many flavors, typically couched in language that is long on principles but short on actionable direction. There are, however, common elements across the various pieces of guidance:

  • Segmenting the vendor portfolio based on the degree of risk each represents to the buyer organization and identifying vendors whose products/services support “critical” activities and whose potential failures would be most impactful
  • Tailoring the depth and frequency of diligence and oversight to be commensurate with that risk-based segmentation
  • Adopting a “lifecycle” approach to managing vendors (and the attendant risks) that begins with planning prior to any interaction; continues through due diligence, selection and contracting; provides ongoing monitoring during the active life of the relationship; and contemplates the eventual termination of the relationship

The traditional activities of the procurement organization already cover many of these elements. A lifecycle approach to vendor relationships has long been considered a “best practice” in the procurement world, as is the concept of segmenting vendors, although procurement’s segmentation is often based more on commercial considerations (e.g., spend volume) than on risk concerns.

And while traditional procurement organizations may have devoted less attention to ongoing monitoring, here, too, there may be an answer already lurking within the firm at large. Many firms have, in one form or another, created a vendor management (VM) function to perform ongoing monitoring that is very much in line with what regulators want. Organizationally, the VM function may live within a larger procurement organization, reside in an IT or Operations group or leverage the “relationship owners” across the business, in distributed fashion, to perform the ongoing monitoring as part of maintaining the relationship. Regardless of organizational alignment, the people, processes and tools can be valuable contributors to solving the 3PRM challenge.

So, how should organizations unite the needs and capabilities of the compliance and procurement functions to deliver a compliant 3PRM program? The compliance function, in response to regulatory focus, is clearly in a position to establish the urgency and spur the organization to action, securing the executive support and, more importantly, the budget required to build out a comprehensive 3PRM effort. Additionally, compliance has the experience in crafting policy and demonstrating alignment with regulatory imperatives needed to build the procedural framework.

Procurement, on the other hand, has the people, processes and tools that can serve as the infrastructure to make compliance’s procedural framework a reality. Working together, these two groups bring both the theoretical and practical expertise required to build out a compliant 3PRM program.

As the compliance team begins to draft the policies and procedures that will define a compliant program, existing procurement policies are a natural starting place. Rather than beginning with the regulatory guidance and a “clean sheet of paper,” a more effective first step may be examining existing procurement and vendor management processes and performing a gap analysis between them and the regulatory guidance. Making modifications to an existing set of processes will have a lower impact on the organization and, accordingly, a higher chance of successful implementation. Moreover, the resources are already in place to execute on the procurement processes, so aligning the compliance requirements to what procurement is already doing will lower the incremental cost required to demonstrate compliance with third-party risk management requirements.

A final argument in favor of the compliance-procurement partnership relates to the different, but complementary, benefits that each group pursues. Compliance, directed by regulatory guidance, focuses on mitigating third-party-related risks that could threaten ongoing operations, the viability of a division or firm, or the financial services industry as a whole. Procurement’s focus, instead, is often primarily on risks that could result in near-term financial impact: rework, downtime, overpayment and the like. By leveraging procurement’s people, processes and tools, a compliance-procurement partnership can clearly accelerate the path to demonstrating compliance with compliance’s board-level set of concerns. However, by empowering those procurement people, processes and tools with the urgency and organizational resolve that compliance brings, some additional, more tangible benefits can also be realized.

While the risks addressed by the procurement approach to vendor management may seem more mundane, they can and do result in quantifiable “hard” benefits: better “value for money” from vendors, higher quality service, higher customer satisfaction, fewer errors and less rework. These hard benefits, which flow directly to the bottom line, can serve to offset the additional investment required to meet the compliance mandate and are at the heart of the “win-win” partnership between compliance and procurement.

Traditional procurement and vendor management organizations have been making the case for years that investment in their processes and tools will generate tangible returns at a multiple of their costs, but in many cases have had trouble garnering the senior executive support needed to fully deliver on that promise. Enter compliance and the current focus on third-party risk, offering board-level attention and budgetary support, but in need of a way to implement. The power and mutual benefit of a partnership between these groups seems self-evident and is, at a minimum, worthy of consideration.

As boards of directors, senior executives and compliance leaders tackle the many challenges of third-party risk management, it behooves them to seek out the vendor experts within their own organization. They will likely find a group already focused on many of the same issues and with many of the building blocks required for a compliant solution.

Not to mention, they may even save the organization a few bucks.
