Creating a Successful Third-Party Risk Management Strategy: What You Need to Know


It’s almost 2018 and time to think about updating — or creating — your risk management program for next year. Financial health ratings firm RapidRatings recently held a webinar on the most important factors to consider as you plan your risk strategy. Presented by Brian Sica, director of sales operations at RapidRatings, “Developing a Third-Party Risk Management Strategy for 2018” takes a broad approach to the topic, starting with alignment to business objectives before progressing to the actual planning and execution of the program.

For procurement professionals, risk management never ceases to be a pertinent topic. According to a Deloitte study from earlier this year, managing risks is one of CPOs’ top business priorities — and for good reason. During the webinar, the audience was polled on whether they have experienced a supplier or vendor disruption within the past 24 months, and 48% said that they have.

Sica started off by saying the implementation of third-party risk management programs generally occurs in three phases: planning, execution and refinement. RapidRatings has found that in the cases of unsuccessful risk management programs, the fault oftentimes lies in organizations not paying enough attention to the planning phase. People tend to want to jump right into the execution phase, Sica explained, but planning is crucial for success.

One of the first things to do in developing a risk management program is to tie it to the broader objectives of the business. Sica mentioned increasing revenue, decreasing costs and increasing asset utilization as three of the major objectives that all businesses likely have.

For example, a large organization that is trying to expand internationally or into a new market would want to at least protect, if not increase, its revenue. Since the organization is less likely to have logistical networks in place for its new overseas market, there is a large amount of risk associated with the expansion, and consequently a need for a comprehensive risk management program.

In more mature industries like automotive, Sica said, third-party risk tends to be tied back to cost cutting. Think supplier disruptions, such as when BMW car production stalled earlier this year due to a shortage of steering systems from its supplier, Bosch.

When it comes to actually putting together a risk management strategy, Sica suggested a five-step approach, which is as follows:

  1. Understand the types of third-party risks that your organization faces
  2. Segment your third parties by criticality
  3. Standardize data to evaluate risk
  4. Create an organizational structure to support risk initiatives
  5. Define how success will be measured

We’ll look at a few of these steps more closely. The likelihood is high that you already have a good idea of the biggest risks your third parties expose your organization to. If you’re in the banking industry, information security risk would be a top issue. If you’re in the energy industry, your biggest risk might be environmental, including natural disasters. If you’re in manufacturing, you might rely on a small, family-owned business for a particular product. “[Manufacturing companies would] need predictive analysis to determine whether that organization can withstand a disruption, like a recession or [increased] interest rates,” Sica said.

But perhaps fewer procurement organizations have completed a thorough supplier segmentation. One of the first things to determine is supplier criticality, and for this Sica recommended asking yourself a few simple questions. Is the supplier a sole-source supplier? Is it integral to business operations? Is it associated with a high amount of spend? If you answer yes to one or more of these questions, the supplier is a more critical one.

The next thing to think about is the amount of data available on each supplier. Information on public companies will of course be much easier to get, whereas data on private companies will require some digging. “It’s very important to collect that information directly from those companies,” Sica said. “You need an efficient process for that … understanding what information you need to collect is paramount to properly segment your suppliers.”

The most difficult step to achieve, however, is the last step, measuring success. Sica noted that RapidRatings’ clients struggle with this, and perhaps many Spend Matters readers have struggled with it, as well. How exactly do you know if you’re mitigating risks?

Sica suggested coming up with different measurements for short-term (think first few months) and long-term success. One sign of short-term success is simply the ability to collect more information and make risk evaluations more efficiently. In the longer term, measurements of success include whether your organization has been able to protect revenue and reduce costs that result from supplier disruptions.

Toward the end of the webinar, the audience was polled on the success of their supplier or third-party risk management program. Forty-three percent considered themselves somewhere in the middle — attempting to implement clear goals and demonstrate ROI. A considerable percentage, however, said that they have not been able to achieve either.

We would like to flip the same question to our readers. How successful is your third-party risk management program? Tell us in the comments below!

The full webinar replay is available here.
