Being prepared for third-party risk events – Think big, start small, grow fast
10/03/2024

The appetite for third-party risk management (TPRM) within procurement and the supply chain is keener than ever before — risks are more numerous and complex in what is an increasingly fast-paced and global business environment. (Read our analysis: Risk is complex — The different types and sources of risk.)
From chip shortages to geopolitical tensions and pandemics to canal blockages, recent years have highlighted the ever-present vulnerability of global supply chains. According to our analyst, “the world in which companies operate has reached levels of VUCA (Volatility, Uncertainty, Complexity and Ambiguity) not witnessed for many decades, and which will neither disappear nor shrink any time soon.”
As a consequence, senior executives increasingly recognize the need for a comprehensive approach to risk management. Compliance-driven functions are giving way to a more holistic view of risk, driven not only by regulatory but also customer and executive mandates. This includes addressing immediate risks and building resilience and agility in supply chain operations for the longer term.
This quarter, Spend Matters is focusing on third-party and supply chain risk management (SCRM) and speaking with industry experts to better understand the nuances of risk and how practitioners can both recognize and address them.
Dean Alms is chief product officer at integrated risk and resilience solution specialist Aravo Solutions. We tapped into his 20-years-plus experience within the industry to get his take on the risk landscape of today.
Appetite for risk management has evolved over recent years
Aravo has been receiving risk-related requests from its customers for over 20 years, so the appetite for risk is nothing new, just different. “What has changed,” he tells us, “is the desire to look at third-party risk more holistically. Traditionally, the types of customer requests are very fragmented for a particular risk domain. They come primarily from a cyber perspective, from an anti-bribery and corruption (ABAC) perspective, from an ESG and a supply chain resiliency perspective and, of course, data privacy.
“Because regulations have come into play and firms have witnessed various risk events, there is usually someone in the organization who is held accountable for addressing a particular risk. But, businesses have implemented a number of disparate technologies over the years to respond to risk concerns and have thus introduced organizational fragmentation around addressing risk.
“So, what we are seeing now is a greater need for unified visibility and control across a number of risk domains — which is where our focus lies.”
How the risk landscape has changed for procurement practitioners
Risk management is, and always will be, an expanding area. But according to Dean, cyber, infosec and data privacy are the areas of concern that have ramped up over recent years. And today, the responsible use of AI can be added to that list. “AI use is becoming a very important consideration when companies measure their third parties’ risk exposure,” he says, “especially in terms of data source, algorithms and so on. A number of different initiatives have come into play, like GenAI, that have added to the risk management pool. So AI has definitely become a big topic because of the liability associated with it. For example, if your provider is using AI and doesn’t have the rights to use the data they are supplying to you, then you, having bought that data, are held accountable for ‘the sins of their suppliers.’ So it can be a double-edged sword, and it’s really important for companies to keep aware of what’s going on and manage that risk accordingly.
“Our customers, particularly in Financial Services, in high-tech firms and in the Pharmaceuticals sector, want to understand not only what their third parties are doing with AI but also how we, as their provider, are using AI to help them more efficiently and accurately assess their risk exposure. With anything up to 200,000 third parties to manage, our customers can clearly gain efficiencies from the use of AI if applied meaningfully. With TPRM, 60% or more of the effort is collecting data from third parties. Targeted AI processing promises to take what used to take weeks or months down to hours or minutes.
“Cyber is also a huge risk concern right now. One financial services company we talked to saw a 600% increase in the number of ransomware attacks against its supplier base over a two-year period. And that’s something we hear often. In the automotive industry earlier this year, a major software provider suffered a ransomware attack; it had to pay $25 million in fees to get its systems back online, and even so, it brought down 15,000 automotive dealerships for five days. Then we saw the CrowdStrike situation which impacted many businesses, particularly the airline industry. These highly newsworthy events serve to highlight why businesses are nervous about this risk.
“But looking at the macro picture, it shows how the digital transformation that has been going on for the past decade or so has interconnected organizations to the point where, if something goes wrong in the IT environment, it impacts the extended enterprise landscape, not just one company. And while digital transformation has brought a lot of efficiencies, it has also brought about quite a few new risks that need to be managed in a much more diligent way than we have done in the past.”
Fortunately, the ability to detect risk further down the supply chain is growing
According to Dean, many companies are still struggling to manage their initial third parties, let alone tackle the opaqueness of the deeper tiers. However, deeper-tier risk visibility is becoming more achievable through technology. “It takes risk-intelligence technology to detect all the suppliers in the chain,” he says, “because questionnaires alone don’t work.
“But even then, there are some risk events that you cannot foresee. For example, because all companies use software in order to operate, and many use various cloud service providers like Google Cloud, Microsoft Azure or Amazon Web Services, when something goes wrong, the risk is concentrated and impacts every company using that infrastructure.
“There is little companies can do to mitigate those events, except rely on the provider to provide as much backup, recovery and resilience around those systems as possible.”
Having said that, risk mitigation stands a better chance if every arm of a business is captured in the risk assessment and monitoring process.
Risk must be managed for every business unit
There are two main macro processes that Aravo’s customers choose to address risk.
One is full lifecycle management of a third party. That means bringing all relevant parts of a supplier into the system — multiple business units, managed services, consultancy, the implementation team, etc. — because all of those various entities have a different risk profile. “Companies need to manage risk not at the company level, but at the engagement level,” says Dean, “from enrollment, to onboarding, to continuous monitoring to offboarding, each must be carried out in a disciplined manner.”
The second is due diligence for the various risk domains. “In terms of data capture,” he says, “you need all the information on a third party in one place so you can manage that risk. Then it is put through an evaluation engine so it can be scored in terms of the scale of its risk. Then there is remediation, the turning of identified risk from high (red alert) into low (green) and giving the customer corrective actions to consider. Then there is the overall review and auditing of what has taken place with a given customer.
“But, in a fragmented company, certain risks are assessed with one technology and others with another. So what we are hearing increasingly is a desire to centralize risk, to bring it all under a single umbrella to avoid data redundancy. Having different databases of suppliers to manage is convoluted and likely to get out of sync, so these customers want unified visibility into risk for a given company. That way they can be fully aware of any risk at every level before they allow a supplier into their system.”
The main drivers of risk management
Aravo finds that when it begins its discovery process with a customer, four main business objectives come up that drive a company’s pursuit of a risk management program:
- Revenue assurance — to make sure their suppliers are able to deliver so they can deliver their end product to their customers.
- Financial liability — that liability comes from fines and lawsuits as well as ransomware and recovery costs.
- Regulatory compliance — often the number-one driver for financial services and pharmaceuticals.
- Brand reputation — with long-reaching effects.
“A very big issue facing the market right now,” says Dean, “is supplier fatigue. With every company that is implementing a TPRM program asking the same questions of their suppliers, and those suppliers asking the same of maybe hundreds or thousands of their suppliers, we get ‘fatigue.’ This means responsiveness is reduced and the quality of the data goes down. So using risk-intelligence providers to capture information from data firms is far more efficient than forcing a third party to answer multiple questionnaires. And this is why Aravo responded by carrying out ‘Intelligent First Data Capture.’”
Be prepared for risk events
Whatever the driver for risk management, a company must accept that risk events will happen. When one does, sometimes the customer is left bemused over how it happened and, importantly, unsure of what can be done about it. “When Silicon Valley Bank went down,” he says, “it caught a lot of people who relied on it solely off guard. They ran into all sorts of issues, including payroll. So what we encourage is: take a look at a risk event when it happens; ask yourself what was your overall compliance stance?
“Risk event levels of engagement are:
- Ignorance: when the event happens with no warning, like CrowdStrike, and you haven’t considered how it could affect you.
- Negligence: where you knew there was a risk, but you chose to ignore it. (This could result in millions in fines because you had no system in place to manage it.)
- Tolerance: where you know a risk is possible, but the cost of mitigation is so high that you choose to accept the risk and source alternatively should it happen. Sometimes there are just no alternatives.
- Diligence: where you seek to be compliant with all of the possible risk issues. You have a TPRM program and you are monitoring and managing the risk.
- Persistence: where you have built a culture around risk, like ESG or human rights concerns, rather than simply complying with regulations. Persistence takes compliance to the next level.
“So risk has to be looked at through a multi-focal lens. There are many facets to risk and many levels of risk that a business has to deal with. It’s important to decide where you sit on that spectrum. You don’t want to be ignorant or negligent. But the other three are a choice you have to make.
“My advice is: look at the risk opportunities, avoid being reactionary and get to know what could happen, especially for a critical supplier, and what steps you are going to take if it does — build in your plan of record.”
Selling TPRM to the business – think big, start small, grow fast
It’s important to decide what you want out of your overall third-party risk management program if you want to sell its benefits to the business. But, just like every business unit presents a different risk profile, so each risk owner has different motivations.
“There are several different roles that TPRM sells to,” says Dean. “These include the CPO with the full picture, the CIO with the cyber piece of the equation, the chief privacy officer because of GDPR, the chief sustainability officer for ESG or the chief supply chain officer. So you have to consider the role of your buyer and the problem they want to solve. And this is why it’s important for the business to consider the program in a much broader sense, because the experts who understand one set of issues might not understand those of other domains, like within InfoSec or Regulations or Privacy. But there does need to be a centralized component for operational efficiency rather than operating with pockets of technology that eventually someone is going to have to bring together in order to report. And procurement officers require some centralization because ultimately they are the ones who need to make the right choice over which third parties to work with or, conversely, disengage with.”
Some solution providers, like Aravo, offer a projected payback solution — an ROI tool.
“We encourage users to include the business objectives in the ROI tool as much as the operational ones because oftentimes companies think in terms of tangible savings, like less headcount. But there are clearly savings that are not tangible but which could definitely affect the bottom line, like compliance regulations, GDPR and others, which if you fail to meet, could cost you dearly. The German Supply Chain Act, for example, levies a penalty based on your overall revenue. So it’s wise to factor in those business outcomes, not just your operational outcomes, to get the full ROI picture.
“However, we do encourage everyone to think through the full life cycle as well as all the different risk domains. But start small. Pick a domain or two. Then grow. And ultimately, a TPRM program will more than pay for itself.”
Many thanks to Dean Alms of Aravo for contributing to our series on risk management for procurement practitioners.