eBook
Building trust with persistent third-party risk management
How technology can enhance efforts to vet, onboard and monitor third parties
In a business environment being reshaped by a global pandemic, the number of third parties companies deal with is on the rise. Companies rely on third-party services to accomplish goals like reducing costs and improving service speed. And as we’ve seen with supply chain disruptions and other pandemic effects, strong third-party relationships are more critical than ever.
PwC research from early 2021 revealed that businesses overwhelmingly expect their dependence on third parties to grow, along with heightened regulatory scrutiny of third parties and an increase in third-party risks ranging from security issues to finance and compliance.
These risks are why a robust third-party risk management (TPRM) program is a key piece of any company’s overall risk management strategy.
Risk and compliance leaders know that the more third parties the company does business with, the more challenging it becomes to vet, onboard and continuously monitor them all. But with the US Department of Justice (DOJ) ramping up scrutiny of compliance programs through updated guidance, confirming that TPRM is integrated into your overall enterprise risk management program isn’t optional; it’s imperative.
Additionally, companies that do business in the European Union or serve EU customers need to confirm that their processes comply with the General Data Protection Regulation (GDPR), and to understand and monitor how their third parties handle customer data.
Strengthening trust with data-driven compliance
Despite the challenges of limited resources, siloed third-party vetting and compliance accountability—and in some cases a mindset that TPRM isn’t business critical—there are also many opportunities. Companies can benefit from stronger, more integrated, scalable TPRM because when it’s integrated into a comprehensive enterprise risk management strategy, it helps strengthen trust among customers, employees, and many other stakeholders.
A technology-enhanced TPRM program gives companies the advantage of quicker, data-driven decision-making to support company strategy, plus a comprehensive audit trail of third-party relationships that both covers you when a regulator asks to see it and offers the opportunity to glean insights from the data you’re monitoring. A digitized TPRM program can make you more nimble, give you a competitive advantage and show regulators you’ve been vigilant and proactive.
More third parties mean more risk
Third-party relationships are numerous and extend into many areas of the business. Look at any company’s catalog of risk functions and it’s clear that third parties can touch on many of them.
And yet, companies have historically under-budgeted for TPRM and other aspects of due diligence. It can get expensive. But technology solutions that automate many historically human-intensive TPRM processes—and make it possible to break down silos by enabling cross-functional collaboration and accountability for monitoring third-party risk—can help increase effectiveness and control costs.
It’s important to note that in some cases, a cultural or mindset shift may also be needed to confirm that the business units that most often engage third parties fully appreciate the need for persistent TPRM, as well as ways they can benefit from it almost immediately.
Fortifying overall compliance and building trust
As with enterprise risk management overall, TPRM done right offers its own set of opportunities.
Knowledge truly is power. When the right people across multiple functions have access to comprehensive data, they can act on that information faster and more effectively. The DOJ expects companies to bolster their ability to use data to drive compliance. Improving data handling across the enterprise should be part of ongoing digital transformation efforts. The DOJ also expects companies to monitor third-party risk on an ongoing basis, not just during onboarding.
Taking a hard look at your TPRM program also offers the opportunity to assess your cybersecurity strategy and identify weak spots. After all, some third parties may have access to your systems and data, so you need to confirm they’re applying the same security measures you expect from your own organization’s enterprise-wide controls and employees’ individual vigilance.
Another element of stakeholder trust is a growing focus on environmental, social and governance (ESG) issues. Compliance leaders are factoring this into their strategies because third-party risk and ESG programs share significant intersection points. After all, third parties’ business practices ultimately reflect on your company, making it critical to confirm they are operating lawfully and ethically. In PwC’s most recent Trust in US Business Survey, almost half of business leaders said they’ve taken steps to achieve an ethical and sustainable supply chain as part of their overall efforts to strengthen stakeholder trust.
Setting yourself up for TPRM success
Many companies have robust, advanced TPRM programs. Those that don’t are definitely playing catch-up. But you have to start somewhere—and even if you have a program in place there’s always room for improvement. Here are some useful questions to ask and next steps to consider:
Are resources adequate? In turbulent times, justifying increased spending in any one area can be difficult. Technology solutions that integrate automation and analytics to help vet and monitor third parties offer a way to control costs and streamline TPRM processes, while also hardening other aspects of data security and cybersecurity. The TPRM solution you select should also be easy to enhance as the regulatory landscape changes.
Are the right people involved and accountable? One mistake some companies make with regard to TPRM is not getting the right people involved in program design and upkeep. Compliance teams should be involved, of course, but so should people close to the third parties (particularly people from the business unit that initiated the relationship).
Is your TPRM aligned with your overall business strategy? This is critical, but it’s sometimes an afterthought. And like your business strategy, your TPRM program should evolve along with changes in the market or company goals.
As with most complex business challenges, there is no silver bullet for managing third-party risk. But when it’s done right, a company can conduct continuous monitoring, establish a single source of truth about how the organization is interacting with each third party, and effectively strengthen trust among its stakeholders.