After a crisis few saw coming, should you view risk in a new light?

5 minute read 27 Aug 2020

There are three imperatives for third-party risk leaders to action as they face altered realities post pandemic.

In brief
  • The third-party operational trade-offs of resilience, efficiency and cost must now be considered and aligned to an organization’s strategy and risk appetite.
  • A re-evaluation of risk methodology provides an effective way to address future risk concerns and integrate with enterprise-wide risk initiatives.

In the current COVID-19 pandemic landscape, organizations are faced with an unprecedented duality: of managing the transition to a “new normal,” while also reimagining the future of work and business.

Third-party risk leaders must take this opportunity to take on board recent learnings of how to manage third-party relationships and maintain risk-controlled operational continuity during the pandemic. Simultaneously they must challenge themselves and their current third-party risk management (TPRM) programs to improve resiliency, increase effectiveness and drive transformation while reducing cost.

For the TPRM function to transform, and reimagine the alignment of enterprise-wide risk to future business strategy in a post-pandemic world, it requires thinking in three key areas.

1. Strategic review of third parties

A strategic review of third parties considering lessons learned in the pandemic is critical to operating in the new normal and preparing for more uncertainty in the future. And balancing the risks and benefits of using third parties is key, and TPRM will play a critical role.

The third-party operational trade-offs of resilience, efficiency and cost should now be considered and aligned to an organization’s strategy and risk appetite. This could potentially result in a redefinition of what organizations consider as truly strategic third parties – including the specialty of the service provided, geographic location, risk exposure and exclusivity of the relationship.

In-house control over operations during uncertain times may be desirable, but outsourcing can offer its own benefits, so leaders need to weigh up both short-term and long-term benefits and risks.

For example, organizations are now considering the cost advantages of having significant Indian outsource operations against the recent infrastructure and security challenges presented by remote working during lockdown. A common response has been to begin moving more critical or high-risk services, such as customer-facing services, to near- or on-shore outsource providers, or bring them in-house completely.

An organization’s ability and desire to take on risk is of course impacted by recent events, so risk tiering should reflect this new perspective and diligence activities applied accordingly. Critical definition may also be expanded to include third parties that are strategically important and/or niche and hard to replace.

During uncertain times, leaders need to weigh up both the short-term and long-term benefits and risks of keeping in-house control over operations versus outsourcing. A common response, following the COVID-19 pandemic, has been to begin moving more critical or high-risk services, such as customer-facing services, to near- or on-shore outsource providers, or bring them in-house completely.

The EY Global Third-Party Risk Management Survey 2019-20 revealed that 18% of third parties in scope for a TPRM program or function were classified as critical. This varied by industry – higher percentages were in the non-financial services industries, with advanced manufacturing and mobility being the highest at 37%. These could increase further as organizations review classifications.

Evaluating the use of third parties across operations, and the significance of those operations to the organization, will reveal varying risks. Understanding the organization’s interconnected supply chain and leveraging nth parties to support operations, production and provide services allow organizations to find alternate providers, align reserve inventory planning and strengthen contract language.

These activities and resulting consequences can decrease risk in the post pandemic world.

2. TPRM framework and operating model evaluation

Next, third-party risk leaders should revisit their organization’s TPRM framework and operating model with a renewed focus on cost reduction and increased risk management. This allows them to use the recently learned lessons to review the effectiveness of the TPRM function and minimize future risks to third-party operations.

In particular, a re-evaluation of an organization’s risk methodology, with a focus on resilience, provides an effective way for leaders to address future risk concerns and integrate with enterprise-wide risk initiatives.

Cost reduction can be achieved through new approaches or resource models. Risk leaders are now realizing that a proactive, centralized approach can better manage third-party risks in a way that delivers the growth, confidence and trust needed to strengthen the business.

The recent EY TPRM survey revealed that 50% of organization respondents operate a centralized TPRM program, while 39% operate a hybrid model of centralized and decentralized operations. Outsourcing TPRM to a managed services provider is another approach gaining traction: 45% of surveyed organizations expect to adopt this approach over the next two to three years, while 56% plan to use more market utilities/exchanges.

A shift to larger volumes of remote assessments and the resulting organizational requirements should also be considered in operating model evaluations as work force models evolve and future operating models are assessed.

A centralized approach can deliver confidence and trust

50%

of organization respondents operate a centralized TPRM program.

Outsourcing TPRM to a managed services provider is gaining traction

45%

of surveyed organizations expect to adopt this approach over the next two to three years.

3.  Adoption of technology and data

Technology and data are not new drivers of efficient and leading TPRM programs; however, their importance will be heightened in the post pandemic world as workforce models and supplier interactions evolve.

Real-time and on-demand data enable TPRM leaders to make more informed decisions, which is a necessity with the current and future global uncertainties. The integration of dedicated TPRM platforms or modules connected to enterprise risk systems provides alignment across the organization and to external suppliers. This further enables real-time and accurate data to drive better TPRM decisions.

However, many organizations have been slow to adopt a dedicated technology platform. The EY TPRM survey indicated that 43% of respondents do not have a dedicated TPRM technology platform and more than 86% use a manual process or reconciliation to enable reporting.

Slow adoption of a dedicated technology platform

43%

of respondents do not have a dedicated TPRM technology platform.

Risk leaders may wish to rethink this, as the use of new technologies such as machine learning and data analytics can enhance automation and continuous monitoring to lower costs and improve overall operations. These are also necessities in a post pandemic world.

Reimagining the TPRM function

By capitalizing on this time of uncertainty and recognizing and reflecting on learnings from the pandemic, TPRM leaders can reimagine the TPRM function’s integration across the organization and overall interaction with third parties.

A strategic review of third parties, a renewed look at TPRM framework and operating model, and adoption of data and technology are key considerations for TPRM leaders to transform their functions and help future-proof in a post pandemic world.

Summary

Third-party risk leaders have an opportunity to reimagine their TPRM functions’ connection with the organization and with third parties. There are three key areas on which leaders must focus: a strategic review of third parties, an evaluation of the TPRM framework and operating model, and the adoption of technology and data.

About this article