Many companies continue to face a long list of trials and tribulations pertaining to their third-party risk management programs, according to a new survey jointly conducted by Compliance Week and Crowe Horwath.
When asked to identify current challenges posed by third-party risk management programs, respondents rattled off a litany of compliance woes: lack of technology to help manage workflow, lack of third-party participation, the inability to produce meaningful reporting, and much more.
“Overall, the survey tells us third-party risk management is continuing to evolve,” says Gayle Woodbury, managing director in Crowe Horwath’s risk consulting practice. “Although some companies have clearly moved beyond the basics in terms of maturity, many are still working through some foundational elements.”
According to the survey, 42 percent of 101 respondents cited third-party participation as one of their top challenges. In that respect, robust communication can go a long way toward forging closer ties with third parties, both in their participation in a company's due diligence and ongoing monitoring efforts and in their willingness to work through more rigorous contracting requirements.
“Companies that have really good buy-in and good participation rates from their third parties have a really strong communication process,” Woodbury says. Clearly communicating expectations—as well as why and how the third-party risk management process works—is all the more important, given that third parties have multiple corporate customers, each with different processes and procedures required to satisfy their third-party risk management programs, she says.
Companies with mature third-party risk management programs are those that have built that rapport and mutual respect with their third parties, says Michele Sullivan, a partner in Crowe Horwath's risk consulting practice. If managed well, that rapport can result in numerous benefits, including improved quality in the information that is shared and targeted consolidation of third-party capabilities, resulting in potential cost savings for the company as well as potential revenue generation for the third party, she says.
In addition to third-party participation, 39 percent of respondents cited "lack of technology to help manage workflow" as another top challenge posed by third-party risk management programs.
When asked to identify what tools and technologies they use for third-party risk management, the majority of respondents said they use end-user computing—such as Excel, Access, or SharePoint. Moreover, the use of end-user computing was most common across the board for all kinds of purposes—performance scorecards, control assessments, contract administration, risk reporting, procurement, and more.
Of the respondents who said they use commercially available software, third-party/inventory was the most widely cited (34 percent), followed by contract repository (31 percent), issues management (24 percent), and risk reporting (23 percent). Others said they use it for things like sourcing/procurement, contract administration, and performance scorecards. Fewer respondents said they use an internally developed solution.
More than one-third of respondents (36 percent) said the ability to produce meaningful reporting was also a pain point, which could be due to not having the necessary technology solutions in place. On a related note, when asked to identify what specific types of reporting their third-party risk management program regularly produces, 48 percent of respondents cited "reporting to the board."
Other common types of reporting cited by respondents included key risk indicators (38 percent), third-party performance scorecards (34 percent), and reporting to the senior operating committee (33 percent).
At the bottom of the list, only six respondents said they produce reports on "fourth-party and sub-contracting" risk, that is, reporting on the impact that a third party's own third parties or sub-contractors pose to the company. Woodbury says it's not surprising that only a handful of companies produce such reports, given that this is still an emerging area.
As we see companies’ third-party risk management programs evolve and reach a level of maturity, “I think we will see those areas evolve, as well,” Woodbury says. “We’re seeing some companies reaching a level of maturity where they are identifying the same critical fourth parties or sub-contractors servicing multiple third parties of the company and, therefore, being identified as a higher risk to the company than some of the company’s own third-party relationships.”
Regarding the types of components that companies include in their third-party management programs, many cited the usual controls: risk assessments, control questionnaires, on-site reviews, continuous monitoring, etc.
Compliance Week and Crowe Horwath asked respondents to their third-party risk management poll to select the current challenges facing their company's third-party/vendor risk management program (all applicable answers could be selected).
What was surprising, however, is that “completeness of inventory controls” didn’t rank higher, “because that is such a foundational element of a program,” Woodbury says. “You can’t assess and manage what you don’t know about.”
That finding might correlate, however, with the 36 percent of respondents who said that “identifying third-party relationships” still poses a challenge. This could be an indication that some respondents just aren’t sure about what controls they should be putting in place as it concerns the completeness of inventory controls, Woodbury says.
Those controls will vary depending on the types of third parties that the third-party risk management program covers. There is no silver bullet answer or one tool to put in place that’s going to scour your third-party universe. “You have to look in different places,” Woodbury says. “Some of them aren’t always super intuitive.”
Nearly all respondents (96 percent), for example, said they use traditional vendors, such as products and service providers. With traditional third parties, where the company is paying the vendor directly, one area to focus on is payment controls. “You can look at accounts payable, corporate card spend, expense reports, or procurement card spend,” Woodbury says.
With non-traditional third parties, including revenue sharing or those collecting money on behalf of the company, such as debt collectors, however, you might need to pay closer attention to non-customers paying or sending money to the company. “You may need to look at some of the accounting and revenue recognition processes and follow the money that way,” Woodbury says.
Another survey finding that was surprising, Woodbury says, is the small number of respondents who said they use “internal change-of-use monitoring” (to identify if the company has changed how it’s utilizing third parties). “I expect that’s something we’re going to see shifting over the next few years, especially as new tools and technology come out and companies look for ways to narrow the focus of assessments to drive sustainability,” she says.
Monitoring when a new network communication port is opened or when a physical access badge is requested can help ensure both accuracy and completeness of the inventory. "Companies should be asking themselves if they have mechanisms to identify when these things happen," Woodbury says.
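The discovery sources described above (accounts payable, card and procurement-card spend, expense reports, and change signals such as new firewall ports or badge requests) only improve inventory completeness if someone reconciles them against the inventory. The following is an added example, not code from the survey, Compliance Week or Crowe Horwath, of that reconciliation: it normalizes counterparty names so the same vendor spelled differently in each feed matches, flags parties that appear in a signal but not in the inventory, and ranks them by how many independent sources corroborate the relationship. Every vendor name, amount, ticket reference and the `party` field on the non-financial tickets is a constructed assumption.

```python
import re
from collections import defaultdict

# Added example (not from the survey or Crowe Horwath). All vendor names,
# amounts and reference numbers below are constructed for illustration.

# The third-party inventory the program already knows about.
INVENTORY = {"Acme Cloud Services", "Northwind Collections LLC", "Globex Staffing"}

# Candidate signals from the places the article suggests looking. `amount`
# is None for non-financial signals (a firewall change ticket naming the
# counterparty, a badge request for a contractor). Assumed field layout.
SIGNALS = [
    {"source": "accounts_payable", "party": "ACME Cloud Services, Inc.", "amount": 12000.00, "ref": "AP-1001"},
    {"source": "accounts_payable", "party": "Zenith Analytics Ltd",      "amount": 4500.00,  "ref": "AP-1002"},
    {"source": "card",             "party": "ZENITH ANALYTICS",          "amount": 199.00,   "ref": "CARD-2201"},
    {"source": "card",             "party": "Globex Staffing",           "amount": 800.00,   "ref": "CARD-2202"},
    {"source": "expense_report",   "party": "Quickship Couriers",        "amount": 63.50,    "ref": "EXP-3301"},
    {"source": "firewall_change",  "party": "Zenith Analytics",          "amount": None,     "ref": "CHG-4401"},
    {"source": "badge_request",    "party": "Pinnacle Facilities Co.",   "amount": None,     "ref": "BADGE-5501"},
]

# Trailing legal-form tokens that differ between feeds but not between parties.
LEGAL_SUFFIXES = {"inc", "incorporated", "llc", "ltd", "limited", "corp",
                  "corporation", "co", "company", "plc", "gmbh"}


def normalize(name: str) -> str:
    """Canonicalise a payee/counterparty name: lower-case, strip punctuation,
    drop trailing legal suffixes, collapse whitespace."""
    tokens = re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split()
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def find_unregistered(inventory, signals):
    """Return {normalized_name: details} for every party seen in a signal
    that is absent from the inventory, merging evidence across sources."""
    known = {normalize(n) for n in inventory}
    hits = defaultdict(lambda: {"labels": set(), "sources": set(), "spend": 0.0, "refs": []})
    for sig in signals:
        key = normalize(sig["party"])
        if not key or key in known:
            continue
        hit = hits[key]
        hit["labels"].add(sig["party"])          # raw spellings, for the analyst
        hit["sources"].add(sig["source"])        # independent corroboration
        hit["spend"] += sig.get("amount") or 0.0 # only financial signals add spend
        hit["refs"].append(sig["ref"])           # where to go to confirm
    return dict(hits)


def ranked(hits):
    """Order flagged parties: most independent sources first, then spend."""
    return sorted(hits, key=lambda k: (-len(hits[k]["sources"]), -hits[k]["spend"], k))


HITS = find_unregistered(INVENTORY, SIGNALS)

if __name__ == "__main__":
    for key in ranked(HITS):
        h = HITS[key]
        print(f"{key:24s} sources={sorted(h['sources'])} spend={h['spend']:.2f} refs={h['refs']}")
```

In the constructed data, Acme and Globex reconcile to the inventory despite different capitalization and a legal suffix, while Zenith Analytics is flagged from three independent feeds (AP, card, and a firewall change ticket) and therefore ranks above the single-source hits. A party that shows up only in a badge or firewall request with no spend is still surfaced, which is the point of the change-monitoring controls the article describes: the relationship is visible before any invoice reaches accounts payable.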
Centralized vs. decentralized
In the survey, respondents were also asked which operating model best describes their third-party risk management program. A variety of answers were provided including, but not limited to:
Centralized in procurement (21 percent);
Decentralized: risk management embedded within each business unit (18.7 percent);
Hybrid, with centralized components in procurement (16.5 percent);
Centralized in operational risk management/enterprise risk management (15.4 percent); or
Hybrid, with centralized components in operational risk management/enterprise risk management (14.3 percent).
Centralizing third-party risk management in procurement may not always be the best option. The tendency in many companies has been a migration away from having third-party risk management centralized in procurement, Sullivan says. “Often, procurement’s metrics in terms of success are focused primarily on spend and aren’t necessarily aligned to holistic management of risks presented by third parties,” she says.
Just a few respondents said they have a centralized or hybrid model in IT or information security. “There is not a right answer across the board,” Woodbury says. It will completely depend on the company’s size, structure, and the overall maturity of its third-party risk management program, among other factors.
In addition, respondents were also asked whether the procurement and contracting functions were integrated with the third-party risk management program. Nearly half responded that both the procurement and contracting functions are integrated.
However, the second highest number of respondents (21 percent) answered “no” and further said they don’t have plans to integrate procurement or contracting, which could be a mistake. “We’ve seen it works really well and drives efficiencies for many companies that have those functions really well aligned, because procurement and contracting are critical pieces of the third-party management cycle,” Woodbury says.
Overall, survey respondents that rated their third-party risk management programs as most mature commonly utilize procurement, contracting, and third-party risk management technologies. They also tend to incorporate continuous monitoring tools and completeness and accuracy of inventory controls, and they have expanded their programs to cover traditional vendors, non-traditional third parties, fourth parties, and others.
“Third-party risk management is as much about the journey as the destination,” Woodbury says. “It’s important to learn as you go and continue to build upon a solid foundation, increasing your coverage and improving your precision in understanding and managing the risks presented by your third-party relationships.”