Enterprise Risk Management [Part I]: A Primer on the Basics of Third-Party Risk Management
A Quick Review: The Basics of Enterprise Risk Management
Let’s begin our Enterprise Risk Management (ERM) mini-series of blog posts by taking a quick look at the basics of ERM.
As a process made possible by an organization’s management, support personnel and project leaders, ERM is applied to all aspects of a business and applied to the whole business entity. An ERM protocol is designed to pinpoint and manage any potential events that may have an adverse effect on the company’s ability to reach crucial, strategic goals.
Further, adopting an ERM strategy allows organizations to develop a holistic perspective on the most significant risks that stand to prevent the achievement of objectives.
The various risks are typically classified as financial, operational, strategic and hazardous. Additional considerations include insurance liabilities and technology and data risks.
What Is the ERM Framework?
As you likely understand, any type of risk management requires ongoing attention ERM is the same, having no “end point.” The need for vigilance is constant, but with an ERM framework, risk becomes more easily manageable.
The ERM framework consists of the following:
- Strategy and objective setting
- Risk identification
- Risk assessment
- Risk response
When business leaders adopt this framework and look at ERM as a process that must be regularly tended, managing risk becomes simpler for everyone on the team.
Where Does Third-Party Risk Management Fit in the Realm of ERM?
Some people may think of ERM and Third-Party Risk Management (TPRM) as interchangeable, but they are actually two completely different functions.
While ERM operates at the highest levels of an organization—most frequently banks and other financial organizations—resulting in a top-down approach that applies across all facets of the business, TPRM is most often thought of as a subset of ERM.
Most importantly, TPRM delves much deeper into various aspects of vendor management, as well as other third-party relationships, than ERM does.
Why Has Third-Party Risk Management Become an Increasingly Important Component of Risk Management?
All types of organizations are increasingly outsourcing certain functions of their business out to third-parties that specialize in the areas they need. Outsourcing functions may include human resource responsibilities, payroll administration, cloud solutions, IT support, graphic design and web development, and much more. Third-parties include businesses like vendors, suppliers, business partners, brokers, contract manufacturers, distributors, agents and resellers.
Regardless of the type of third-party or service rendered, the arrangement is invaluable, allowing businesses to tap into high-quality, specialized talent and expertise without having to hire and train staff in-house, which is comparatively more expensive than outsourcing. Business leaders frequently look to outsourcing to cover long-term projects that do not warrant hiring a full-time staff member.
With all of that expertise, relying on a business that may or may not follow the same risk-related protocols as the client company, there most certainly comes a reasonable concern about potential third-party-related risks.
Per recent research by CFO Research Services and Crowe Horwath, outsourcing is quickly becoming more the norm than the exception. It turns out that two-thirds of survey respondents indicated that they interact with third-parties regularly while only four percent stated that they rarely or never do.
Further, many businesses may outsource more than one—or even several—functions to different vendors, so the need for businesses to peer more critically into third-party risk issues is crucial.
What Is Third Party Risk?
Sometimes understanding the risk you face is the first, and most important step, to determining how to manage it when choosing to work with a third-party associate.
Following are just a few types of potential risk that may result from third-party relationships:
Such risk is often due to a third-party having made adverse business decisions, or their not having properly implemented the necessary business requirements to meet their goals.
Basically, if a third-party entity suffers from poor public opinion, the client company’s business may ultimately suffer as well.
This risk is associated with inadequate or failed processes, systems, people or other external factors. Such inadequacies and complexities within a third-party organization may cause unnecessary complexities and issues for the client company.
Transaction risk arises from problems with service or product delivery. The third-party may fail to perform as anticipated by customers or the financial institution due to reasons that may include technological failure, human error, fraud or inadequate capacity. Any one of these can expose the client to transaction risk.
When the third-party is unable to meet the terms of their contractual arrangements with the client, they may become a credit risk. However, most often the credit risk is associated with the financial condition of the third-party itself.
If a third-party company violates rules, laws or regulations, it may reflect on the client company. Once a third-party relationship has begun, they must comply with any of the same necessary rules, laws and regulations that the client business must.
What Is Third-Party Risk Management and How Can You Use it in Your Organization?
If you are considering outsourcing one or more functions for your business, you are probably wondering just what TPRM is, independent of ERM. Now that you have some idea of what risks are most often associated with third-party engagements, you can start devising a management strategy. Addressing each area of risk is a prime strategy to help you avoid, or at least mitigate, any risk you face when working with third-parties.
TPRM requires you to focus on improved methods of balancing regulatory requirements with the expectations of the organization’s management and board members to measure risk acceptance against the company’s business model.
With that in mind, here are a few key components of TPRM:
Perform a Risk Assessment of the Third-Party
A risk assessment, performed by a trusted auditing firm, is the best way to launch your search and decision-making process for the right third-party engagement that will pose the least chance of encountering unnecessary risk. The core goal of the risk assessment process is to learn whether or not the proposed relationship is consistent with your institution’s overall business strategy.
Vet Third-Party Organizations Carefully
One of the best steps you can take in TPRM comes down to fully vetting and carefully selecting your third-party vendors and associates. Once you have performed a formal risk assessment, you can build on those results and learn a great deal about these companies with robust due diligence. Check the company’s financials, their performance, their reputation, their fit with your institution and any other meaningful and measurable criteria for your organization.
Increasing the Involvement of High-Level Managers
It is important to put high-level management and other leaders on the front line; particularly if they work closely with third-party organizations. These high-profile staff members can form a relationship with the outsourced entity to better understand their risk. At the same time, the manager can help the organization to understand their responsibilities to avoid risk. Additionally, the manager can more readily identify risk, due to sheer familiarity with the account.
Control the Risks You Perceive as Possible, and Prepare for Those You Cannot Imagine
If you have already engaged a third-party organization, and you begin to see the potential for risk in certain areas, it is important to do your best to mitigate your exposure. Under the best of circumstances, you must always stay vigilant, understanding that anything can happen, at any time, in another organization. Your approach to the outsourced arrangement may allow you to prepare for any potential exposures that may arise.
Do You Need Help Developing Managing Third-Party Risk?
Third-party organizations are essential in today’s fast-paced business landscape, particularly in banking and financial institutions. Working with a specialized business to meet your needs, save money and provide invaluable expertise is simply part of modern business. At the same time, you need to protect your institution from the many potential risks that may arise, thanks to a third-party’s lack of alignment with your institution’s goals.
At I.S. Partners, LLC., we’ve seen the sharp rise in third-party engagements over the past several years, and it isn’t slowing down. We help many of our clients gain better insights into protecting themselves from risks associated with working with third-parties. We can help you find the right outsourcing entity to meet your needs, perform the risk assessment and much more.