Transformative Strategies in Third-Party Risk Management

An effective third-party risk management (TPRM) strategy requires compliance professionals to engage with people and processes that are outside of our control . . . and it can be maddening!

In fact, one of the most difficult challenges that compliance professionals face is building a TPRM program. Components of a TPRM program typically include vendor evaluation, risk assessment, due diligence, risk remediation, continuous monitoring, and offboarding processes.

But any effort to evaluate the potential threats introduced by third parties and implement controls to address them is worthwhile. An effective TPRM strategy helps organizations reduce costs associated with data breaches, maintain regulatory compliance, reduce overall risk exposure, and gain visibility into their third-party ecosystem.

And when executed well, an effective TPRM strategy should enable your organization to identify, assess, and mitigate the various risks introduced by their reliance on external third parties. These might include cybersecurity risks (data exposure, cyberattacks), operational risks (business disruptions), compliance risks (regulatory violations), reputational risks, financial risks, and strategic risks.

Two weeks ago, I had the opportunity to sit with Rodney Campbell, Senior Vice President, Head of Third-Party Risk Management at Valley National Bank, to discuss TPRM strategies at Compliance Week National 2024.

We kicked off the conversation with a sobering statistic. Stanford Law School tracks the number of FCPA Matters initiated annually that allege bribery schemes involving third-party intermediaries such as agents, consultants, or contractors. So far in 2024, this number is 100 percent – and that’s not uncommon.

That’s why compliance professionals should consider a four-pronged approach to creating a TPRM program that considers strategy, infrastructure, action and implementation, and the consequences of neglect.

Strategy. According to Campbell, compliance professionals need to develop a strategy that addresses both activity and impact. What activities will you take to achieve maximum impact within your organization? What are you doing, and how does it impact the organization’s bottom line? Have you received stakeholder buy-in? Why does this matter?

“Constant and consistent engagement with your key stakeholders is the best way to hone in on a lasting strategy,” said Campbell. “You cannot act as an adversary to others in your organization. Everyone needs to understand the role they play in your process.”

Looking at your organization’s Environmental, Social, and Governance (ESG) report is an important way to understand your organization’s priorities and future goals. Think about ways to tie your TPRM efforts into the ESG report to show how you can contribute to your organization’s overall objectives – and protect the business in the process.

As compliance professionals, we can’t write rules in a vacuum. We need to understand the systems and processes that other teams are using to get work done. Then, we need to find the least intrusive way to ensure that we are mitigating risk within this infrastructure.

Infrastructure. After you’ve established a strategy for your TPRM program, the next step is to build an infrastructure around that strategy. Think about how you can build out your program in a way that is both sustainable and scalable.

“One of the best pieces of advice I can share is to embrace learning,” said Campbell. “Learn more about all aspects of what you’re trying to do. Get training. Bring all your stakeholders on board.”

But where does learning fall within a TPRM program? Who do you train – employees, vendors?

“Training is fundamental,” said Campbell. “It should be tailored based on roles and responsibilities.” And while this may differ from organization to organization, it is a key to a successful process. Many organizations provide training to employees who interact with third-party vendors to ensure they understand their responsibilities for managing third-party risks. This may include training on identifying red flags, securely sharing information with vendors, and reporting concerns.

Action and Implementation. Then, ready or not, we have to take action. Understanding what your organization can realistically achieve – both from a knowledge-based and a capacity-based perspective – is a key factor here. Show your stakeholders that you’ve truly considered the potential (and potential limitations) of your TPRM program. And then implement your plan:

1. Start by identifying and assessing the potential risks associated with third-party relationships. This includes evaluating the nature of the third-party’s services, the sensitivity of the data they have access to, their geographic location, financial stability, and their security measures.
2. Conduct due diligence on third-party vendors before entering agreements. This may involve reviewing financial statements, conducting background checks, assessing compliance with relevant regulations, and evaluating their security practices.
3. Ensure that contracts with third-party vendors include clear provisions outlining their obligations regarding data protection, security measures, compliance with relevant regulations, and the consequences of non-compliance. Consider including audit rights and requirements for regular reporting.
4. Implement processes for monitoring third-party vendors throughout the relationship. This may involve regular assessments of their security posture, financial health, compliance with contractual obligations, and any changes in their business operations.
5. Finally, develop a robust incident response plan that outlines how your organization will respond in the event of a security breach or other compliance issue involving a third-party vendor. Ensure that all relevant stakeholders are aware of their roles and responsibilities.

By starting with high-risk issues for your organization – country of operation, size of contract, types of goods and materials procured, etc. – you can find a starting point for your program. Tackling the highest risks will help to build credibility and allow scale.

Consequences of Neglect. Neglecting a TPRM strategy can have far-reaching consequences for your organization. Consider the following risks:

• Security Breaches: Neglecting proper risk management can result in security breaches if your vendors’ systems are compromised, potentially exposing your organization’s data or systems to unauthorized access.
• Data Loss or Theft: If a third-party vendor experiences a security breach or mishandles data, your organization’s sensitive information could be compromised, leading to financial loss, reputational damage, and legal consequences.
• Reputational Damage: Customers, partners, and stakeholders may lose trust in your ability to protect their information, leading to a loss of business and damage to your brand.
• Regulatory Compliance Violations: Neglecting third-party risk management can result in violations of regulatory compliance regulations, leading to fines, penalties, and legal action by regulatory authorities.
• Financial Loss: Remediation efforts, legal fees, regulatory fines, and potential lawsuits can all contribute to financial losses for your organization.
• Operational Disruption: A security incident involving a third-party vendor can disrupt your organization's operations, leading to downtime, loss of productivity, and disruption of services to customers or clients.
• Loss of Competitive Advantage: Customers may choose to take their business elsewhere if they perceive your organization as unreliable or insecure.

That’s why it is so important to implement robust risk management practices to mitigate these risks and protect your organization’s interests.

Every employee plays an important role in helping with supply chain management by understanding what global supply chain and vendor compliance is and calling out potential risks. Skillsoft recently introduced a new Global Supply Chain Compliance Solution to address third-party risk management which includes a new high-end video scenario and an updated design treatment.

This is a composite course that is fully configurable with our hide and reorder functionality. So, you can choose which topics are most relevant to your organization as you look to implement your TPRM strategy.

• Human Rights and the Global Supply Chain
• Forced Labor and Modern Slavery
• Excessive Work without Fair Compensation
• Unsafe and Unhealthy Working Conditions
• Best Practices for Addressing Human Rights Compliance

Supply chain and vendor compliance management is critical to your organization’s long-term success because it not only helps to prevent operation interruptions and potential reputation damages, but also helps to achieve your mission and vision by influencing suppliers and vendors to raise their ethics, health, and safety standards.