The Freeman

Risk management in a world in crisis

In times of upheaval and uncertainty, people and organizations need a vision, and a clear value orientation that the organization and its employees can use. They need a clear “sense of belonging” and “sense of direction” so that their actions have meaning and impact.

It is no secret that corporations around the world today struggle to manage their risks. At the center of that struggle are third parties.

Third parties challenge business operations like never before. They can disrupt supply chains stretched around the world; open the door to cybersecurity attacks within your organization; or cause costly compliance failures such as anti-corruption, data breaches, or antitrust violations.

The good news: most organizations can leverage their prior experience with corporate compliance programs into stronger, more comprehensive third-party risk management programs. Management teams can then turn that better risk management capability into a strategic advantage for years to come.

The Changing Nature of Risk

The challenge with third-party risk has several causes: First, businesses today use more third parties than ever before. Even small companies rely on dozens of third parties.

Second, businesses use third parties in more ways, and often in mission-critical ways. For example, a global manufacturing business might use contracted labor at its plants (supply chain risk), overseas agents to drive its international sales (compliance risk), and cloud-based IT services to run R&D, finance, and other functions (cybersecurity risk).

Third, businesses operate at a scale and manner that leaves their operations “tightly coupled,” where a failure in one part of the enterprise can disrupt many other parts. With so little room for error, it becomes more important for all parts of the enterprise to run smoothly at all times.

And fourth, regulators around the world are paying more attention to business conduct since governments and the public are more exposed to the consequences of poor conduct. An environmental disaster might ruin the water supply; a cybersecurity failure could leave millions without access to power or bank accounts. A privacy data breach can expose millions.

The risks themselves — supply chain, cybersecurity, compliance, financial — aren’t new, but their severity and unpredictability are, for all the reasons mentioned above. In such a world, third-party due diligence is no longer enough for success. Rather, companies must use their due diligence capabilities as the foundation for more comprehensive third-party risk management.

That, in turn, allows senior management to make better decisions about achieving business objectives, without worrying that an errant third party might derail your plans.

New Pillars of Risk Management and Response

To achieve strong third-party risk management, a business must be able to do four fundamental tasks:

• Identify risks facing the business.

• Implement controls to keep those risks at suitable levels.

• Monitor the risks to determine when they rise to dangerous levels.

• Respond with appropriate steps when a risk does come to pass.

Working backwards from those four tasks, companies can reverse-engineer the capabilities they’ll need to get those tasks done.

The first capability is risk assessment, so the organization can identify and understand all the third-party risks it faces. Most likely, you’ll need to assemble an in-house risk committee from across the enterprise, to discuss how the business uses and depends on third parties and what might happen if those relationships falter. For example, the risk committee might be led by a company’s chief risk officer or head of internal audit, with representatives from legal, compliance, procurement, IT security, sales, and other important business functions.

Second is an ability to implement policies, procedures, and other controls, to keep the risks you’ve identified at acceptable levels. This might entail policy management tools, to assure that management develops one set of policies that communicate uniform messages across the enterprise. Training, internal reporting hotlines, and due diligence procedures would all be important tools too.

Third is an ability to monitor how third parties interact with your enterprise and behave overall. Monitoring is seldom easy. Risk managers will need to track data across multiple business functions and weave them into a cohesive larger picture that connects back to your risk assessment.

The goals in building a third-party risk management program are always transparency, agility, and responsiveness. Management teams need a clear understanding of the risks their third-party relationships pose, plus an ability to respond quickly (and effectively) when those relationships somehow go awry.

Conclusion

Third-party risk management will be essential for corporate success in years to come. The question is whether organizations will react to third-party risks in a piecemeal fashion as adverse events happen; or manage third-party risks in a more holistic way, with deft and efficient incident response.

A strong compliance program will always be the foundation for third-party risk management — but businesses will need more, too. They’ll need technology that can help with scenario-planning, data analytics, and reporting.

Seizing that opportunity will require leadership, focus, and technology. The payoff, however, will echo from the boardroom to the corporate hallways and to the bottom line!!

I hope this highlight on risk management in unpredictable times is helpful; should you need assistance, let me know; I can connect you to the right people; you can contact me at hjschumacher59@gmail.com
