27 August 2019 by Jake Holloway
What are some of the challenges for assurance, procurement and risk managers, and what role does technology play?
Businesses need to manage many risks, with their impact and complexity growing and placing a greater burden on organisations all the time. Some risks are simply a factor of doing business – if a company wants to grow or enter new markets then it takes calculated risks on what the outcomes might be. If it wants to change its products or services, it will undertake extensive research to inform those decisions, thus minimising risk and assessing the investment levels required.
Financial risks and the regulated risks that have a direct impact on whether an organisation can trade, and its subsequent trading performance, are probably the most closely and regularly monitored. IT is another great example, where companies will have teams focussed on ensuring that the risks of a data breach or cyber-attack are mitigated, and that downtime for any other reasons that might impact trading are minimised.
It has become increasingly popular for organisations to use third parties as part of their business model, whether as part of the extended supply chain, bringing in expertise not available in the business, out-sourcing business processes, or supporting an internal function such as finance or IT.
When taking on any third party in this way, organisations often require the service provider to provide assurance that it has sufficient controls to manage financial, operational and regulatory risk that relate to their specialism and the service they will provide. In its broadest terms, an organisation wants to be sure a future supplier:
• is who it claims to be
• is experienced at delivering the services it claims
• will not embarrass or place at risk the reputation of the company
• is financially stable
• is qualified and accredited as required
• is fully compliant with the relevant regulations in all countries of operation.
Companies will, or at least should, look at all of these areas as part of the supplier selection and onboarding process, in what we would call pre-contractual risk assessments and evidence gathering. Making sure that all the paperwork and checks with regulators point to them meeting all criteria. Once fully onboard, that supplier will be regarded to have provided Third-Party Assurance (3PA) and be ready to supply its services to the company.
Supplier management processes are something that every company should have in place to monitor the performance of all third parties recruited to perform functions on behalf of companies. This should be a cyclical process that aims for continuous improvements and minimised risks. 3PA issues should be part of this process but aren’t always.
Each of the four main categories of 3PA risk – Financial and Regulatory; Compliance; Corporate Social Responsibility (CSR) and Technology and Data – should all be represented as part of the supplier management process and therefore regularly assessed.
The reality is that we know this does not happen and there are always gaps in how companies assess their 3PA. Take for example the Modern Slavery Act which requires companies with revenue of over £36 million to produce a Slavery and Human Trafficking statement, indicating the steps they are taking to prevent modern slavery abuses in supply chains and operations. All companies should have published their first statement by 30th September 2017, and although an estimated 8,000 of the 9,000-11,000 required to comply have published statements, only 2% meet the minimum statutory requirements laid out in the Act.
It’s a complex area, and there are over 15 general areas of 3PA risk that fit under each of the categories outlined above, and that is before you dig down into individual pieces of legislation, or special requirements for specific vertical markets. The reality is that there is an almost unlimited amount of 3PA that an organisation could conduct on its suppliers, third parties and supply chains. It could be very expensive to be ‘perfect’ so companies need to be smart about focussing on the areas where risks are highest.
Another aspect that makes 3PA so complicated is that each area of risk may need to be measured at different frequencies and falls under the responsibility and expertise of different departments within the company. How do you manage that efficiently, securely, and gain a single view of an individual supplier’s risk assurance?
Moreover, understanding the risk level of individual suppliers is only useful up to a point. A company needs to be able to prioritise 3PA risks, and you can only assess that with a company-wide view of those risks, and the potential impact they could have on the business.
It’s a phrase that can strike fear into the hearts of everyone involved, but the reality of modern business is that ‘continuous risk assessment’ is necessary. Large companies are increasingly under scrutiny by internal audit committees, boards, and regulators. Existing assurance processes for managing risks are often outdated, insecure, and struggle to deal with the large numbers of third parties that need to be assessed. The fallout from a company not keeping a constant grip on its regulatory risks, as well as other risks, is just too great and could result in lost contracts, legal battles, loss of reputation, or even the loss of the right to trade in a heavily regulated sector.
Ultimately, companies need a more holistic and continuous view of the risks they are exposed to through third party relationships, managing them in a proactive way that reassesses risk at regular intervals.
Technology can play a key role in giving risk and compliance professionals the control and visibility they need across the organisation, moving risk compliance from a siloed and reactive activity, to a connected, proactive process that delivers a complete view of a company’s third party risks. A radar view can highlight underperforming suppliers, regulatory risks and drive business improvements, whilst lowering the costs of risk assurance, and storing confidential information securely.
There are four key areas where technology can help address the challenges of 3PA risks. The first is consistency. It is difficult to ensure all suppliers are assessed with the latest question set appropriate to their level of risk, and overstretched assurance departments also make more mistakes. Using technology automation does not just manage the process of gathering data in a consistent way, but also provides consistent scoring of the responses from each supplier. In the case of onboarding new suppliers this can give assessors an instant guide to their risk level, speeding up approvals.
The next is scaling up. Assessing thousands of suppliers the old way over the phone, via email, or even paper forms, is expensive and difficult. It can mean pressure on teams and possibly to many third parties going unassessed, because they simply fall through the cracks. Using technology allows teams to focus on the high-value task of managing assessments and risk, rather than the expensive task of collecting data.
Thirdly, is improved security. Risk assessments can contain highly sensitive information and attachments, and paper or email-based systems are both insecure and hard to audit, allowing information to be easily changed and shared outside of the intended recipient. A good technology platform will be secure and encrypted, giving only approved users access to data and assessments, as well as ensuring any interaction with data is controlled and auditable. This is particularly important, given the rise in the importance of good data security under GDPR, where failings can lead to significant fines.
Finally, the last key area is reporting. Accessing data on suppliers is difficult when everything is contained in scanned documents, PDFs, and has several versions passed around or kept in separate files and folders. This is the typical picture of compliance and third-party data across organisations.
By using a technology platform to manage compliance and risk assessment, the data is brought together in a consistent and secure format that can then be viewed giving an instant picture of a business’s compliance status, allowing for effective supply chain assurance, KPI reporting and metrics in a few mouse clicks, that represents the real world and can be used to make informed risk management decisions.
Technology needs to be at the centre of managing third party risk. The first step as risk and compliance professionals is acknowledging the risks our own departments and outdated processes pose to our businesses, as we struggle to cope with greater regulation and more complicated structures.
Accepting this reality, and placing technology at the heart of third party risk assurance means you can focus on the bigger picture by using that risk radar to manage risk across your business, rather than fighting to stay on top of understanding those risks in the first place.