Organisations are no longer self-contained entities defined by brick-and-mortar walls and traditional employees. The modern organisation is composed of a mixture of third-party relationships that often nest themselves in complexity, such as with deep supply chains. Two decades ago the term "insider" was synonymous with "employee"; now over half of the insiders in many organisations are not employees. They are contractors, consultants, temporary workers, agents, brokers, intermediaries, suppliers, vendors, outsourcers, service providers and more.
The extended enterprise of third-party relationships brings with it a range of risks that the organisation has to be concerned about. Managing third-party risk has risen to become a significant regulatory, contractual, and board-level governance mandate. Organisations need to be fully aware of the risks in third-party relationships and manage them throughout the lifecycle of the relationship, from on-boarding to off-boarding of a third party.
These risks pose significant reputational, financial, and operational concerns. They also pose a growing burden of regulatory concern and oversight (e.g., the UK Modern Slavery Act and the UK Bribery Act).
As organisations confront their growing exposure to third-party risk, they soon realise that the scattered, redundant, ad hoc approaches of the past are not sustainable. Third-party risk can no longer be managed by different departments doing similar things in different ways, often with a mountain of emails, documents, and spreadsheets that are out of date and cost a significant amount of employee time to keep on top of. Managing third-party risk requires a structured and integrated process, supported by an information and technology architecture that can address the full range of third-party risks consistently, without things slipping through the cracks.
An effective third-party risk management process enables the organisation to consistently manage the following lifecycle of third-party relationships:
Managing this lifecycle in documents, spreadsheets, and email makes failure inevitable. It is simply a matter of time before something is missed and slips through the cracks, leaving the organisation exposed. In this context, regulators are requiring structured processes with full audit trails of what was done, by whom, and when, to support third-party risk and compliance management requirements. To facilitate third-party management processes, the organisation should look to agile third-party management solutions that interact efficiently and effectively with the organisation's back-end processes for managing third-party risk, while remaining accessible to the range of third parties that have to respond to requests.