Implementing a Third-Party Risk Management Platform: Why So Complicated?

A TPRM platform is critical for today’s businesses. Still, hurdles during implementation can turn into major stumbling blocks. Here’s what to know.

Managing your third-party relationships has never been more important than it is now. With more organizations expanding their vendor databases to address the unsettled global supply chain, the risk of exposure to financial and legal compliance issues and violations is rising.

A third-party risk management (“TPRM”) platform can mitigate that risk — and even prevent issues before they occur. Designed to monitor vendor activity automatically, a robust TPRM platform uses standardized risk-and-review assessment to track compliance. That’s a huge plus for organizations in today’s world where downstream ESG standards are so closely scrutinized.

Selecting and implementing a TPRM platform that is also scalable and adapts to the changing regulatory and risk landscape begins with assessing your company’s vendor universe. Is it consolidated, centralized and risk ranked? If so, you are on the right track. Do you have an established onboarding program for vendors? A pre-built automated processing interface (“API”)? Support from the IT team of your procurement system provider? If the answer to these questions is “yes” as well, then implementing a TPRM platform should be straightforward.

If not, you will likely find the typical hurdles to implementation turn into major stumbling blocks. To help you understand the process, here are three hurdles to anticipate along the way.

Scope: As noted above, getting a handle on the number of vendors and assessing risk by vendor type across your full enterprise is a key starting point. But it is often easier said than done. You may discover, for instance, that individual business units have expanded their vendor rosters hastily in the pandemic or are resistant to an audit due to their own budget or time constraints. There’s also the question of how your organization defines “third party” in the first place. Are you aware of specifically how the Department of Justice/Securities Exchange Commission (“DOJ/SEC”) defines the term?¹

Design: The objective during the design phase is to create a platform that is comprehensive and user-friendly without being too complex. Take a look at the questionnaires you send to your vendors during due diligence: Are they multi-paged, long-winded opuses that take way too long to complete? Or are they standardized and relatively painless? Consider your vendor-vetting process: Does it prioritize your higher-risk third parties, or are you spending time vetting every single vendor with the same due-diligence approach?

Integration: Having a pre-built API may be the single greatest advantage when it comes to implementing a TPRM platform. Why? Because it eliminates the many pitfalls that come with building one yourself. Your procurement system provider, for example, may not prioritize working on the API within your implementation timelines, or have the availability or capacity to do so. Is your provider able to test within your system to accurately replicate the production environment and identify errors?

You should also be prepared for shortcomings with the risk intelligence databases you may integrate into your TPRM platform. For instance, their presentation of monitoring results and new information about a third party may be user-unfriendly, requiring you to spend time hunting through a report update or implementing a work-around to improve the efficiency of the presentation. And be aware that a database provider’s API version/key will evolve, forcing additional development time to upgrade. Finally, the format and categories of the data from providers are constantly changing. Do you have the resources to keep up?

Measure Twice, Cut Once

As supply chain issues continue and companies look to expand their vendor databases, it becomes all the more essential to develop a robust, scalable, adaptable TPRM. Just know it’s wise to proceed with forethought and care before jumping in. With the right approach, you can leap over the hurdles as they come and improve your vendor relationships, compliance and security, and even your competitive standing.

Risk Management

Footnotes:

1: “U.S. Department of Justice Criminal Division: Evaluation of Corporate Compliance Programs (Updated June 2020).” https://www.justice.gov/criminal-fraud/page/file/937501/download

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.

About The Journal

The FTI Journal publication offers deep and engaging insights to contextualize the issues that matter, and explores topics that will impact the risks your business faces and its reputation.