Organizations responding to cost pressures and increased competition have been going lean for ages. Standardization of processes began in the industrial revolution. The roaring Six Sigma eighties process optimization morphed into “Lean” inspired by the Japanese industrial prowess at eliminating waste from processes. Then technology took a seat at the center table, and automated enterprise management of supply chains and processes brought even more leanness. Disruptive technologies and digital platforms seek to take these efficiencies up another level. Along with process optimization and technology, the smart use of third parties has been critical to making organizations lean and competitive. Third parties bring economies of scale and knowledge that allow organizations to achieve business objectives without having to build expensive capability in-house.

This economic era has been dominated by the gig economy as it applies to freelancers. However, the same principle of extending capabilities by using third-parties is being practiced extensively by companies. Internally the view is that of an “Extended Enterprise,” which includes suppliers, service providers, agent networks, etc. Third-party relationships are valuable, strategically critical, and are a competitive advantage. They take time to build and must be managed and nurtured. They are also a critical source of compliance failures, some so severe as to bring down entire organizations and often enough to dent business performance on an annual or near-future basis. Governments are no longer giving any leeway either, and the process of “Extended Enterprise” is how they view compliance for a single company. You are not only responsible for your own house but also your third-party ecosystem. Compliance actions by the US government are at an all-time high, and the pressure is only going to grow from regulators in every country.

Phases of third-party risk lifecycle management

Organizations now understand that third-party risks are not well understood, and this exposes them to risk. Organizations with the best compliance records have something in common; they take a third-party risk lifecycle approach. A lifecycle approach ensures maximum possible risks are covered. The third-party risk lifecycle has three broad phases: Planning, Onboarding, and Monitoring. While specific activities within each phase can differ based on sector, level of regulation within it, and value chain within which a company operates, the fundamental principles driving each phase usually remain the same.

Planning: Is the third party necessary and why? The calculus is simple. More entities mean more risk. Alignment between business strategy and operations is critical here. What are the company’s growth plans, and how does it seek to achieve that growth? Under this umbrella understanding, then one must have a third-party plan including division by transactional and long-term third parties. Once this is decided, you must qualify third parties based on their ability to execute. Finally, due diligence is done on contenders in this stage, and justification must be internally approved along with a third-party “owner” internally from the business side, above and beyond procurement.

Onboarding: While at the planning stage, you make profiles of the company and shortlist candidates based on capabilities needed and resources available at the onboarding stage that you filter them on compliance and risk. Who has ownership, and are there any red flags there like politically exposed persons? Are they on any watchlists? Do they have the creditworthiness and financial wherewithal to honor their commitments? What is their payment risk according to globally accepted metrics and scores? Companies that pass these checks will then need to be contracted. It is critical that the contract covers payment terms and that contracts are reflective of country and sector benchmarks. It is also important that the person evaluating reports of compliance which are often provided by independent vendors, have the exposure and experience to be able to make the call on if there are any red flags and be able to escalate accordingly.

Governance: Often, there are operational, compliance, and investment costs related to onboarding, so a longer relationship is beneficial for all parties involved as it improves the ROI of the relationship. Thus, monitoring the relationship is not only useful from a risk mitigation perspective but also smart from a business point of view. Monitoring consists of regular meetings to go over compliance checklists, rules of engagement reviews and amendments, incidents and events discussions and compliance training, etc. A lot of companies do not include the digital domain in compliance. This can have serious consequences. Monitoring must extend to enterprise security postures, data sharing, and related providers. A best practice at the governance stage is to guard against your own biases and augment your risk management capabilities with independent auditing. Often companies do not give termination of contracts enough bandwidth. It is important that they do. For audits and for any incidents that require root cause analysis, investigations, regulator, and government scrutiny, termination is important. There should be clearly defined termination steps for third-party that are followed, which should include termination of digital and physical access. These should be fully documented with a clear and detailed explanation of the reasons for termination.

Organizations now understand that third-party risks are not well understood, and this exposes them to risk. Organizations with the best compliance records have something in common; they take a third-party risk lifecycle approach. A lifecycle approach ensures maximum possible risks are covered. The third-party risk lifecycle has three broad phases: Planning, Onboarding, and Monitoring. While specific activities within each phase can differ based on sector, level of regulation within it, and value chain within which a company operates, the fundamental principles driving each phase usually remain the same.

Planning: Is the third party necessary and why? The calculus is simple. More entities mean more risk. Alignment between business strategy and operations is critical here. What are the company’s growth plans, and how does it seek to achieve that growth? Under this umbrella understanding, then one must have a third-party plan including division by transactional and long-term third parties. Once this is decided, you must qualify third parties based on their ability to execute. Finally, due diligence is done on contenders in this stage, and justification must be internally approved along with a third-party “owner” internally from the business side, above and beyond procurement.

Onboarding: While at the planning stage, you make profiles of the company and shortlist candidates based on capabilities needed and resources available at the onboarding stage that you filter them on compliance and risk. Who has ownership, and are there any red flags there like politically exposed persons? Are they on any watchlists? Do they have the creditworthiness and financial wherewithal to honor their commitments? What is their payment risk according to globally accepted metrics and scores? Companies that pass these checks will then need to be contracted. It is critical that the contract covers payment terms and that contracts are reflective of country and sector benchmarks. It is also important that the person evaluating reports of compliance which are often provided by independent vendors, have the exposure and experience to be able to make the call on if there are any red flags and be able to escalate accordingly.

Governance: Often, there are operational, compliance, and investment costs related to onboarding, so a longer relationship is beneficial for all parties involved as it improves the ROI of the relationship. Thus, monitoring the relationship is not only useful from a risk mitigation perspective but also smart from a business point of view. Monitoring consists of regular meetings to go over compliance checklists, rules of engagement reviews and amendments, incidents and events discussions and compliance training, etc. A lot of companies do not include the digital domain in compliance. This can have serious consequences. Monitoring must extend to enterprise security postures, data sharing, and related providers. A best practice at the governance stage is to guard against your own biases and augment your risk management capabilities with independent auditing. Often companies do not give termination of contracts enough bandwidth. It is important that they do. For audits and for any incidents that require root cause analysis, investigations, regulator, and government scrutiny, termination is important. There should be clearly defined termination steps for third-party that are followed, which should include termination of digital and physical access. These should be fully documented with a clear and detailed explanation of the reasons for termination.

Third-party risk lifecycle management works

Third-party lifecycle management is a self-fulfilling approach. The more you do it, the more third parties are aware of your vigilance and respond to it, the more actual risk decreases. We often see that companies following minimal third-party risk compliance because there have been no consequences, and that is what their peers are doing. Compliance is no longer a cost. Doing compliance well is a competitive advantage which tells over the years. Companies need to aspire to be the best in the sector and industry. Compliance with third-party is dramatically increasing, and more and more regulators are coming out with specific regulations for it. Doing it now will give you a head start and a solid foundation in the era of the “Extended Enterprise”.

Responding quickly and comprehensively to any issue being investigated by regulators and government agencies plays a large part in the size of the fine or not getting fined in the first place. A robust third-party risk lifecycle management program ensures that you do exactly that.