“Efficient, effective, risk-centric, and risk-adjusted third party lifecycle and risk management is a new and distinct way of doing business. How your company approaches any major change like this one is up to senior leadership.” (p. 162)
Third Party Risk Management: Driving Enterprise Value by Linda Tuck Chapman (The Risk Management Association, 2018) tackles one of the topics that procurement organizations discuss most – how to prepare for, handle, and mitigate the risks that result from our company working with third parties. Although it is not declared on the cover, the book is largely focused on the financial services industry. That said, the vast majority of the information will apply to your company regardless of industry or sector.
Before I move to the generalist points in the book, it is interesting to note the impact that regulation has on the financial services industry’s approach to risk management. In theory, regulation and oversight should reduce the levels of risk, but anyone who has ever had to satisfy the public sector knows that theory and good intent do not always deliver in practice. I love the following quote pulled from the chapter on Building a Strong Risk Culture: “Regulations are intended to ensure that all financial institutions are strong through every cycle, continuously operating in a manner that is consistent with the principles of safety and soundness. To achieve this, the regulatory burden is a heavy and expensive one, fed by a vast network of interconnected financial services regulations in force today.” Indeed. And as procurement professionals, we know that the weight and cost of that burden either has to be handled by reducing other operating costs or increasing prices, neither of which is ideal for competitive advantage.
On to the more general take-aways…
The lesson of intent v. outcome from financial services industry regulation is one that we can all learn more from. When approaching risk, we must think about what is the same and what is not. For instance: established compliance frameworks do not necessarily indicate that a company has a “risk culture” (or create one). In the same way, governance and compliance do not necessarily ensure accountability. Don’t miss the “Three Lines of Defense” framework on page 15. It covers internal and external risk, organizational oversight, and the role of senior management and the Board.
Each chapter includes case studies and sections dedicated to “What You Need to Know” or “What Your Institution Should Do”. This book and its author are clearly emphasizing action in the face of uncertainty. Despite the complexity associated with enterprise risk, sometimes the simplest action will have the most significant impact. For instance, Chapman points out that “Surprisingly, not everyone checks [supplier] references before making an award.” (p. 37) Gulp. Guilty as charged on that one. This serves as a great example that before we push for complex strategies, we should make sure we are fulfilling all of our straightforward responsibilities.
The absolute highlight of the book is the case study titled “Larry’s Laptop”. Anyone in procurement who has ever worked with a small supplier has met a ‘Larry’ and probably dealt with the implications of his laptop, too. The basic story is this: A large company is talking to a small one that is skilled and capable of meeting their business needs. The large company asks, ‘Where will our data live?’ to which the small company answers, ‘On Larry’s laptop.’ Given the context of risk management, this is clearly not sufficient. The question is when in the sourcing or contracting process the large company discovered that they had a third party risk program – before the alternatives were dismissed or after?
Risk is such a complex and high-priority business topic. We often make the mistake of thinking that our plans and responses have to be equally large and complex. As Tuck Chapman points out, there is a place for strategic pragmatism: starting small in the face of even the biggest risk.