When building the foundations of a formal third-party risk management program, it’s critical to factor in the needs of your clients—both internal and external. Here’s how you can deliver against their expectations.
A restaurateur friend recently told me that nine out of 10 customers pick his catering services over other catering companies because he sources organic foods from responsible farmers. This healthier approach appeals to his customers, who are more conscious of their well-being. And just like in the restaurant business, as a third-party risk management (TPRM) program manager, you have clients who are looking for reassurance and “healthy” business practices.
Those clients could be internal (other departments or stakeholders) or external (other organizations who want to do business with your organization).
A formal TPRM program can be that peace of mind that your internal and external clients are looking for. Of course, these programs don’t happen overnight—it often takes years to reach full program maturity. It takes even longer to turn the TPRM/assurance practice in your organization into a market differentiator. But having your VRM program both protect your organization and help bring new business to your company is the ultimate goal of TPRM.
Six steps toward a market-differentiated TPRM program
As the TPRM program manager, what steps are needed to make this happen? Sure, implementing standard product management tools is a good start, seeing as your TPRM program is just a complex product that helps operate your business in a more secure way. But if you really want to build a market-differentiating TPRM program, there are a few things you should start working on today:
- Get stakeholder buy-in early. Identify critical stakeholders and enlist them to support the ongoing success of the program. Find the business leaders who can champion adoption. You need to increase awareness and integrate TPRM practices into day-to-day processes. Board-level involvement is essential for stakeholder buy-in. According to a report by EY, third-party risks aren’t yet making it onto board agendas in most organizations, but this is a trend that is set to change.
- Plan for the future. Create a three-year roadmap for your program based on input from management and program stakeholders; review your roadmap every 12 months.
- Create SMART goals. You need specific, measurable, achievable, realistic, and time-bound (SMART) goals that support the roadmap (e.g., building out your stakeholder group and minimizing risk by reconciling service providers into a smaller group), along with quantitative measures to evaluate program success. Review these goals every six months and revise accordingly.
- Share your plans and progress. Partner with internal marketing and communications teams to communicate the business value of your program. Internal clients will become aware of your value-add risk assessment service, which helps the organization make better, less-risky purchasing decisions. Potential or existing clients will see that they’re served in a safe and secure manner, and this will reinforce the integrity of your organization.
- Use feedback for continuous improvement. Provide a channel such as a dedicated mailbox or email address for clients to provide feedback on your program performance or additional requests to support the business needs of your stakeholders.
- Become the TPRM expert. Be the organization’s change agent by bringing industry insights to your internal business clients to help them make better decisions. Provide ongoing engagement, discussion, and training on TPRM to create a risk-aware culture within your organization.
These are substantial tasks. Each item on this list requires a strong, ongoing commitment to succeed. This is why automating the daily risk management tasks such as assessments, issue management, and risk reviews is critical: it frees up your time so you can focus on maturing and formalizing your program.
Finding the right balance between automation and organizational change management (transforming your risk culture) is the foundation of a successful VRM program. Once you achieve this, you can add a comprehensive section in your RFPs that highlights your TPRM program activities and risk management practices. Now you’ve got the Holy Grail: a VRM program that protects your organization and helps bring new business.