Three pillars of third-party risk management



Third-party risk management (TPRM) is currently managed in a disparate way by many teams across many businesses. This can mean that organizations struggle to understand where risks lie in their third-party networks.

Supplier performance has become much harder to gauge, inflation is harder to contain, and geopolitical disruption harder to predict. As we’ve seen in recent years, challenges can catch everyone unawares.

Businesses are having to be much more cautious in their approaches to third-party risk, moving towards a ‘just-in-case’ model, which anticipates and prepares for disruption. In addition, governments are introducing further regulations in supplier due diligence and environmental and social governance. Compliance teams and those responsible for managing third-party risk are facing increasingly complex demands.

New qualitative research from Moody’s Analytics KYC has focused on this TPRM landscape, looking at the broader context in which firms are undertaking supplier due diligence; how they approach TPRM today; and how risk is measured. The findings are based on in-depth interviews with experts responsible for risk, compliance, procurement, and supply chain management within 41 leading multinational organizations.

The research identified three key pillars of third-party risk management: 




1. Unifying an approach to TPRM

TPRM is currently managed in a disparate way by many teams across businesses. One issue is the sheer number of terms used to describe the same processes. It may be harder to create unity when there are no standard terms and definitions. Knowing how to describe the process - which can be called anything from supplier risk management to vendor risk assessment and integrity checking - is important, as is knowing exactly who is responsible within a business for the processes.

Moody’s research found that where companies have fewer suppliers in their network, the process is likely to be fragmented and often handled locally, with limited professionalism. Often, categories overlap, and different business units need to cover multiple common areas. This can make it difficult to categorize precisely or assign responsibility in a systematic way.

Conversely, those companies that had many thousands of suppliers across more geographies were more likely to centralize management, invest in specific systems, and dedicate professional staff to the process.


[Infographic: Supplier risk management is critical to a business]

The research also showed that legacy supplier management systems are fast becoming outmoded and are not fit for purpose, while the data required for effective third-party due diligence and supplier risk management can be inadequate.

However, opinions show that organizations do understand the importance of TPRM processes and orchestrating them more professionally, which is leading to a desire for increased investment in people, processes, and technology. 




2. Visibility of risk

Firms are struggling to understand where risks lie in their third-party networks, and they don’t necessarily have the visibility into the ownership structure and operations of firms in their supply chains, especially those lower down in a tiered network.

Globalized supply chains have their advantages, but they create an extra layer of complexity for due diligence and logistics. Bringing on a new supplier for instance can be time-consuming, with added factory inspections and the implementation of new systems and monitoring procedures. Understanding exactly where high-risk cases exist enables organizations to make better risk-based decisions. But risk management is hampered when the approach isn’t unified with standard processes, systems, and personnel to tackle it. 




3. Preventing reputational harm

There are many reasons why firms want to unify their approach to TPRM and get greater visibility of risks. It’s the right thing to do - robust risk management helps fight financial and environmental crime. It can help businesses gain competitive advantage, with more resilience in the supply chain. However, ultimately, risk management ladders up to protecting reputation, which can take years to build and a second to destroy.

When things go wrong in a supplier network, they can have far-reaching implications for organizations reputationally and therefore financially. In today’s world, where information is available 24/7, any sort of scandal can damage a brand and severely impact its bottom line. Businesses that unify their approach to TPRM and gain visibility of risk are better placed to mitigate it, and that enables them to protect their organization’s reputation.

For a copy of the research report and all its findings, please visit: www.moodys.com/kyc/tprm




Get in touch with Moody’s

Moody’s Analytics can help organizations with each of the three pillars identified in the research.

Workflow orchestration helps unify supplier due diligence, onboarding and risk monitoring – essential to TPRM.

Process unification and access to company data allow organizations to get greater visibility of risks associated with third parties, both large and small, anywhere in the world. Ultimately, this unification of processes, people, and technology, which creates greater visibility of third-party risk, enables organizations to comply with regulations, set an ESG standard, and protect their reputation.