Over the past few weeks, I’ve been working with a client to build a creative solution to identify and mitigate risk arising from engaging with third parties (suppliers, business partners etc.).
As part of that work, my team and I were asked to conduct ‘scenario testing’ of the third party risk management framework using real life case studies of risk events which had appeared in the news over the past few years.
This turned out to be a truly invaluable exercise:
Together, we realised that even with robust risk assessments, identification, remediations, processes and controls in place – organisations were still being hit by third party risk events – whether it was from individual bad actors, technical failures or plain old oversights by the third party.
We concluded that whilst robust third party risk management is essential to reduce the nature and extent of these exposures, it seemed inevitable that at some point in the future a third party risk event would impact the business which no control or system (no matter how good) could prevent.
Being unsatisfied with that as an answer, we set about to try and figure out a way in which we could prevent the inevitable.
Why third party risk processes and controls aren’t enough
Unfortunately for us, an HBR article (penned by none other than Condoleezza Rice and Amy Zegart) on political risk had concluded much the same: you can’t foresee every risk event and you can’t always prevent exposure.
But Rice and Zegart did offer some hope, presenting a framework to increase the effectiveness of risk identification activities. In many ways their proposal is similar to the operation of good third party risk processes and controls, which ask challenging questions, produce consistent, risk-appetite-aligned responses and leverage real time data and leading indicators to conduct on-going risk monitoring.
But whilst these are essential, they only go so far – and aren’t always enough to sniff out and address the subtle nuances of in-life delivery risk. For example, how might a change to third party leadership or the introduction of a mobile-app (to replace a paper based process) affect the organisation’s risk profile?
To solve that problem (and as Rice and Zegart point out), we should take a leaf out of Lego’s book.
Lego’s building blocks
I thoroughly recommend a detailed read of the Lego Enterprise Risk Management (ERM) case study. Whilst it focuses on ERM, as opposed to just E-ERM (Extended Enterprise Risk Management, or ‘TPRM’, Third Party Risk Management), there are a number of interesting and thought-provoking ideas in the thinking of Hans Læssø (Lego’s Director & Senior Manager of Strategic Risk Management).
Whilst the original article is worth a read, my take-aways from a third party risk perspective include the following imperatives for those seeking to revolutionise their risk practices:
- Collaborate with stakeholders (customers, third parties, sub-contractors, regulators and internal users etc.) to co-create the risk log and mitigating strategies.
- Expand ‘risk saliency’, so that functional groups (such as legal, tech risk, finance) consider risks and issues ‘in the round’ and not just within their immediate silos.
- Where possible, make risk ‘business-led’ through demonstrating linkage to value, as opposed to compliance overhead.
- Leverage data and model-based insights – whilst Hans talks about applying Monte Carlo simulations, we should be talking about risk sensing and real time application of risk indices to inform third party risk conversations.
- Quantify exposure through a meaningful metric. At Lego, Hans uses the principle of ‘net earnings at risk’ to provide a tangible foundation for the business to quantify risk and evaluate its decision making. A similar approach could be valuable, perhaps using (i) share price (a particularly insightful metric given its sensitivity to reputational risk events), (ii) contract value, whereby contract owners can compare the size of their exposure relative to the size of spend (hopefully it’s less than 100%), or (iii) minutes of operational outage (i.e. if the third party fails, for how long could the business be ‘down’?).
All of Hans’ ideas sit within a broader framework of accountability, monitoring, training and reporting, but the real conclusion for me is that he has moved the risk conversation far away from second line policy and framework, and right into the hearts and minds of those in the operation.
By making third party risk ‘real’ for those at the coal face (who have the best access to risk indicators and the best understanding of the services / products and their associated risks) we can increase our ability to identify third party risk events before they occur.
Responding to the unknown inevitable
For most organisations, it’s probably fair to say that at some point in the near or distant future, they will experience a third party risk event – directly or indirectly. To this extent we can say that third party risk management frameworks must be able to ‘respond to the inevitable’.
Rice and Zegart provide another useful example of Royal Caribbean’s response to a risk which was unknown (in its timing and scale), but also inevitable.
In short, Royal Caribbean got slated in the press because their ship docked in Haiti (off-loading a few hundred rum-sipping tourists) just after the earthquake which left 200,000 people dead and countless more homeless.
Whilst the ‘third party failure’ here was Mother Nature herself, we can still draw many parallels from Royal Caribbean’s successful response to this unknown, but inevitable risk event.
For relevance, I’ve converted Royal Caribbean’s response into a ‘generic’ activity that could apply to any risk event – and highlighted what an organisation would need to have ‘ready to go’ to execute on that activity.
| What did Royal Caribbean do? | Generic activity | What you need to have ‘ready to go’ |
| --- | --- | --- |
| Acutely aware of their obligations and contractual and social responsibilities, and able to make a timely decision to dock in Haiti. | Quickly understand who has what accountabilities, obligations and responsibilities under the contract to inform the nature of any public response. | |
| Leveraged plans for responding to similar risk events and applied them to an unforeseen event, mobilising key areas of its infrastructure. | Quickly understand if this issue was being tracked (i.e. is it a black swan event, or is this a common failure?) and what thinking has been done to date. | |
| Quickly settled on a clear plan forwards and issued communications to internal and external stakeholders, including a consistent PR approach. | Help stakeholders understand what to do next and demonstrate (rather than just describe) the efforts being taken throughout the event towards resolution. | |
| Engaged with key political and humanitarian organisations to help the relief effort. | Demonstrate that resolution of the risk event (as opposed to blame) is the priority and how the organisation is taking charge of the issue, through co-ordination and resource allocation. | |
| Leveraged its network of relationships and community roots to deliver a compelling counter-narrative. | Have ‘external stakeholders’ speak up on the issue, explicitly or implicitly defending the organisation’s approach or response to the risk event. | |
| Donated to charities, established local infrastructure and built further partnerships. | Demonstrate proactive support of the ‘clean-up’ and restitution process. | |
As a result of Royal Caribbean’s activities, the negative news stories fell silent (google it for yourself and see how many articles have been deleted), and the company avoided a PR nightmare and the potential customer backlash.
In many ways, Royal Caribbean was able to improve its reputation through demonstrating competent, yet compassionate management of a risk event and strengthen its social license.
Some of this thinking can be easily dismissed as a theoretical nicety, used by organisations which have the luxury of time. But I fundamentally disagree: there are some basic learnings from these examples that we can challenge ourselves with.
Let’s imagine that the supplier which provides the platform-as-a-service infrastructure supporting our business’ mobile payments application fails, meaning our business can’t take payments and we can’t serve our customers.
Learning from the examples of Lego and Royal Caribbean, what might we want to be able to show our stakeholders (the market, our customers, internal users and others) about how we are trying to identify and respond to risk events? Based on current resources, are we able to do that?
Third party risk isn’t just about dashboards, processes and controls. It is about making sure all parts of our organisations have the incentives, tools and ability to identify risk events before they occur, and to deliver a meaningful response and remediation to stakeholders that goes beyond an apology and a cheque in the post.
Read more at www.sykessays.com