Author: Rob Brickman
My inbox is always jammed with white papers and invitations to webinars and conferences on the latest technology, security threat or imminent global crisis. Each one calls out new winds of transformational change that are swirling around our organizations. Each implores us to take urgent, immediate action or suffer disastrous consequences (like lost competitive advantage or foregone opportunities).
Purged of hyperbole, this much is true; cloud technologies, pervasive data, machine learning and cognitive computing, like many previous waves of innovation, have the potential to profoundly change our business models, reduce operational costs and enhance productivity. But they do so with hidden risks.
It’s All About Trust and Hidden Risks
Rachel Botsman, author of “Who Can You Trust?” has wisely pointed out that “the currency of the new economy is trust. Money is the currency of transactions. Trust is the currency of interactions.” In the fervor to create value from the new economy, organizations often miss three critical, trust-related considerations:
- Most new business models force us to rely on third parties, including some which are untested in supporting enterprise-level needs.
- Reposing trust in third parties can come with unknown and unquantified operational, financial, regulatory and compliance risks.
- Studies of outsourced relationships show that most organizations do not manage third party contracts and their attendant risks effectively enough.
For most organizations, relying on third parties is nothing new. For decades, companies have entrusted others to manage onshore and offshore logistics, professional and engineering services, IT infrastructure, customer support and dozens of other key business functions. Over the past decade, new pressures to reduce cost and enhance quality and consistency have incented buyers to shift to third-party solutions that use “as-a-service” models, AI, robotic process automation and machine learning.
New Technologies, Old Threats
Significantly, the third-party operational issues that buyers struggle with have remained remarkably consistent over time. I recently did a social media scan of buyer issues, and many of the challenges were identical to ones I first saw over a decade ago. Some of these might be familiar to your organization:
- “We have challenges coping with a multi-vendor environment”
- “Our SaaS provider has no support organization. It took six emails and three submissions through their service management tool to fix an SLA miss.”
- “Our provider doesn’t make exceptions and wouldn’t do a customized [Service Organization Control] report, which leaves us exposed on new filing requirements from our regulator”
- “Our working relationship was fine when they wanted the deal, but now it’s toxic”
- “The vendor has missed the past two monthly operational reviews and there are errors in its reporting on SLOs, SLA’s and KPIs. We’re fed up but it would take six months to transition to another vendor”
- “Our vendor doesn’t adapt well to our changes in strategy”
Four Basic Questions – A Foundation for Effective Third-Party Management
So how do we anticipate and mitigate third-party risk? Whether you rely on third parties for traditionally outsourced functions or in support of transformational business models using new technologies, start by asking four basic questions:
- How well do we monitor our providers’ performance and delivery of services?
- How well are our providers complying with the contract and managing change?
- Are we realizing the benefits we envisioned and are we aware of all material risks?
- How committed and aligned are providers to our organization’s evolving needs, values and goals?
These basic questions are a solid foundation from which to assess the maturity of your third-party risk management. A fully mature organization typically builds a structured, effective and adaptable third-party risk framework consisting of business processes, policies, plans and controls. Properly designed and implemented, a risk framework will:
- Reduce enterprise risk
- Drive greater operational effectiveness
- Lower the costs of services provided and;
- Increase the providers’ innovation, responsiveness, transparency and commitment to your organization’s success.
How Can TPG help?
TPG offers unique insight, experience and value in helping clients manage third-party risk. We start with rapid assessments of process maturity in managing third-parties, and then address gaps and formulate policies that protect the business. We bring our structured framework for managing third-party operational risk, including over 40 pre-defined processes, policies and plans that should be in place for effective oversight. If you’re struggling with third-party relationships, please get in touch with me at firstname.lastname@example.org