Turning on the news isn't much fun these days. Companies are failing, fraud abounds, and data breaches and identity theft are daily news items. Business leaders everywhere are waking up to the importance of sound risk management and good governance. Don't let unexpected bad news about critical third party relationships catch you asleep at the helm.
An excerpt from Supply Excellence (http://www.supplyexcellence.com/blog/) says: "New data from Standard and Poors pegged the corporate bond default rate for January at 4.96% — a 377% increase from year-ago levels. Why should you care? Default rates are a leading indicator for business bankruptcies. The bad news: S&P expects the picture to get much worse. 'We expect the speculative-grade default rate to escalate ... could reach as high as 18.5% [by December 2009] if economic conditions are worse than expected.' Such figures portend far more business and supplier bankruptcies than previously thought."
That means that third party risk management is more important than ever. The findings in the recently published BITS Financial Services Roundtable Vendor Management survey (http://www.bits.org/p_publications.html) highlight the immaturity of third party risk management as a discipline. This presents a challenge when designing a risk governance program, but it also offers freedom for creative and knowledgeable practitioners.
If you consider the lifecycle of any third party relationship, you will note that every relationship starts with an origination phase, moves into a monitoring phase once selection is complete, and eventually ends with a termination phase. While key controls can be put in place to mitigate risk, each phase should be resourced with an appropriate level of effort to adequately identify, assess and manage risk.
What does it take to manage risk at each stage of the lifecycle?
Relevant and timely due diligence is important throughout the origination and monitoring phases of the lifecycle. Due diligence refers to the data gathering and assessment processes that allow you to quantify the level of risk across a range of dimensions.
Due diligence includes analysis of the third party's financial condition, stability, ability to fund operations and long-term viability. It also includes background checks and an analysis of the third party's business, history and key officers, including an assessment of their values, market competitiveness, operations, litigation history, and reputation. In other words, are you entering a relationship with an organization whose values align with your company's values, that has a good reputation, and that is likely to be around for the long term?
If the third party will have access to regulated information such as customer or employee personal data, or to proprietary company information, due diligence will include a detailed assessment of their information security controls, environment, policies and practices. In addition to formal assessments, there are many other forms of due diligence, including reference checks, site visits, demos, a review of relevant processes, policies and key personnel, and monitoring the internet for company news.
For many companies, due diligence is a one-time event. Yet rapid changes in the economy are causing companies to fail at an accelerating rate. Formal assessments should be scheduled, recurring events, with their frequency and intensity increasing with the overall risk level of the relationship. Don't be the last one to find out that an important relationship is over.
According to John McCarthy of Forrester, "Vendor management no longer represents a contracting function in procurement; rather, firms have plans to create full supplier relationship life-cycle governance capabilities" (http://www.forrester.com/Research/Document/Excerpt/0,7211,42546,00.html). In tight economic times, it is tempting to reduce or defer investments in third party management resources.
Progressive companies that understand the value of proactive management have many tools at their disposal to "inspect what you expect". Risk management and governance are equally important in the origination and monitoring phases of the relationship's lifecycle. These tools include reviewing the metrics reported under your Service Level Agreements, detailed invoice reviews and audits, customer satisfaction surveys, the third party's disaster recovery and business continuity plans, insurance certificates that support your contract, sub-contractor controls, any offshoring that has occurred during the period, the key personnel servicing your account, and periodic business reviews or a historical snapshot of performance over a specific period.
During the monitoring phase, it is good practice to reassess the services to ensure they still meet the needs of your business leaders, both now and for the foreseeable future. You should also review the contract from time to time to ensure that its terms are being met by both parties, that service changes have been formally amended into it, and that it hasn't expired.
Planning for eventual termination should begin during the origination phase, but this important aspect of the relationship often receives little attention. It isn't too late to start planning, particularly if the third party is providing "mission critical" services.
All of this sounds so simple and logical, so why isn't it happening? Most companies are only now waking up to third party risk management as nasty surprises - company failures, fraud and data breaches - become daily headline news.
Important relationships that fall apart will leave companies with unexpected, unmanaged risk.
Don't be the last to know.
Linda Tuck Chapman is Managing Director, Ontala Performance Solutions Ltd. (www.ontalasolutions.com). She can be reached at ontala@rogers.com.