Risk management continues to dominate business conversations this year – and with good reason. While risk is inherent in business, recent events revealed that many companies lacked the means to adequately manage third-party risk. Despite their digital transformation efforts, many companies still often manage obligations related to contractual, regulatory, financial reporting, and environmental requirements manually. This creates informational silos that make it difficult for organizations to form a complete picture of potential risk and compliance exposures throughout their supply chains. As a result, companies lack the visibility to proactively manage these obligations and end up taking a reactive approach to identifying and addressing third-party risk.
As industry and government regulation increases and pressure mounts to deliver quality goods at a competitive price, companies recognize the need to approach their risk management initiatives differently.
Because risk is present in every business function, organizations need to adopt holistic third-party risk management practices that combine people, processes, and technology to drive truly transformative change.
Establishing a Comprehensive Third-Party Risk Management Program
Risk management is a team sport. Building a comprehensive third-party risk program begins with having the right people at the table, including representatives from finance, procurement, and legal. Working together, these stakeholders can carry out a holistic risk assessment that captures all facets of the business and develops mitigation standards.
Once the assessment is complete, it's vital to develop a detailed master plan that includes all necessary business functions so there is consistency in risk management processes across the organization.
Like most business improvement efforts, senior management support and program leadership – combined with training and education for roles and responsibilities – help ensure success.
But if this past year has taught us anything, it's that even the best plans can fall victim to forces beyond our control. Companies need to be flexible and adapt their third-party compliance programs as needed to meet ever-evolving regulations, market conditions, macro-level supply chain changes, commodity market situations, geopolitical considerations, and multi-layer other-party business relationships.
Proactive Third-Party Risk Management Begins with Contracting
Risk is often introduced into an organization during the contracting process, which makes it the ideal place to start when executing new third-party risk management approaches. Manual contract management processes can't provide companies with the visibility necessary to proactively identify and manage contract risk on an ongoing basis. With pressure to reduce cycle times and quickly address supply chain disruptions, companies can enter into agreements that don't fully account for the business or regulatory environments involved. You may have even encountered some of these common contracting risks in your own organization:
- Fragmented vendor, channel, or customer onboarding processes that hinder compliance with strict "Know Your Customer" and anti-money laundering regulations.
- Siloed information across multiple departments leading to inaccurate risk assessment and risk categorization.
- One-off risk assessments that fail to continuously monitor third parties for performance against contractual obligations, leading to leakage and post-execution noncompliance.
- Limited visibility and insight into obligations, commitments, and renewals, leading to potential penalties for missed deliverables, overlooked discounts and rebates, or unwanted renewals.
Contracts are the foundation of commercial relationships, touching virtually every area of the business, which is why implementing an organization-wide contract lifecycle management (CLM) system can make a company more resilient and risk-tolerant. CLM software, powered by artificial intelligence, can offer stakeholders the necessary insights to identify and mitigate third-party risk during negotiations. And organizations can build rule-based relationships between contracts (e.g., MSA-SOWs) to ensure enforcement of terms and roll-ups of SLAs and financials, as well as see how the performance of a contract may impact other areas of the value chain to drive better alignment of terms.
CLM enables a company to utilize innovative risk management approaches to better score third-party risk and synchronize data sources to drive change throughout the organization. Organizations can combine a CLM system with existing data sources and processes to get smarter about risk management, embedding risk identification, assessment, mitigation, and reporting within the context relevant to the business.
The world looks different today. Companies still face unprecedented risk and market volatility, but they're also more efficient and have a greater awareness of where the gaps are in their business. Forward-thinking organizations know that the key to proactive third-party risk management is adopting an organization-wide, integrated approach.
If you're ready to learn how to risk-proof your business, access our whitepaper, "Managing Risk with Contract Intelligence."
Based in San Francisco, Nathan Dreyfus is a principal in the Business Advisory Services practice. He specializes in contract and licensing compliance services, helping organizations implement, execute and monitor their contract-based relationships. His experience focuses on creating and implementing contract compliance programs. In addition, Dreyfus' experience includes internal audit, Sarbanes-Oxley, business process improvement, system implementation (including ERP systems), segregation of duties analysis, and IT general computer controls, procedures, and policies.
Based in New York, James DePalma is a Senior Manager in the Transformation Advisory Practice. James is a leader of Grant Thornton's Contract Management Offering. He specializes in helping organizations become more efficient across their Sourcing, Contracting, and Procurement Processes.