Third-Party Risk Management: Insights and Strategies

In today's interconnected business landscape, managing third-party risks has become crucial for organizations of all sizes, particularly for mid-size companies balancing growth with resource constraints. We spoke with Tatyana Kalita, Senior Risk Management Consultant at Coreio, to discuss the intricacies of Third-Party Risk Management (TPRM) and share valuable insights for safeguarding your organization.

With over two decades of experience across Europe and North America, Tatyana specializes in designing and delivering efficient, practical risk management solutions for various industries. In this interview, she addresses key challenges faced by mid-size organizations and offers actionable strategies for effective third-party risk management.

Q1: What is Third-Party Risk Management (TPRM), and why is it crucial for modern organizations?

Tatyana: In today’s highly interconnected business environment, organizations rely on a myriad of third parties to deliver services, manage operations, and support innovation. While these relationships drive efficiency and growth, they also introduce significant risks that can impact operational continuity, financial stability, and reputation.

In the risk management discipline, Third-Party Risk Management, or TPRM, is the systematic process of identifying, assessing, and mitigating risks that arise from external vendors, contractors, and partners. Translated into layman’s terms this simply means that an organization should know what third parties they have, what services they provide, how important these services for the organization and how the organization would be impacted, should something go wrong with these third parties.

For example, a 2023 study by Boston Consulting Group and MIT Sloan Management Review found that third-party AI tools are responsible for over 55% of AI-related failures in organizations. This statistic highlights the importance of managing third-party risks effectively, especially for mid-size companies that may not have the same risk absorption capacity as larger enterprises.

Q2: What are the common challenges organizations face when implementing TPRM?

Tatyana: Implementing TPRM comes with several challenges. The primary hurdle is often the lack of visibility into all third-party relationships, especially as organizations grow and their vendor networks expand. This can make it difficult to maintain a comprehensive view of all the risks associated with each partner.

Other common challenges include:

• Resource constraints: Comprehensive risk assessments and ongoing monitoring require significant time and expertise.
• Regulatory complexity: As guidelines and standards evolve, organizations must continuously adapt to stay compliant.
• Integration issues: Incorporating TPRM processes into existing risk management and IT systems can be complex and resource-intensive.

What’s particularly challenging is when organizations face multiple obstacles at once, causing them to feel overwhelmed and unsure of where to start. This often leads to delays, which can snowball into even bigger issues down the road.

Q3: How to overcome these challenges and avoid implementation delays?

Tatyana: When facing multiple challenges, the key to overcoming delays is to start with a clear understanding of what an organization wants to achieve in the end. Does the company want to:

• comply with the bare minimum regulatory expectations and have a high-level understanding of the key third-party risks that the organization faces;
• develop a well-documented process to really understand risk exposures that come from third parties, be able to develop mitigation strategies for various flavours of third-party risks and continuously monitor the company’s risk exposure; or
• become a trailblazer in the third party risk management discipline.

In most of the cases, medium-sized organizations want to focus on two very practical things: be compliant with the minimum regulatory requirements and at the same time understand what their most significant risk exposures are. This approach is largely impacted by multiple examples of third-party breaches that have eroded bottom lines and reputations of serviced organizations.

Once the practical goal is set, it should be broken into manageable milestones supported by realistic timelines. By focusing on incremental progress, organizations can prevent overwhelm and ensure steady progress. Utilizing tools and automation where possible can reduce manual efforts and free up resources for more strategic activities.

Additionally, building cross-functional teams and maintaining regular communication can help ensure that the workload is shared and progress remains on track. Achieving small wins and adhering to a structured roadmap helps build momentum, allowing teams to avoid delays and keep moving forward.

Here is an actionable approach:

• Adopt a phased risk-based approach: break the TPRM implementation into manageable steps. This prevents overwhelm and ensures steady progress.
  • Focus on high-priority areas first;
  • Take a pragmatic approach to delivery of the third-party risk management process, e.g., short-term we need to develop tiers of suppliers and assess all high priority technology-related suppliers.
• Implementation resources: agree whether the third-party risk management framework, process, tools design and implementation will be performed by using existing staff, utilizing external support, e.g., a consultancy, or the combination of both.
• Develop a clear roadmap: create a structured plan with short, medium, and long-term goals. This helps maintain focus and demonstrate progress.
• Leverage technology: Utilize automation and risk management tools to streamline efforts and reduce manual workload.
• Build cross-functional teams: share responsibilities across departments to distribute the workload and ensure diverse perspectives. When utilizing consultants, include them into your teams to ensure faster adoption of the third-party risk management process
• Regular communication: Maintain transparency by frequently updating stakeholders on progress and challenges.
• Start small and scale: Begin with pilot projects or focus on critical vendors. Use lessons learned to refine processes before full-scale implementation.

By following these steps, mid-size organizations can make steady progress in their TPRM implementation, even with limited resources.

One last thing I want to mention – this actionable approach should be underlined by the “fit-for-purpose” mind set, meaning that the third-party risk management process should be commensurable to the size of the organization instead of blindly following the best industry practices.

Q4: Can you share a customer story where this approach was successful?

Tatyana: Certainly. In April 2023, OSFI (Office of the Superintendent of Financial Institutions) in Canada released revised Guideline B-10: Third-Party Risk Management, which significantly enhanced and increased regulatory expectations for managing third-party supplier arrangements.

One of our clients in the financial industry faced tremendous pressure to meet these new compliance requirements. We implemented a 4-step approach to address their third-party risk:

• Data gathering & current state assessment: we began by collecting all relevant data on their third-party relationships, including contracts, performance reviews, and compliance status. This comprehensive assessment helped us identify gaps and areas of concern in their current third-party risk management practices.
• Third-party risk framework, process and tools development: : based on the data gathered, we developed a third-party risk management process, process and tools... This process outlined clear steps for monitoring, assessing, and mitigating risks associated with critical vendors and partners. Then we developed an implementation plan that prioritized the highest-risk areas.
• Pilot and lessons learned: we selected one critical business unit and completed third-party risk assessments for all their key suppliers. Enhancements from this pilot were embedded into the original process and tools.
• Knowledge transfer: Once the third-party risk management process and tools were finalized, we ensured that the client’s staff was trained on the process and could maintain it moving forward.

This approach allowed the client to:

• Meet compliance deadlines
• Strengthen overall risk management capabilities
• Gain clearer visibility into vendor risks
• Establish a framework for continuous monitoring and improvement

The key to success was breaking down the complex task into manageable steps and focusing on critical areas first, which is particularly effective for mid-size organizations with limited resources.

Conclusion: A Comprehensive TPRM Framework

An effective third-party risk management framework ensures continuous risk management and performance monitoring throughout the entire vendor relationship lifecycle. Here's a streamlined approach:

• Planning & risk tiering: analyzing business needs, defining the engagement profile, and determining the inherent risk and criticality of potential third parties.
• Due diligence & selection: conducting risk assessments of proponents, performing due diligence, completing risk evaluations, and establishing controls.
• Contracting: negotiating contractual controls, determining residual risks, identifying concentration risk exposure, and completing contract signing and onboarding.
• Ongoing monitoring & management: managing third-party performance, monitoring controls, leveraging market intelligence, and offboarding third parties when necessary.

By adopting this structured yet flexible approach, mid-size organizations can effectively manage third-party risks, maintain compliance, and ensure long-term operational resilience without overwhelming their resources. Remember, the key is to start with critical vendors, learn from the process, and expand your TPRM program as your organization grows. 

Ready to Strengthen Your Third-Party Risk Management?
Navigating third-party risks doesn’t have to be overwhelming. Whether you're building your TPRM framework from scratch or refining your existing process, Coreio can help.

Let’s discuss how we can tailor a solution for your organization.