The dreaded data breach has organizations prioritizing third-party risk management in the procure-to-pay workflow. But when it comes to managing suppliers — and the potential threats they may present to the enterprise — the risks reach far beyond IT-related problems.
The importance of the diversification of third-party risk management efforts became painfully clear amid more than a year of supply chain turmoil. Between shifting business models and an effort to diversify those supply chains, organizations have brought on new third-party partners and recognized that data leaks aren’t the only potential headache.
As Brad Hibbert, chief operating officer and chief strategy officer at Prevalent, recently told PYMNTS, businesses are beginning to understand that their third-party risk management strategies need to take a wider view of their partner ecosystems. That not only means looking at factors beyond the risk of a data breach, but also taking a more continual and proactive stance to addressing various threats before they occur.
When everything from security protocols to late B2B payments can shed light on the risk a vendor poses to a company, it’s vital for professionals to have access to on-demand data even before any contract is signed, he said.
Beyond IT
One of the first missteps a company can make in its procure-to-pay risk management strategy is to lean too heavily on an IT focus.
“Traditionally, many organizations have focused on IT vendors, and as they think about providing access to or outsourcing processing around data, they’ve tended to focus on IT security controls,” said Hibbert. “COVID has really caused organizations to step back and try to take a more holistic approach.”
While data security and privacy are key to a comprehensive risk management program, there are plenty of other factors that shape a risk profile, particularly as organizations are taking a more diligent approach to strategic sourcing. Perhaps a business has key objectives in place for environmental and social governance policy, or supply chain resilience. Choosing suppliers is a process that must include analysis of whether a vendor will support those initiatives or will present a threat to them.
What can make a comprehensive risk management approach more challenging, however, is that businesses also understand that they need to expand their strategies beyond internal departments.
“There are a lot of individual teams that interact with a third party throughout the relationship,” noted Hibbert. “There’s sourcing and procurement, contract management, legal, compliance and security. All of these people touch the vendor in different ways, but they’re only looking at risk from their own, very targeted dimension.”
A more holistic approach, he said, involves cross-department collaboration, so the enterprise can take a unified approach to risk assessments and mitigation efforts.
Not A One-And-Done
Also representing a significant departure from legacy vendor risk management workflows is the need for businesses to adjust the timing of third-party risk assessments.
Historically, a company may have signed a contract with a supplier, sent a questionnaire and assessed its risk profile right at the beginning of the relationship — never to reassess again. Today, it’s vital for firms to take a more proactive stance with risk and assess a vendor before any contract is signed.
What’s more, noted Hibbert, organizations are also now tasked with the continual monitoring of those risks. That includes consistent contact with a vendor, as well as the ability to keep tabs on what’s happening in the market via news stories and other sources. Unfortunately, this is often where many firms can struggle.
“They don’t do the pre-contract diligence, or they’re not doing a post-contract diligence — so they do everything up front, but once the contracts are signed, they’re not monitoring that vendor for ongoing risks,” he explained. “That’s the area that many organizations are missing today.”
Widening the scope of data analyzed — and expanding the frequency of that assessment — is certainly a challenge when companies are used to managing risk data on spreadsheets for hundreds or even thousands of third-party partners and suppliers. But if one of those vendors files for bankruptcy, is making late B2B payments to its own suppliers or has some type of technology in place that has just been revealed to have a security vulnerability, organizations must have insight into those events that change their risk profile.
The old strategies of procure-to-pay risk management no longer suffice, and a one-time data collection effort is far from enough. Businesses need access to data on demand, and as quickly as possible for the most robust approach.
“Taking a more holistic, end-to-end approach to the whole third-party lifecycle is something we’re seeing organizations strive for,” said Hibbert.