This article, which takes a post-pandemic look at third-party risk management, ties to a recently recorded webinar titled How to Quarantine Your Third-Party Risk. [1] Our two organizations -- World Commerce and Contracting Association (WC&C) and Determine, a Corcentric Company [2] -- broadcast the webinar on April 13, 2020.
Until recently, we thought about risk very differently when it came to contract management and relationships. The Forrester Disaster Recovery Journal [3] Global Business Continuity Preparedness Survey had reported that 71 percent of businesses in 2018 had assumed that their greatest risk was a natural disaster or extreme weather. Only three percent expected an epidemic or pandemic. And we all know how that turned out! The World Health Organization (WHO) declared a global pandemic in March 2019.
During our webinar we suggested that you start by:
- reviewing the issues businesses are experiencing today with third-party risk by defining it as a framework for how people in procurement, project management, and finance must now work together to manage risk;
- demonstrating the very clear benefits of using a collaborative approach in aligning contracts and supplier information on a common platform – with or without the burden of a pandemic; and
- planning your risk management with the optimum framework for risk mitigation and working with an experienced technology partner to quickly protect (quarantine) your third-party risk.
Then, having done that, move forward with a robust growth strategy that centers on how you can assess your current processes and structure an enterprise-wide model to achieve optimal third-party risk management. The strategy works even if your organization is facing dead-stop constraints spawned by the pandemic.
So, how can you identify, manage, and mitigate third-party risk?
First, align contracts and supplier management functions to achieve three main goals:
- achieve business continuity;
- manage cost optimally; and
- manage working capital smartly.
Next, build the framework without overlooking the effects of force majeure
In the rush to identify vulnerabilities in contracts when the pandemic began, many companies reviewed their force majeure clauses [4] to determine how they should be interpreted, depending on region, industry, and client. With third-party risk, however, it becomes important to compare the force majeure clause with the terms in your standard clause library. Force majeure in many ways represents the adversarial issues spawned by the pandemic, but many business managers see the issue as much more about how customers and suppliers work together to minimize risk and disruption.
For the above reasons we need to look at all of the individual contractual provisions and clauses, such as key exclusions. By applying the logic of effective risk management, you can manage third-party risk in a supply chain very efficiently. For example, read through the following Risk Management Framework. It is easy to understand and to use for analyzing risk mitigation. This framework -- identify, evaluate, respond and monitor -- is explained below:
RISK MANAGEMENT FRAMEWORK ANALYSIS
Identify - look outward:
- Establish scope of assessment.
- Understand business objectives including legal, regulatory, and governance aspects.
- Identify risks.
- Describe causes, impacts and existing controls.
Evaluate - use some standard methods to observe the risk:
- Assess the cost impact of the risk and the likelihood that the risk will occur.
- Calculate the financial value of the risk (impact X likelihood [5]).
- Carry out valuation for net (with controls) and target risk exposure (with controls and mitigations).
Respond - observe the controls and mitigations you already have in place:
- Determine if the risk can be better managed.
- Where appropriate, put forward mitigation (with owner and end date).
- Assign Key Risk Indicators (KRIs) for risks and Key Performance Indicators (KPIs) for controls and mitigations.
Monitor - look at overall management and assessment:
- Assign an overall management assessment status.
- Review KRIs, KPIs, losses and “near misses”.
- Track progress of mitigation.
When establishing a framework, remember that the best practice is to align the risk with the department or operation that is most capable of mitigating it. While it is tempting to push all the risk to your third parties, in the long run, that is the absolute worst thing to do. Allocating risk must be done analytically based on where the risk is best distributed. The only way to do that is to take a holistic approach via automation, which connects all of these areas and enables you to identify specific locations, provisions, industry requirements, etc.
Planning for risk in category areas
Scalability [6] in being able to test for security and remote access has accelerated as a risk at warp speed this year, but this often leads to business chaos, especially within Information Technology (IT). So, a better way to move forward is to use the framework above. With it, you can make sure your systems are flexible, and you can determine how easily you can adapt your process to identify, evaluate, respond, and monitor. It is especially crucial to distinguish the category areas that will require greater attention. At Corcentric, the most at-risk category areas experiencing scalability crises due to the pandemic include the following:
- Facility management
- Professional services
- Travel management
- Health care providers
Questions for at-risk categories to consider
- How easily can we provide personal protection equipment (PPE) materials to providers who still need to go to work at remote-from-home facilities?
- What is our contingency planning for granting access to facilities in times of crisis?
- How do we meet the demand for equipment, repairs, and parts that might cost more than our supplies? And how are we managing the logistics of moving these items when complying with more stringent requirements?
- How do we find new ways of screening drivers?
- How do we screen medical and health care providers who may need to go to these facilities? And how do the screening measures we use impact the types of information we need to collect surrounding those providers?
- What is our mitigation plan for those who really need to travel?
- How will we manage the increase when the limitations flatten out?
For all the above category areas, we face a scalability concern -- one that stretches the capability of the providers, especially when the availability of personnel is in question. Clearly, a prevalent pain point has been the limitations to accessing the portfolio of contracts. Automation has been the game changer because it gives access to the portfolio of contracts with complete accessibility and visibility while maintaining security.
Procurement and contract managers need to understand and interpret what the clauses mean as they apply to specific categories such as suppliers and legislative and regulatory doctrines – depending, of course, on the industry they apply to. Category areas throughout all industries must quickly identify the contracts impacted as well as the significance of the contract language.
Unifying a single source of information with data
From these challenges we have learned that it is crucial to unify information (i.e., metadata, master data, and business processes) into a single source of information. You then want to be able to analyze and organize the information so that the organization can make informed decisions about strategic sourcing, contract management, customer relationships, and communications to suppliers.
Third-party providers in technology and digitization go far beyond what the organization itself can manage. They help to maintain flexibility in your supplier and contract management that not only enables you to deliver expected response in the shortest amount of time, but reduces risk over time by maintaining continuity.
Successfully reducing risk really requires implementing processes and automation that can help you achieve specific business processes across the procurement and supply chains. When you have eliminated or lowered the risk, three benefits should emerge:
- a reduction in duplicated effort;
- greater productivity in areas like legal, procurement, finance, and supplier management for both internal stakeholders and third parties; and
- one identifiable source of data that ties processes into sourcing, procurement, and suppliers to simplify the IT requirements.
Your organization’s third-party service strategy should be structured to prepare, mitigate, and manage response. You’ll also want to ensure that key internal and external stakeholders are involved in that process by informing them of changes like newly onboarded suppliers, new catalogs, and new buyers. You will not be able to implement to this extent on your own. However, a third-party platform can produce master data, dashboards, workflow, security, alerts, User Interface (UI) and/or User Experience (UX) [7] design, integration, and audit.
When structuring a single source of data, the Corcentric Platform provides a working example of some elements that you should be aware of:
- Provide a common data model for suppliers and relevant contract information.
- Set up a single repository for third-party data such as a source of truth for all supplier information including bank accounts, location, certifications, and quality performance metrics.
- Create configurable or extensible workflows such as the ability to route third-party requests to the right employees.
- Ensure information requests are event-driven.
- Make sure you validate Supplier Information Management (SIM) and Contract Lifecycle Management (CLM), because counterparty contract creation must be validated against third-party supplier profiles.
- Do not use contracts that lack proper certifications or fully onboarded suppliers.
- Ensure enterprise integration is effective by leveraging a Cloud platform to integrate with other enterprise systems.
Quarantine third-party risk with a secure Cloud platform
Part of risk management is deciding which insurance, operational, or financial risks to mitigate. It is too costly to try to account for everything from the perspective of the organization on its own. Instead, find a third-party provider that effectively becomes the hub for data, stores the right information in the right place, and tracks lifecycle management between suppliers and contractors. When you can gather and store information in the right places, you can quickly make informed decisions about such things as:
- determining the position of suppliers plus the goods and services you expect them to deliver. This includes certifications like Certificate of Insurance, W9 (the U.S. Request for Taxpayer Information) and corrective action plans;
- implementing rules or adding pieces of information about at-risk suppliers;
- obtaining ad hoc certification -- as in the case of COVID-19 -- to decide whether you need to consider additional suppliers or review the contract;
- understanding the lifecycle of the contract, including when (or if) to dispute, when to amend, when to terminate.
Essentially, partnering with an established provider for CLM mitigates risk throughout the life of the contract and not just in times of crisis. For example, the Determine platform offers an obligation within the contract management module that collects information on the contract so you can enable the user to deploy a questionnaire that promotes improved decision making. The key is to collect information in the right place and at the right time and enable access to it from anywhere in the organization.
Risk management is an analysis of the likelihood of an impact and your response to that. To mitigate against all risks is not something you’ll be able to do on your own. Risk management is not only about determining which operational, commercial, and financial risks might threaten the health of the organization, but also about implementing controls to monitor and respond. By starting with the right framework for risk mitigation and partnering with an experienced technology partner, an organization should be able to quarantine its third-party risk and move forward with a robust growth strategy quickly and effectively.
1. How to Quarantine Your Third-Party Risk
2. World Commerce and Contracting Association and Determine
3. Disaster Recovery (DR) Journal – Forrester Surveys.
4. Force majeure contract clauses “free both parties from liability or obligation when an extraordinary event or circumstance beyond the control of the parties, such as a war, strike, riot, crime, epidemic…prevents one or both parties from fulfilling their obligations under the contract.” See Wikipedia
5. Impact X “means that the total amount of risk exposure is the probability of an unfortunate event occurring, multiplied by the potential impact or damage incurred by the event. If you put a dollar value on the impact, then you can value the risk and in a simple way compare one risk factor to another.” Ref. article from CIO US Digital Magazine titled Risk = Likelihood x Impact.
6. Scalability measures a system's ability to increase or decrease in performance and cost when demands made by application and system processing increase or decrease. See also article titled Scalability issues for dummies, Alex Barrera, Wordpress filed under: Business, Technology
7. UI/UX: Ref article Feb 24, 2019, by UX Planet titled, What is UI design? What is UX design? UI vs UX What’s the Difference?
ABOUT THE AUTHOR
Constantine Limberakis is focused on creating brand awareness and promoting new ideas around the digital transformation of business. A thought leader in the area of procurement and supply management, Constantine has been nominated as a SDCE Pros to Know in 2013 and 2015. With close to 20 years of experience, he’s played a variety of strategic roles in management consulting, product marketing, business development and market analyst research. Constantine holds a BA in History from the University of Illinois at Urbana-Champaign, and an MBA in Finance & Marketing / Masters in Public & International Affairs from the University of Pittsburgh.
Determine, a Corcentric company, is a leading global provider of SaaS Source-to-Pay and Enterprise Contract Lifecycle Management (ECLM) solutions. The Determine Cloud Platform provides procurement, legal and finance professionals analytics of their supplier, contract, and financial performance. Our technologies empower customers to drive new revenue, identify savings, improve compliance and mitigate risk.