Third Party Risk Management – What’s it Costing Your Business?
We recently had the honor of being the only non-attorneys presenting to a room full of attorneys during one of their in-house CLE sessions entitled “Covering Your Assets – Risk Management for Lawyers”. The presentation addressed what was referred to as the biggest concern of today’s CEOs - outcomes deviating from those outcomes that are expected. Our co-presenters also talked to risk finance methods and to how in-house counsel can advise their companies to mitigate the cost and impact of risk.
The audience we were speaking to were looking at the cost of risk strictly in terms of loss controls, finance and legal issues. However, the cost of risk in the context of third parties must take into consideration the regulatory impacts, reputational damage and ultimately, the company’s bottom line when supply chain, vendor and other third party problems occur. Today the cost of third party risk must be considered beyond what may be in the remit of in-house counsel.
As companies continue to do more, and more strategic business with third parties, they need to start looking at the real costs associated with managing third parties and the risk associated with them.
Firstly, cost must also include the cost of managing those relationships as these elements contribute to understanding and managing the risk associated with the relationship – onboarding, assessments, due diligence, monitoring, audits, training the third parties. It also includes updating and managing third parties information, conducting performance management, and handling contracts, renewals and terminations.
Secondly, the way in which most companies are currently managing these tasks may be increasing risk and costs, versus reducing them. Our experience shows many departments are managing a part of the relationship in isolation, resulting in hidden costs, duplicate effort (and costs), and increased risk; risks for specific elements of certain relationships are being managed, creating a false sense of security.
Finally, there are the costs to a company’s back office team– how many vendor invoices does your AP team receive each week for which they have no vendor record and can’t match to a PO, SOW, and approved vendor? What’s the cost of cutting checks versus wiring payments?
As companies continue to do more, and more strategic business with and through myriad third parties, they need to start looking at the real costs associated with managing (or not managing) those third parties and the risk associated with them. With the old adage of “bad things happen to good companies” wearing thin with the c-suite, there is an opportunity to redirect this conversation to something more constructive, namely: do you know how much money third party risk management is currently costing you? And, conversely, do you know how much you’re spending by not managing third parties and third party risk?
Independent Research firm Mainstay, in collaboration with Hiperos, has completed a study in which they identify the real cost of third party risk, as well as ways to control costs by reducing third party risk.