Risk Management – a high-level description
Risk management is a process. The goal of the process is to understand risks and take (affordable) steps to reduce risks.
The risk-management process involves iterative steps that begin with identifying risks:
Third-Party Risk Management
Third-party risk management (TPRM) is the component of risk management that deals with the risks third parties such as suppliers and clients bring to your business. Large enterprises have formal TPRM rules and procedures that govern the way they go about dealing with other businesses. Under formal TPRM, vendors receive particular attention. The goal is to ensure clients and other counterparties comply with TPRM requirements.
During the last few years, we have seen increased levels of TPRM activity, with requirements spreading from large enterprises to smaller businesses, i.e., small to mid-sized enterprises (SMEs).
What can you expect when other companies apply third-party risk management to your business?
As a starting point, and as an introduction to TPRM, consider the questions that the company (or companies) supplying your business insurance asked you to sign off on at your last renewal. Compare those questions with the questions you encounter at your next renewal. Insurance company questions touch on the various areas of TPRM. However, insurance company questions often stand alone, while TPRM questions lead to more detailed follow-up questions aimed at proving your statements are accurate. TPRM digs deep into the details of how you perform governance and compliance as you do business.
Here’s a high-level sampling of TPRM “governance” topics, where the party requesting information will expect clear answers, supported by proof of documented policies, plans, and detailed procedures:
- Corporate information – legal name, corporate address, website, contact information, etc.
- Policies – privacy, security, cyber-security, human resources, data handling, intellectual property, non-disclosure, and other policies
- Plans – business continuity, disaster recovery, IT, and other plans
- Procedures – detailed operating information that confirms processes and operating tools/manuals/training are in place to cover all aspects of all policies and plans
Taking a Small Step Forward in 2023
Review your supplier base and your client base from a third-party risk management perspective. Consider basic questions like, “Is this client/supplier increasing the requirements it expects us to satisfy?”