Third-party risk management (TPRM) operations, when done properly and from all angles, become an activity involving multiple teams, each following its own approaches, processes, SOPs, and SLAs. In my experience, conclusive data and information are crucial for all teams to work in tandem. Information is documented and stored in more than one format, depending on how it was gathered. Teams often run into difficulty when that data has to be consolidated: for leadership reporting, for deriving trends, for getting a handle on legacy third parties already in the organization, and for re-assessments triggered when a third party expands into new geographies, adds services or products, or has its contract terminated or renewed.
Business, Procurement, Legal, TPRM, IT, Finance, Security, Healthcare, Life Sciences (and possibly others) need to agree on a methodology for documenting and sharing data when assessing the risk and security posture of third parties. This is a top-down approach: the TPRM steering committee, in coordination with the other team heads, comes up with an approach that works for all. This reduces the likelihood of inconsistent data. TPRM leaders and function heads need to write SOPs for activities that stretch across teams and define internal SLAs; these translate into seamless operations and a healthy working atmosphere.
Some key points to be taken into consideration are:
- Procurement is usually the owner of all third-party information and contracts. Technology and tools should be integrated so that structured information flows from that source to all teams
- Agreeing on a governance structure between teams and keeping a single repository of assessment, risk, and contractual data on third parties reduces friction and debate over the availability and accuracy of data. It also lets every team involved derive statistics and trends, which senior management and the board find very useful
- Socialize and publish the SOPs across teams so that new members are aware of the protocols and the agreed-upon SLAs
- Conduct short workshops to communicate any major changes to the operating procedures, including critical changes forced by circumstances
- Encourage sharing of information received from third parties, such as artifacts and documents (within whatever confidentiality terms the third party attached to them), so that multiple teams do not approach the same third party requesting the same or similar information
- Leaders should promote a healthy feedback mechanism through which teams can make and adopt suggestions.
All teams involved are working towards a single objective: to minimize and address third-party risk. This message needs to be loud and clear.