In the current COVID-19 pandemic landscape, organizations face an unprecedented duality: managing the transition to a “new normal” while also reimagining the future of work and business.
Third-party risk leaders must use this opportunity to take on board recent lessons on how to manage third-party relationships and maintain risk-controlled operational continuity during the pandemic. Simultaneously, they must challenge themselves and their current third-party risk management (TPRM) programs to improve resiliency, increase effectiveness and drive transformation while reducing cost.
For the TPRM function to transform and to reimagine the alignment of enterprise-wide risk to future business strategy in a post-pandemic world, thinking is required in three key areas.
1. Strategic review of third parties
A strategic review of third parties that considers lessons learned in the pandemic is critical to operating in the new normal and preparing for more uncertainty in the future. Balancing the risks and benefits of using third parties is key, and TPRM will play a critical role.
The third-party operational trade-offs of resilience, efficiency and cost should now be considered and aligned to an organization’s strategy and risk appetite. This could potentially result in a redefinition of what organizations consider as truly strategic third parties – including the specialty of the service provided, geographic location, risk exposure and exclusivity of the relationship.
In-house control over operations during uncertain times may be desirable, but outsourcing can offer its own benefits, so leaders need to weigh up both short-term and long-term benefits and risks.
For example, organizations are now weighing the cost advantages of having significant Indian outsource operations against the recent infrastructure and security challenges presented by remote working during lockdown. A common response has been to begin moving more critical or high-risk services, such as customer-facing services, to near- or on-shore outsource providers, or to bring them in-house completely.
An organization’s ability and desire to take on risk is of course impacted by recent events, so risk tiering should reflect this new perspective, and diligence activities should be applied accordingly. The definition of “critical” may also be expanded to include third parties that are strategically important and/or niche and hard to replace.