
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/339237968

Third Party (Vendor / Supplier / Partner) Risk Management Framework for Digital Maturity And Requirements of Global Compliance

Conference Paper · February 2020

1 author: Neeraj Parashar, Tech Mahindra

All content following this page was uploaded by Neeraj Parashar on 13 February 2020.


Third Party (Vendor / Supplier/ Partner)
Risk Management Framework for Digital Maturity
And Requirements of Global Compliance
Background of The Problem
Owing to the global business architecture, organizations need to engage with partners, suppliers and
vendors across the globe. A strong global value chain, whether in product- or service-based industry
domains, is the strategic competitive advantage that companies look to build and cherish in order to
sustain digital disruption and reach digital maturity.

Business contracts and vendor engagements structured earlier are neither compatible with the principles
of a digital business environment nor with the dynamic needs of the business. The external and
internal business environment has changed: stringent privacy laws, massive penalties for non-compliance,
newly surfacing risk scenarios, and the ability of upstream and downstream partners, suppliers and
vendors (all considered vital stakeholders of the business) to create business disruption.

Similarly, new business architectures such as the shared database in Blockchain make it imperative
that the internal value chain is aligned to the demands of real-time processing.

This requires organizations to own a robust and scalable risk management program that allows the
business to run in a nearly autopilot mode. Tech Mahindra offers a comprehensive risk management
framework that brings all third party service providers, however different in geography, service type
and engagement level, onto a common board for governance and monitoring, in order to fulfil compliance
and manage risk.

Major Risks and Challenges

■ Non-compatibility or inadequacy of the vendor's or third party's risk program or risk management
system.
■ Requirements of GDPR and local privacy laws in the roles of data controller and data processor, and the
risk associated with data subject rights and the flow of personal data.
■ Requirements of the digital ecosystem, i.e. real-time transaction processing, reporting and cognitive
decision making.
■ Reputation and goodwill associated with customer and user experience, and business performance.
■ Creation of an enterprise risk portfolio of all identified risks, with their ratings baselined against
global standards so that appropriate treatment can be planned.
Tech Mahindra Approach To Vendor / Partner Optimisation
For Digital Ecosystem

Phase 1: Risk Planning

Ownership - Client shares data with TechM


Objective
■ Seek risk dimensions from internal functional groups.
■ Add dimensions as per global patterns.
■ Develop a weighting pattern for these dimensions, agreed with stakeholders, along with category tagging.
■ Classify ownership of each dimension.
■ Seek the qualifying parameter and evidence of qualification for each dimension.

Key Activities
■ Conduct stakeholder interviews to collect review inputs.
■ Assess other primary and secondary data, documents and other submitted information.
■ Propose measures against gaps and missing areas.
■ Seek agreement on the dimensions for inherent risk, SME and other areas to be finalized for the risk
assessment of the supplier stake.
■ Refer to the historic performance of the supplier recorded in the system.

Deliverables
■ Dimension details for each individual purchase / supply type
■ Weightage of parameters frozen, with all exceptions / factors
■ Flagging system for deviations and exceptions
■ Additional dimensions identified
■ Agreement of functional groups, the TPRM group and the TechM risk review team

Phase 2: Risk Review & Assessment

Ownership - TechM processes internally, with external references


Objective
■ Complete the assessment against the source factors given, to complete the risk review.
■ Assess the risk impact on the business, the customer and the other factors covered in the review document.
■ Rate the issue factors in each dimension area as per the rating scale configured in the Archer tool.
■ Create a view of the Risk Summary.
Key Activities
■ Append the data received from the supplier interaction / interview / questionnaire or other means
in the tool.
■ Ask for supplementary information where the given interaction report is missing or unclear.
■ As per the likelihood, assess the risk against frequency, occurrence and detection, and also evaluate
the impact on the business; give a rating as per the SOP parameters and record it in the risk register
with cost details etc.
■ Evaluate the initial controls proposed by the supplier against the identified risk areas, as per the SOP.
■ Seek the Client's measures to control the open risk issues.
■ Rate, escalate or reply to the supplier for clarification in the tool.

Deliverables
■ Publication of the risk summary
■ Details of cost and other investments, separately, as per the control plan submitted by the supplier
■ Flagging of areas which are non-compliant and for which a control plan is needed

Phase 3: Mitigation

Ownership - TechM seeks to have issues plugged through third party controls

Objective
■ Once the final risk summary is accepted by the functional groups for the next level, obtain a control
plan from the supplier against the list of issues.
■ Seek control plans from other stakeholder groups where required, for example legal and other grey
areas of reporting compliance.
■ Seek the lowest consolidated residual risk rating for the supplier.

Key Activities
■ Based on the final risk summary, ask the supplier to submit a control plan against the issue log.
■ Once the supplier submits the control plan against the issue log, the reviewer reassesses the risk in
the tool as per the newly submitted status.
■ Complete the assessment, seeking clarification from the supplier via the proper channel if required.
■ Complete the rating process in the system as per the SOP and the in-scope dimensions.
■ Complete the supplier rating in the system, flagging the areas to be governed and monitored in the
post-contract phase.
■ Map the supplier's contract proposal against the enterprise framework as per the category details and gaps.

Deliverables
■ Publication of the Residual Risk Rating
■ A go / no-go decision from the Client on the contract
■ Publication of the supplier proposal against the target frame agreement in focus
■ Publication of the risk impact assessment report from the system to the stakeholders, based on the residual ratings
Phase 4: Governance & Monitoring

Ownership - Post-contract reviews and reporting done by TechM

Objective
■ As per the system calendar, capture, process and publish contract performance data.
■ Identify red, amber and green areas.
■ Seek clarification from the supplier in the system and update the minutes of meeting (MoM) of the review.
■ Raise a flag in case of deviations, newly identified issues and contract violations.
■ Protect the interests of the Client group.

Key Activities
■ As per the review schedule, seek data on contract performance, exceptions and comments (NPS etc.).
■ In the agreed format and for the identified stakeholders, produce the contract review and audit report.
■ Seek clarification and a control plan for open issue areas from the supplier, in case of exceptions or
dimensions added / changed.
■ Raise a flag to impose penalties, invoke the exit plan, start termination proceedings etc.
■ Update the status of the contract in the system with comments, SLA adherence and other achievements
and misses.

Deliverables
■ Update the risk tool against the contract performance
■ Update the learning tool / risk register and other supplier / issue reference sources
■ Seek the standing rating of the supplier
■ Update stakeholders where new dimensions are relevant to be added or changed at contract renewal
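The four phases above describe a scoring workflow without showing its arithmetic: dimensions get agreed weights (Phase 1), each issue is rated on frequency, occurrence, detection and impact (Phase 2), the rating is reassessed after the supplier's control plan to give a residual rating (Phase 3), and red / amber / green areas are flagged for governance (Phase 4). The following is an added example, not Tech Mahindra's tool, SOP or the Archer configuration the paper refers to. The 1-5 scales, the likelihood formula (mean of frequency, occurrence and detection), the 25-point rating range, the RAG thresholds, the sample findings and the weights are all constructed assumptions so that the code runs offline.

```python
"""Worked example (constructed, not Tech Mahindra's tool or SOP): a small
third-party risk register that scores each review dimension, derives an
inherent and a residual rating, and flags red / amber / green areas."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed thresholds on a 1-25 rating scale; the paper defers the real
# scale to the client SOP configured in the Archer tool, not reproduced here.
RAG_RED = 15.0    # rating at or above this is red
RAG_AMBER = 8.0   # rating at or above this (and below red) is amber


@dataclass
class Finding:
    """One issue raised against a review dimension (a Phase 2 risk register entry)."""
    dimension: str
    frequency: int          # 1-5: how often the exposure arises
    occurrence: int         # 1-5: how likely it is to materialise
    detection: int          # 1-5: 5 = hardest to detect before impact
    impact: int             # 1-5: impact on business / customer
    control_effectiveness: float = 0.0  # 0..1, set after the supplier's control plan review (Phase 3)

    def __post_init__(self) -> None:
        for name in ("frequency", "occurrence", "detection", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be within 0..1")

    def likelihood(self) -> float:
        """Likelihood as the mean of frequency, occurrence and detection (assumed formula)."""
        return (self.frequency + self.occurrence + self.detection) / 3

    def inherent(self) -> float:
        """Inherent rating before any control plan: likelihood x impact, range 1-25."""
        return self.likelihood() * self.impact

    def residual(self) -> float:
        """Residual rating once the control plan reduces the inherent exposure."""
        return self.inherent() * (1.0 - self.control_effectiveness)


def rag(rating: float) -> str:
    """Map a rating to the red / amber / green flag used in governance reviews."""
    if rating >= RAG_RED:
        return "red"
    if rating >= RAG_AMBER:
        return "amber"
    return "green"


def validate_weights(weights: Dict[str, float], findings: List[Finding]) -> None:
    """Phase 1 agreement: every assessed dimension carries a weight and the weights sum to 1."""
    missing = {f.dimension for f in findings} - set(weights)
    if missing:
        raise ValueError(f"no weight agreed for dimensions: {sorted(missing)}")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("dimension weights must sum to 1.0")


def supplier_rating(findings: List[Finding], weights: Dict[str, float]) -> dict:
    """Weighted inherent and residual rating for one supplier, plus exception flags.

    A dimension is listed under 'exceptions' when its own residual rating is red,
    even if the weighted overall rating is not, so it stays flagged for post-contract
    governance (Phase 4) instead of being averaged away.
    """
    validate_weights(weights, findings)
    inherent = sum(weights[f.dimension] * f.inherent() for f in findings)
    residual = sum(weights[f.dimension] * f.residual() for f in findings)
    exceptions = sorted(f.dimension for f in findings if rag(f.residual()) == "red")
    return {
        "inherent_score": round(inherent, 2),
        "inherent_flag": rag(inherent),
        "residual_score": round(residual, 2),
        "residual_flag": rag(residual),
        "exceptions": exceptions,
        "per_dimension": {f.dimension: round(f.residual(), 2) for f in findings},
    }


# Constructed sample register for one hypothetical supplier.
SAMPLE_FINDINGS = [
    Finding("data_privacy", frequency=3, occurrence=4, detection=4, impact=5, control_effectiveness=0.10),
    Finding("cyber", frequency=2, occurrence=3, detection=3, impact=4, control_effectiveness=0.50),
    Finding("financial", frequency=1, occurrence=2, detection=2, impact=3),
    Finding("sla_performance", frequency=4, occurrence=4, detection=2, impact=3, control_effectiveness=0.25),
]
# Constructed weighting pattern, as agreed with stakeholders in Phase 1.
SAMPLE_WEIGHTS = {"data_privacy": 0.4, "cyber": 0.3, "financial": 0.1, "sla_performance": 0.2}

if __name__ == "__main__":
    for key, value in supplier_rating(SAMPLE_FINDINGS, SAMPLE_WEIGHTS).items():
        print(f"{key}: {value}")
```

On the sample register the weighted rating improves from amber inherent to amber residual, but the data privacy dimension remains individually red because the supplier's control plan only covers a small part of that exposure; the exception list is what keeps such an area visible in the Phase 4 red / amber / green review rather than letting a good score in other dimensions mask it.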

Frame Agreement Approach


CASE IN POINT: VENDOR, PARTNER OR SUPPLIER RISK
OPTIMIZATION PROGRAM AS PER TECHM RISK FRAMEWORK

Business Problem
The organization is a leading banking service provider in the UK. It is looking to develop a robust and
scalable risk management center of excellence, with a proactive mechanism to manage operational, market,
compliance, cyber and regulatory risk and a timely and effective system to identify and mitigate all
known issues.
The program is expected to deliver enterprise business agility through seamless change management and
culture building, covering reputational and financial risk.

RCA and Approach Identified

■ Detailed interviewing of the internal stakeholders and functional groups
■ Digitization of existing contracts and cluster analysis of them
■ Gathering of historic data: risk registers, losses, penalties paid, red areas and enterprise
vulnerability assessment against the defined parameters of standards / dimensions.

Solution Given & Cost Involved

■ Develop a comprehensive frame agreement with mandatory / optional compliance factors.
■ Functional group educational program on sending requirements and entrusting compliance
fulfillment, a structured requirement gathering process and the risk impact potential.
■ Workshop-based process / customer streamlining to capture SME dimensions, bottlenecks and
priorities.
■ Deployment of best practices for loss reduction, cost avoidance, economic-order-quantity based
efficiency and effectiveness of order processing, and payment conditions.
■ Spend analytics to address major cost centers and provide zero-based budgeting inputs.

Scope and Timelines

■ Scope – Covering all product lines, business functions and group companies, and suppliers on
board, contractors, vendors and cost centers
■ Timelines – Delivery on a turnkey basis; maturity to be reached in 18 weeks.

Major Challenges
■ Need vs. want factors and dimensions
■ Availability of data for due diligence of supplier performance against all the dimensions
■ Disparate contracts with a variety of conditions
■ Absence of an enterprise learning management system based on historic supplier performance
■ Lack of governance of the non-SME dimensions of all contracts

Benefits Secured
■ Consistent and sustainable ecosystem, enterprise resilience through control execution, governance
and transparent reporting.
■ Maturity through enterprise learnings and agile change management.
■ Reduction of loss, cost avoidance and cost control through stricter implementation of parameters
from the planning, due diligence, review and control, and execution phases.
■ Reduction of headcount, with 70% of the process governed on a common platform with real-time
decision making, processing and governance.


About Author
Neeraj Parashar

Neeraj Parashar is Practice Head of BFS, Global Risk & Compliance, Digital and Design Lab for
Tech Mahindra, and has worked as Global DPO for Tech Mahindra.

He has completed a PhD in Digital Performance Management Standards, an MBA (Information Systems and
Marketing) from IMS, Indore, and an M. Phil in Economics; he is a Certified DPO, Six Sigma MBB, Lean
Master, PMP, CIO Said - Garter Certified Professional and an alumnus (Diploma in Software Engineering)
of Carnegie University of Pittsburgh, USA. He has over 20 years of consulting experience (operational,
architecture and advisory) in managing the delivery of Digital, Analytics, Cognitive and RPA based
organization excellence projects.

Email: neeraj.parashar@techmahindra.com

About Tech Mahindra

Tech Mahindra represents the connected world, offering innovative and customer-centric information
technology experiences, enabling Enterprises, Associates and the Society to Rise™.
We are a USD 4.9 billion company with 131,500+ professionals across 90 countries, helping 946 global
customers including Fortune 500 companies.
Our convergent, digital, design experiences, innovation platforms and reusable assets connect across a
number of technologies to deliver tangible business value and experiences to our stakeholders.
Tech Mahindra is the highest ranked Non-U.S. company in the Forbes Global Digital 100 list (2018) and
in the Forbes Fab 50 companies in Asia (2018).
