Your responsibility,

but not in your control:

THIRD PARTY
RISK MANAGEMENT
Your responsibility, but not in your control: third party risk management
An outsourced third party risk
management (TPRM) service
creates a fully-informed
risk discussion
F
ew corporate leaders would consider
ignoring the dangers of failing to
manage third party risk. But exactly
how to successfully manage it is a far
trickier question.
Companies increasingly reap the benefits of
outsourcing non-core functions to external
providers – this allows them to focus on
the areas their organisation knows best
as external specialists handle the rest.
But while they are an operational necessity
and a commercial reality, third party
relationships create vulnerabilities.
External suppliers can access customer data,
intellectual property and financial information.
Cyber crime, GDPR and modern slavery rules,
which hold companies responsible for actions
of any party doing business on their behalf,
add to the risk.
“According to Deloitte’s 2020
TPRM report, the financial impact
of a failure by a third party or
subcontractor has at least doubled
over the past five years”
2
Clients are increasingly expecting high
environmental, social and governance (ESG)
standards to be met and reported.
According to Deloitte’s 2020 TPRM report,
the financial impact of a failure by a third
party or subcontractor has at least doubled
over the past five years, according to almost
half of respondents.
Third party data breaches over the past
year have included several high-profile cases
such as Sandworm and SolarWinds and
ever-increasing regulation continues to make
managing third party relationships tougher
and more risky.
Fines can easily add up to millions of dollars.
Not only do organisations face initial costs of
non-compliance but also investigation costs
and post-fine monitoring costs. Then, of
course, they must contend with any ongoing
damage to a painstakingly-constructed brand
– and a consequent hit to the bottom line.
In this paper, we look at the dangers, the
solutions and the broader considerations you
must contend with when it comes to building
an effective third party risk management
(TPRM) programme.
Your responsibility, but not in your control: third party risk management
The dangers
W
hat complicates in-house
third party risk management
strategies is that the discipline
is still evolving and not a full business
function in its own right yet. This ambiguous
corporate status means third party risks
gain less organisational attention than more
established security issues.
In small/mid-sized organisations the
responsibility may fall on one person
who is unable to keep up with the whole
portfolio of risk categories such as
financial, technological, sanctions, location,
reputational, legal and environmental social
and governance (ESG).
“ While cyber risk is often the single
most important category, it is
dangerous to ignore others, such as
supply chain and business continuity”
3
This lack of clarity has unwelcome
consequences for organisations as a whole
and for procurement specifically. The TPRM
function usually sits under procurement in
larger organisations. In smaller ones it might
land under IT, security, compliance or legal.
“In many small/mid-sized organisations, if
you look on the buy side for example, TPRM
is usually left to one or two individuals and
they are also typically responsible for cyber
risk,” says Peter Pernebo, Global Head of
Third Party Risk Management Solutions,
KY3P®, at IHS Markit.
This can often slant the perception of risk
in favour of cyber security. While Pernebo
says cyber risk is often the single most
important category, it is dangerous to
ignore others such as financial risk,
sanctions, legal, regulatory, supply chain
and business continuity. >>
Your responsibility, but not in your control: third party risk management
>> When the uncertainty over which function
is responsible for ownership becomes too
great, the responsibility can simply “fall
between the cracks”. Management of the
risk spreads out in functional silos, with
little communication between the lines.
The danger for procurement or TPRM
leaders is that while they may never have
had responsibility assigned, they may find
themselves landed with the blame when
TPRM goes wrong.
Many organisations, then, are inadvertently
adopting an ad-hoc approach to managing
third party risk and too often it proves
ineffective.
Under half (44%) of respondents rated their
institutions as extremely or very effective
in managing third party risk, according to a
Deloitte study from 2021. The vast majority
4
71%
of organisations said their
third party network contains more
vendors than three years ago
(83%) of executives told a 2019 Gartner
survey that third party risks had been
identified after initial onboarding and due
diligence – indicating that existing methods
often failed to identify high-risk partners.
And an increasingly complex vendor
landscape is another threat to compliance.
In the same survey 71% of organisations
said their third party network contains
more vendors than three years ago. Nearly
a third (60%) said they were already
working with more than 1,000 third parties
and expect these numbers to continue to
grow as business ecosystems expand.
Your responsibility, but not in your control: third party risk management
Outsourcing TPRM –
an effective solution
W
hile many organisations are
reaping great benefits from
externalising non-core services,
many are failing to do the same with the
management of the associated third party
risk. This is putting them in a position where
penalties and reputational damage can
outweigh the benefits of a broadly successful
outsourcing strategy.
Outsourced third party risk management
can do the same job for many organisations
that externalising other services
accomplishes – leaving them free to
concentrate on core business.
IHS Markit provides services to meet this
need consisting of the digital Know Your
5
Third Party, KYP3®, platform and a managed
service to provide complete coverage of
third party risk management. The service
handles the entire process of third party
risk management from new vendor requests
to onboarding and due diligence through
lifecycle oversight and termination.
Peter Pernebo stresses that a managed
service provider like IHS Markit cannot take
risk ownership for an organisation. To do so
would be neither practical nor acceptable
from a regulatory point of view. The idea is to
offer a solution tailored to client needs with
full visibility, allowing the client to make its
own decisions about risks without the burden
of managing and running the day-to-day
minutia of the process.
Your responsibility, but not in your control: third party risk management
We need to talk about scale
A
t the heart of many companies’
problems when it comes to creating
a comprehensive in-house service is
the issue of scale. An in-house third party
risk management service needs to span the
key areas of vulnerability – data breaches,
the possibility of operational failures,
financial instability, reputational impact,
cyber crime and so on.
Pernebo says the problem for many
organisations is that to cover all of these
risk categories it might need a team of up
to half a dozen or more specialists.
“ An in-house third party risk
management service needs to
span the key areas of vulnerability”
6
It then also needs a manager to own and
oversee the entire process, making sure
the programme is making progress, that
onboarding of new suppliers is happening as
quickly as it should and everyone in different
risk centres carries out the right due
diligence on vendors.
“Often smaller to medium organisations just
don’t have the money or the will to invest
in such teams for doing due diligence and
surveillance,” he says.
Pernebo has witnessed that generally only
large corporations have the resources to
create this capability. The most mature in-
house third party risk management services
are in large banks and financial services and
pharmaceutical giants. >>
Your responsibility, but not in your control: third party risk management 7

>> And even this is sometimes not enough to

avoid non-compliance – see the $400m fine
handed out by US OCC to Citibank for risk
management deficiencies, and the £20m
fine by the UK ICO for British Airways for
GDPR non-compliance.

Yet small/mid-sized organisations can still

have complex and extensive supply-chains
and critical vendor relationships that require
extensive management. Demands on this
often inadequate and overworked third
party risk management team come from
several directions.

On the one hand senior management
may need an update on the risk status
of any vendor at short notice; regulators
may require proof that third party risk
is being properly managed. Both of
these eventualities require the kind of
transparency that only effective and
comprehensive TPRM coverage can provide.
“It gets really hard to provide accurate
enterprise-wide analytics if you have to
do more than simply provide a list of your
“Yet small/mid-sized organisations
can still have complex and extensive
supply-chains and critical vendor
relationships that require
extensive management”
vendors and their spend,” says Pernebo.
“Many companies are falling short because
they’re not able to provide regular reporting
without a massive effort.”
$400m
fine handed out by the US OCC to Citibank for
risk management deficiencies
And there’s an increasing urgency to
have a global view: “A surprisingly large
number of organisations don’t have that
especially when you go outside the financial
services industry,” says Pernebo. “It’s very
regionalised. Companies know what they
are doing in the UK, maybe what they’re
doing in France and in Argentina but once
you put that together they don’t have
visibility over how they are using vendors
across multiple jurisdictions.”
Not only does this mean seeing a full risk
picture is tricky but it also gets in the way of
consolidating suppliers. “You end up buying
the same service from three contractors
in three different countries, or maybe even
three times from the same contractor!”
says Pernebo.
Your responsibility, but not in your control: third party risk management
A question of talent
A
ssuming that an organisation is
willing to create a fully-functioning
TPRM team it is soon likely to run
into another issue – a shortage of the
appropriate talent and the high cost of
recruiting and retaining it.
In Accenture’s 2013 Global Risk Management
Study 54% of executives surveyed reported
that finding risk management talent with
the right skills was a major obstacle. Half
of those polled said that weak recruiting
strategies and inadequate training
programmes made the situation worse.
Talent shortages affected business and
data analytics as well as risk technology to
regulatory change programme management.
And the talent squeeze crossed the full range
of sectors.
Anecdotal evidence in the risk industry
suggests that the situation has worsened
considerably since that survey was carried
out, although more recent studies haven’t
taken place. Increasing regulatory pressures
means demand for the best specialists has
intensified over the past decade and that it
is even harder to staff TPRM functions.
8
“There is a talent shortage in third party
risk management – as a service provider we
know that as we have had to become experts
in finding and retaining great people with
relevant skill sets in this area,” says Pernebo.
If a company is operating in a low-cost
location, there are few or no candidates
available with deep expertise in areas of due
diligence such as cyber security or financial
risk. In high-cost locations such as London
or New York, the few skilled candidates are
expensive, says Pernebo.
Retention is another challenge. In a geo-
diverse workplace the chances of staff
leaving is high. CIPS Supply Management
recently reported a survey by recruiter
DSJ Global that found only a third (36%) of
supply chain executives said they were likely
to stay with their current employer in the
next few months.
54%
reported that finding risk management talent
with the right skills was a major obstacle
Your responsibility, but not in your control: third party risk management
Procurement’s pain relief
G
iven the practical obstacles of
setting up an in-house TPRM
function, fully outsourcing to a
platform like KY3P® and an associated
managed service removes the headaches
of setting up, recruiting, overseeing and
retaining a team of risk managers.
Once a client contracts a managed service,
“all of these problems are now ours,” says
Pernebo. “When you start looking at the
economics of what we charge for the service
compared to what you would have to invest
in payroll and benefits on your side, it’s
extremely cost efficient in London and New
York and also in other locations.”
As with many kinds of outsourced services
one of the key advantages is surge capacity.
Pernebo imagines a situation where the
inevitable response to a regulator’s request
is “a massive fact-finding project inside your
organisation to go and look for the datasets
on Hungary, the datasets on Germany and
Belgium and bring them all together into
spreadsheets.”
Using legacy solutions to carry out such a
complex task is prone to error and likely to be
extremely time-consuming, he warns.
“A TPRM managed service leverages
the expertise of highly trained,
experienced professionals to develop
and deliver an efficient and industry-
leading TPRM solution”
9
“If you have to do something more than
produce a list of your vendors and their
spend which is set up in your spreadsheets
it gets really hard. The KY3P® solution gives
you that transparency of having everything in
one place,” says Pernebo.
A TPRM managed service is not a one-size-
fits-all answer but changes depending on
the organisation’s size and need. It leverages
the expertise of highly trained, experienced
professionals to develop and deliver an
efficient and industry-leading TPRM solution.
Richard Blore, CEO of KY3P® at IHS Markit,
says the company conducts due diligence
among its own third party contractors using
the same solution, essentially “taking its own
medicine”. The managed service component
is likely to interest clients who are maturing
into the third party risk management space
because they typically have few or no people
on their own staff who can give this issue the
attention that it deserves.
Your responsibility, but not in your control: third party risk management
A story in security
O
ne recent company that adopted
KY3P® was insurance technology and
services firm SE2, where the Chief of
Staff is also the head of third party risk and
is dealing with hundreds of suppliers.
In this case IHS Markit is filling out all of
the vendor information on the KY3P®
platform, making sure the appropriate levels
of due diligence are identified and conducted
via “deep dive assessments”, identifying
existing control gaps, and then placed back
into the platform for the client to review
and approve.
At the same time the managed service
team is having discussions with the client
about how they record and register vendors
and industry developments. Once the
necessary due diligence is identified, the
client either contracts for IHS Markit’s
team to execute it or to assign it to
somebody in the client’s organisation.
10
When a person in the client’s organisation
gets assigned specific due diligence, the
managed service team will make sure they
do it, says Pernebo: “If you don’t do anything
for a few days or a week we will reach out to
you and push you.”
If IHS Markit is contracted to carry out
the due diligence, then once it is done they
report on possible control gaps at the
supplier, asking the client what they wish
to do with the information: “So now we’re
taking a huge chunk of work out of your
workday as you don’t have to deal with the
vendor. You don’t have to investigate and
detect this stuff. When you have a codified
process you can see where things are going
wrong and fix them quickly.”
“What you have now is the best of
both worlds – a world-class technology
platform run by people who do that third
party risk management as their profession
and they will then be able to support the
enterprise and bring you up to a higher
standard very quickly.”
Your responsibility, but not in your control: third party risk management
In conclusion… if no one’s
at fault, you’re at fault
T
PRM leaders might only have
partial ownership of the vendor risk
management process in organisations
but can easily find themselves losers in the
“blame game” if it goes wrong. At the same
time few have the time or means to develop
a meaningful in-house capacity to manage
the risk. So externalising the service is an
ideal, cost-effective way to protect both
themselves and their wider organisations.
Using a solution such as IHS Markit’s KY3P®
platform and managed service means
that TPRM leaders now have instant and
transparent visibility to the entire process
and clarity on which areas are working well
and which require further fine-tuning.
11
What does this look like? It might mean
instant and global visibility regarding the
fact that the financial service due diligence,
for example, is not going well because it’s
always taking 60 days or more to complete,
says Pernebo.
“So now you have a metric and you can go
over to the person in charge of that process
and ask why is this taking 60 days, how can
we make it take 30 days and then 10 days?”
The important thing is that metrics is the
starting point for an informed discussion
about the levels of risk a company is willing
to assume, how well it is at measuring them
and then take meaningful actions to reduce
the risk posture for the company.
>>

IHS Markit is a global leader in

information, analytics and solutions for
the major industries and markets that
drive economies worldwide. Our company
partners with clients in business, finance
and government to help them see the big
picture with unrivalled insights that lead
to well-informed, confident decisions.
IHS Markit serves more than 50,000
key customers in over 140 countries,
including 85 percent of the Fortune
Global 500. Headquartered in London,
IHS Markit (NYSE: INFO) is committed to
sustainable, profitable growth.

Go to ihsmarkit.com/cpo for
more information.