Undoubtedly, incidents related to third-party vendors disrupt business, damage reputations, and cost organizations substantial amounts of money. As a result, organizational leadership and boards have noticed and are paying more attention to third-party risk management. However, third-party risk management (TPRM) program leaders report that despite the increasing awareness, decision-makers haven't necessarily stepped up to ensure better governance or provide more resources.
In the aftermath of COVID-19, organizations may have lost sight of the importance of adequately funding TPRM as various strategic initiatives, reorganizations, and product and service offerings all compete for budget allocations. Third-party vendors play a critical role in an organization's operations, and the budget for TPRM must be prioritized to ensure that both value and possible risk are accounted for.
Why is there a disconnect between the importance of TPRM and the allocation of budget resources? Many organizational leaders underestimate the complexity of implementing TPRM across the organization. Especially in organizations that still use manual processes for managing TPRM, business units may keep their information siloed. Some leadership teams may even assume that TPRM is the responsibility of specific business units and fail to examine synergies between business units and TPRM.
Considering the complexity of TPRM, it’s essential to ask yourself specific questions such as:
- What are the risks?
- What are the potential impacts?
- How can we mitigate them?
- How can I make my case for resources?
It might start to feel like you must paint a picture of utter calamity before getting anyone's attention. Shouting "the sky is falling" didn't work for Chicken Little, and it won't work for you, especially when asking for money for your TPRM program. So, what are you to do?
As budget season approaches, we would like to share some considerations for your TPRM budget and help you think about strategies for getting those precious dollars.
Considerations for a Third-Party Risk Management Budget
The first step is to identify who has authority and decision-making power over the resources your TPRM program needs. Before you share your requests with the rest of the organization, make your case to them. Here are some questions to consider when writing your budget request:
- Where should the money go internally? Determining where TPRM dollars should be allocated isn't always a straightforward process. When you feel understaffed, it may seem logical to request additional headcount in support of TPRM. However, you need to be sure that adding headcount is the correct answer. For instance, you might be using spreadsheets to manage TPRM processes. When you do those tasks manually, it takes a lot longer than it would with an automated solution. Manual processes can also result in errors and rework, further complicating inefficient workflows. In this situation, investing in TPRM technology would be a better use of funds than adding more people.
- Will the money help expedite any processes? Suppose your business vendor owners complain about the long lead time required for vetting and onboarding new vendors. This is a genuine concern because your organization uses third parties to either realize an opportunity or fix a problem. The longer it takes to get those third parties up and running, the longer it takes to realize the intended benefits. Therefore, consider whether your TPRM budget can be used to alleviate the time-consuming processes of vendor vetting and onboarding.
If your organization is facing a backlog of due diligence, consider outsourcing your due diligence document collection and vendor risk reviews to a reputable third-party risk management company. Professional subject matter experts can easily review a vendor's control environment and help your organization shorten the wait time. Utilizing outsourced SMEs eliminates the need to recruit, train, and manage additional employees, along with the costs that come with them (salaries, benefits, equipment, office space, etc.).
Remember, identifying solutions that provide better long-term value for the organization should be your priority when identifying your TPRM budget needs.
Cost Savings and Cost Avoidance
Since the COVID-19 pandemic, the "do more with less" attitude has been exaggerated as businesses struggle to recover economically. Cost savings are front and center, but what about cost avoidance?
There can be big problems when TPRM is not executed effectively. Significant financial consequences are typically associated with vendor performance failures. Still, these costs are not often considered or planned for in the budgeting process.
A third-party failure can severely damage your organization's brand and reputation and impact customer retention and revenue.
According to KPMG's Third-Party Risk Management Outlook 2022, 73% of survey respondents stated that they had experienced a third-party incident within the past three years. Of these, 38% stated that they suffered more than three incidents that resulted in reputational damage or monetary losses. In addition, almost 50% of organizations surveyed believe the financial impact of a failure by a third party or subcontractor has at least doubled over the last five years.
How to Advocate for a TPRM Budget
Unfortunately, TPRM isn't always a priority in many organizations. It can be very challenging to ask for a budget, so you must be strategic in your request and its presentation.
Here are some strategies you can use when requesting a TPRM budget:
- Leverage your data. If you're asking for more money, make sure you have a data-driven business case. Provide the facts with your request, whether it's an increased vendor population or an extended cycle time for due diligence. In other words, rather than stating that your team is overwhelmed, you should suggest that a 30% increase in vendor volumes requires additional TPRM resources.
- Focus on the business priorities. Ensure that TPRM focuses on what the business needs to succeed. Knowing what's going on and what's important to the organization is key. We'll use due diligence cycle time as an example. Say your company is about to launch a game-changing product or service. Before that can happen, a specific vendor must be in place. If due diligence takes 90 days instead of 60, that's at least 30 days of revenue lost. Any backlogged work has a domino effect, delaying the timely onboarding of other vendors as well. It's important to remember that resource requests always have more impact when framed in a specific context.
- Demonstrate the value to the organization. When writing a budget presentation, make sure value is your goal. Describe your proposal's cost savings, efficiency improvements, and productivity improvements in detail.
Asking for and getting additional resources can be challenging, and it requires you to do research, collect data, and reframe TPRM as something that adds value to the organization. Despite your best efforts, you may not be able to get everything you ask for. Still, you're more likely to succeed if you present a compelling, data-driven business case. Framing third-party risk management as a strategic partner and defender of your organization could help you convince management to invest in TPRM.