A common misconception is "If you have an enterprise risk management (ERM) platform, you don't need a third-party risk management (TPRM) platform." Not only is that not the case, but it's also a very dangerous way of thinking. You absolutely need both.
Let's start off with an example before we dive into the weeds. We've attended demos for ERM platforms, and a funny thing happened during those demos. The platforms being shown couldn't do a number of things, such as:
- They couldn't store contracts and due diligence documents or attach them to a specific vendor
- They couldn't automatically alert on dates (contract renewals, assessment due dates and the like)
- They had no workflow capabilities to speak of
What the ERM platforms did do well was roll up all the identified risks and the associated risk assessments into an enterprise dashboard. But there were other missing features that didn't appear to bother the presenters, yet certainly concerned us.
The problem is that the platforms being shown had no third-party risk management characteristics. Third-party risk management is a complex, task-heavy process in and of itself. The tracking and metrics required go well beyond "identified risk," and they are part of a standalone program that does much more than risk assessments.
ERM Platform Strengths and Weaknesses
Enterprise risk management platforms are designed to do one thing very well and that one thing is enterprise risk management.
ERM Platform Strengths:
- Analyzes potential risks. These platforms give you insight into all the potential risks the organization may face in the near future. Usually, comparisons are made year-over-year, with trends studied over three years.
- Spectrum of assessment types. Within an ERM platform, there’s usually the ability to have assessment types ranging from very simplistic to very exotic variations.
While there are certainly areas that ERM platforms cover well, weaknesses appear if you're trying to accomplish third-party risk management within the platform.
ERM Platform Weaknesses:
- Properly storing documents is difficult. Enterprise risk management platforms are not designed to function as document repositories, systems of record or enterprise vendor management systems. And ERM platforms don't have the ability to handle the due diligence associated with third-party risk management.
- The platform isn’t as secure. Enterprise risk management platforms don’t normally have a large number of users, and therefore, the security they employ is usually two-factor authentication instead of multi-factor authentication.
TPRM Platform Strengths and Weaknesses
Third-party risk management platforms are designed to gather all the vendors an organization has into a single portfolio that can be managed by the risk team. TPRM platforms are normally document archives for vast amounts of due diligence, with the native ability to notify anyone about multiple aspects related to vendors.
TPRM Platform Strengths:
- Better alerting. Notifications are critical to the success of your third-party risk program. You never want to have to explain why a contract auto-renewed, especially if the organization was planning on making a change in the vendor providing that product or service. TPRM platforms enhance and automate this process.
- More efficient task and process tracking. An effective third-party risk management platform can not only handle huge amounts of data, it streamlines methods for inputting and analyzing large quantities of information (by various parties, both internal and external), while efficiently allowing users to track the processes around the type of data collected.
- Stronger security methods accommodating many platform users. A strong third-party risk management platform will allow you to have a greater number of users with multiple layers of security. It's really important to have the ability to lock down the platform quickly, if needed.
- Insightful dashboards. A solid third-party risk management platform will have dashboards that provide a grand view of all vendor activity, while also having a dashboard dedicated to each individual vendor, giving valuable insight into the custom data being tracked, due diligence review ratings and documentation, open issues, contract details and more.
Of course, every platform tends to have a weakness or two. Based on my experience, the biggest weakness of third-party risk management platforms is that, depending on the tool, some education is required. In some cases, it can take a fair amount of time to learn how to use the platform effectively.
How ERM and TPRM Should Work Together
As mentioned, enterprise risk management rolls up the risk elements for the entire organization — a non-trivial task. Having said that, the risk assessments that originate in the third-party risk management platform should ideally flow up to the enterprise risk management platform via an application programming interface (API).
This allows the third-party risk management platform to do everything it's designed to do and manage all the vendors for the enterprise well. It also gives the enterprise risk management platform a risk assessment feed that will better inform the organization of the true risk associated with its vendor portfolio.
Third-party risk management platforms can benefit from having enterprise risk management define the organization's risk appetite and the potential material loss associated with the many other aspects of operations. You should want a third-party risk management system to manage your portfolio of vendors and an enterprise risk management platform to manage the risk of every aspect of operations that isn't vendor related. Using an API to tie the two together gives you the best of both worlds and gives the organization a better understanding of its overall risk posture.
Enterprise risk management platforms are not a stand-in for third-party risk management platforms. It's not apples to apples.
Investing in the right vendor management platform and processes has a significant ROI. Download the eBook to find out more.
