When looking for third-party risk management software, it can be easy to get caught up in the details of specific kinds of data and functionality that might be on a shopping list, developed in consultation with stakeholders. And as a result, an organization can lose sight of the bigger picture. It can be helpful to step back and ask some more strategic questions first.
That’s because key “big picture” issues such as data governance, the solution’s agility, and its ability to support an ethics strategy, among others, will determine the overall success of your organization’s third-party risk management (TPRM) program. These “big picture” issues will also underpin the software’s capacity to meet today’s TPRM challenges, such as rapid regulatory change, increased connectivity and complexity and poor third party data governance, for example.
Below are our Top Ten Big Questions for TPRM technology. They are designed to help organizations think more strategically about how they are approaching the purchase of TPRM software, whether it is for the first time, or to replace a legacy system. Addressing these “big picture” issues is vital for a successful TPRM implementation. Here are the ten top strategic questions organizations should ask:
- Current Program Maturity: What is the current state of your third-party risk management program? Does the software meet your current needs and can it easily adapt and scale as your program evolves?
- Data Governance: Does the software support robust data governance, providing a secure, single source of truth? Today’s TPRM technology needs to have data governance at the heart of the solution. The solution needs to be able to maintain high data quality standards, and keep the data safe. Access to data should be controlled by role, so that the right stakeholders are able to work with the data they need. Strong data governance enables everyone who engages in TPRM to trust the information they are receiving for the decisions they need to make.
- Risk Intelligence Partnerships: Is the software vendor engaged with risk intelligence/data partners to support the screening, enhanced due diligence, and ongoing monitoring requirements of your program? The external data that TPRM software can now utilize is becoming richer every year. This data can provide deep insights into potential third parties, and flag issues in existing relationships. However, the external data that an organization uses in its TPRM software must be high quality and itself abide by data governance standards. A TPRM platform that already has data partners in place can save an organization time and resources, as the data partners are already vetted. If an organization already has its own data partners, then the software should be equally able to work with those.
- Data Integration: How does the software vendor integrate internal and external data sources to generate insights? Is it simple, or does it require heavy lifting? When bringing together internal and external data, the devil is always in the detail. Many vendors say they can do this, glitch-free. However, it is important to obtain specific information about how this is achieved. Improperly aligned data can lead to mis-perceptions and poor decisions. On the other hand, being able to bring together internal and external data properly can generate rich insights into the relative strengths, and weaknesses, of the third parties that the organization is choosing to engage with.
- User Adoption: How does the user interface support adoption across the organization, including business units? Ease of use is critically important in TPRM programs due to the range of stakeholders that need to interface with the system. A poor-quality UI – no matter how good the functionality is – will hurt adoption, particularly in the business. TPRM software UIs should be intuitive to work within and provide dashboards and reports that convey the information they contain in an engaging way. It can be a good idea to explore the UI of TPRM software from a business user case perspective, before purchasing, to better understand how well it will support the organization’s TPRM cultural goals.
- Regulatory Change Management: Can the software support regulatory change management? Is it easy to adapt integrations and workflows - or does it require a lot of heavy lifting and expense? In today’s TPRM ecosystem, regulatory obligations are constantly evolving, as are industry standards. Whether it’s new sanctions, emerging modern slavery rules, or industry-related third-party risk management demands, every year seems to produce a wide range of new requirements. Staying on top of these using manual processes is almost impossible today in an organization of any complexity. So it’s important to understand how the software can support regulatory change, for example, with the addition of fresh data sources, creation of new workflows and assessments, and the adjustment of risk scores. Adaptable software can significantly reduce the resources and costs associated with managing regulatory change.
- Customization: Can the software create workflows, forms, alerts, and other elements without requiring coding? Will it adapt to anything that regulatory change and business change requires of it? Many of the challenges that face organizations around TPRM today can be overcome with more agility and flexibility. So, software solutions that require coding for workflows, forms, alerts and other elements simply cannot be adapted fast enough to cope with events like regulatory change, a new business unit, or emerging risks. Individuals in key roles must be able to easily create workflows, forms and more with just a few clicks. Otherwise, TPRM risks being viewed as limiting the ability of the business to evolve.
- Reporting and Dashboards: Do the dashboards and reporting provide a comprehensive view of the third-party risk landscape for compliance, business units, and senior management? Can you see everything you need? When preparing to review TPRM software, it’s a good idea to consider in advance what kind of data you want stakeholders to have access to, what kinds of charts and reports they will need to make decisions? Then have the vendor demonstrate how those dashboards and reports can be created. Often, experienced vendors may have suggestions about how to improve on the organization’s ideas for dashboards and reports as well, based on the practices they have encountered.
- Vendor Partnership: Is the software vendor a strategic partner offering continuous support, expert knowledge, and the ability to evolve with your needs? Will you get all the help you need? Your organization’s relationship with the software vendor will be one of the most important third-party relationships it has. Sometimes vendors have deep expertise in the technology they sell but do not have the necessary TPRM domain experience to be a true partner. Other vendors focus only on the installation and reduce their engagement after that. TPRM is a rapidly evolving space, so it’s important to be working with a vendor that is structured to support organizations over time.
- Future Scalability: Is the TPRM software capable of scaling to support future needs such as regulatory changes, business strategy shifts, or structural adjustments? Third-party risk management is no longer just about the financial viability of the vendor and the vendor’s ability to deliver as contracted. Today TPRM involves connecting with areas of ethics such as gifts & entertainment, conflicts of interest, and more. Having TPRM software that is designed to support the organization’s overall ethics strategy helps to entrench an ethics culture by supporting processes and making it easier to discover and share insights.
Thinking strategically about TPRM to begin with and asking “big picture” questions can help your organization understand if the software vendor is aligned to both its needs and its desired outcomes. Once this is ascertained, it is easier to visualize how your organization and the software vendor might be able to collaborate over time to deliver on your organization’s strategic vision for TPRM, and more broadly, its ethics culture.
For a full guide to buying Third-Party Risk Management software, download the TPRM Buyer’s Guide.
Take a product tour of GAN Integrity’s Third-Party Risk Management solution.