Editor's Note: The following interview with Prevalent's Brad Hibbert was originally published at www.credittoday.net and is reprinted here with permission.
More and more, Credit Managers are telling Credit Today how they are being asked to provide supplier risk assessments. This should come as no surprise in light of the stress affecting both global and local supply chains along with the advent of sustainability as a management theme.
The emergence of Enterprise Risk Management (ERM), moreover, is spawning new professional disciplines and technologies. Data security is a core issue with IT and service providers, but another focus is on a company's supply chain, and that is where credit analyst skills are needed to assess the financial and operational risks of existing and potential suppliers and service providers.
To get a better understanding of third-party risk management (TPRM) and the role credit executives can play, we spoke with Brad Hibbert, the COO/CSO at Prevalent, a TPRM software solution provider.
Third-Party Risk Management (TPRM) is the process of analyzing and minimizing risks associated with outsourcing to third-party vendors or service providers. There are many types of risks within the third-party risk category. These could include security, financial, environmental, and reputational risks. Notably, financial stability and risk of insolvency is a significant component of the third-party risk management lifecycle. While the analytics and considerations of financial insights across TPRM and Credit Analysis are comparative, the focus for TPRM is more operational in nature, as it can affect revenue generating services.
Three separate market categories have emerged when dealing with third party risks – TPRM, supply chain risk management (SCRM), and Compliance Risk Management. These processes look at different aspects of third-party risk specific to job functions – for example, security, procurement, and audit. Often these teams are acting independently using silos of solutions and processes.Historically these processes were performed annually, but the trend now is to continuously assess your third-party risks using a combination of questionnaire-based assessments and ongoing monitoring of public sourced data.
Historically the processes involved with assessing this risk have been disconnected. IT/Security is focusing on security-related risks for IT vendors. Procurement and/or supplier management are focusing on non-IT related risks including financial risk, performance, delivery, geopolitical, and now ESG (Environmental, Social, and Governance). The Legal and Compliance functions are looking at sanctions, politically exposed persons (PEPs), state ownership; and these teams may also look to Security/IT teams to perform controls-based diligence around the controls protecting data and data access and its relation to various regulatory mandates such as the General Data Protection Regulation (GDPR) out of the European Union, New York State Department of Financial Services (NYDFS) 23 NY CRR 500 and so on.
If Credit Managers are deriving risks and risk metrics using standard or proprietary analysis, these risks and insights could be fed back into the TPRM program. Not only can these insights be considered in context of other non-financial risks, but can be used to trigger and enforce consistent risk workflows across internal departments throughout the relationship with the vendor.
If the credit managers are using a separate process and product than the broader TPRM program, the risks and risk scores could be integrated. This would enable these insights to be correlated with other dimensions of risk, could be used to trigger more standardized cross-team risk workflows, and leverage the TPRM program to track mitigation of these risks via interaction with the business and third party themselves through a standardized workflow process.
A lot can happen between periodic, questionnaire-based risk assessments. To complement point-in-time assessments organizations also perform monitoring to have continuous insights into third party risks. Some examples of continuous monitoring feeds include:
For Credit Managers, this level of monitoring certainly does not eliminate the need for traditional financial analysis, but it provides early insights into activities that have a significant downstream impact on the financial and credit standing of a third party. If a company has a history of data breaches, is actively breached, has a massive outage, or is involved in litigation, would you want to be aware of it? All of this information can be collated, summarized, prioritized, and proactively delivered to the appropriate credit managers enabling quicker upfront decisions and for more timely remediation that could include adjustments to credit lines, credit terms, and/or credit insurance.
Harmonizing the TPRM program enables a company to develop a comprehensive third-party risk profile. Teams can leverage these insights through a lens to help them make better risk-based decisions in their job function. In addition to standard prescreening and financial data, TPRM can provide additional insights.
From a cyber perspective a robust TPRM program can provide information on the data breach history and current security hygiene associated with a third party. It can also help answer the question, how well is the third-party protecting themselves. Think of this as an indicator of possible compromise. How many public breach disclosures have they had over the last 10-15 years, how much data was compromised, and what type of data was compromised? A poor breach history could impact an organization's ability to deliver service, pays it bills, or in fact impact its ability to survive. Once onboarded a TPRM solution can automatically monitor your third parties for ongoing data breaches to ensure you have proactive remediation and risk mitigation strategies in place. This information could also be leveraged by credit insurance underwriters to look beyond the standard financial metrics.
From a business reputational perspective, monitoring can also provide continuous insights into business events that could impact a third party's ability to deliver or potentially disrupt service including layoffs, outages, labor disruptions or impact to reputation and brand such as EPA violations, lawsuits, etc. All these events not only can impact an organization's ability to deliver services, but also affect how they pay their bills. This extends to visibility into financial statements, key layoffs, and mergers/acquisitions, which can affect a third-party's future financial status.
Every year we do a TPRM survey and each year non-IT risks increase in importance. Within this cohort we continue to see the interest in Non-IT risk visibility and risk remediation increasing including areas of business reputational and ESG.
Ethical sourcing as a theme is becoming more prominent, to the extent that ESG driven funds are now becoming popular with investors. This is partly driven by the influx of datapoints being shared by organizations to demonstrate alignment to ESG guiding principles, allowing analysis in the sourcing process.
As I see it, the benefits for credit management include a combination of proportionate insight into the business activity, as well as additional financial record visibility, to provide a snapshot of the broader organizational health. Ongoing monitoring can also extend to self-reported events from the organization which otherwise would go amiss.
When the third-party estate is reviewed in aggregate, it offers an additional database of trends and financial variables which can help inform models, and in turn support day-to-day considerations for credit managers. The challenge is getting exposure to this ongoing monitoring dataset and crafting meaningful insights. This requires collaboration and knowledge sharing.
Credit managers can also contribute and support the decision-making centers for third party risk when they are not entwined. The wealth of experience and exposure to financial records can be leveraged to enable and educate those reviewing third party reports, and provide guidance on potential risks and pitfalls.