All risk requires an enterprise-wide perspective.
It is consistently striking how much a conversation about a topic as broad as risk depends on who is in the room, and how often it narrows to a single aspect, such as contract management.
In fact, when digging deeper into the subject with colleagues and customers, it is surprising how much of what has been written about risk in a corporate setting focuses narrowly on digital security and compliance in the context of governance, risk and compliance (GRC).
But, as a source-to-pay organization, the question has to be “What about third-party exposure?”
Risk is all around…but where?
A Wall Street Journal survey published a few years ago found that only 30% of respondents said their organization was prepared for risks associated with cyber security. While that level is already very low, the percentage prepared for third-party compliance risk is likely to be somewhat or significantly lower.
Large organizations (>$10bn in revenue) have this challenge in their direct line of sight, with a specific plan to manage risk at all levels of their business. For instance, the role of the Chief Ethics and Compliance Officer (CECO) is to oversee and review all legal technology issues throughout the organization. This most frequently includes providing objective assessments of the company’s compliance with legislation governing the organization’s information technology systems and with industry-specific regulations.
However, the mid-market ($1bn to $5bn) does not have pockets deep enough to create this centralized C-level function to manage risk, and so often leaves risk management to chance, department by department. In fact, you could argue that mid-size organizations are exposed to far greater risk, since they may have fewer working-capital resources to weather a disruptive event.
This is further exacerbated by the fact that each individual within the same organization has a different understanding of what risk means to the business. Even when looking specifically at third-party risk, we as individuals tend by nature to consider risk in terms of reputation first rather than in terms of the security of the organization.
For example, in a food services company a buyer may view third-party risk mostly in terms of managing cost and quality, while the CPO will be focused on meeting budgeted savings and on-time-in-full (OTIF) targets. The General Counsel, however, may be focused on the overall contractual risk that the third party poses to the business. Where is the corporate alignment?
Close the corporate alignment gaps to shut out risk.
Furthermore, there is often an overdependence on waiting for regulation to drive change in different industries. Risk is measured by compliance with regulations, whereas setting standards of conduct or Corporate Social Responsibility (CSR) can also be a proactive way to differentiate a business from its peers, perhaps even adding another stakeholder, such as HR or ethics, to the mix of people looking at risk.
Understanding risk is not just about measuring, it’s also about aligning the entire corporation behind some common corporate goals, while making sure they relate to everyday work situations and requirements for different stakeholders.
In this regard, when discussing contract management the conversation often pivots to supplier onboarding and compliance. This is why adopting a wider definition of risk and of performance measurements is only part of the job; it also needs follow-up in the form of contract management, in areas such as obligations management, and an understanding of how all these risks are intertwined.
At Determine, we are seeing how third-party risk is evolving with many stakeholders. For us it’s not about solutions such as SIM and CLM in isolation, but rather how integrated technologies need to work together to provide a more holistic picture.
While everyone tends to see risk from their own vantage point (or weak point), the ability to create a holistic view of risk starts with understanding how to establish a common enterprise-wide perspective on data, information and the unique processes that provide the big picture.