“Risk” Is in the Eye of the Beholder
I am still amazed at how a conversation about a topic as broad as risk depends on the individual I am speaking with, and how, more often than not, it narrows to contract management.
In fact, as I have dug deeper into the subject with colleagues and customers, I have been surprised that most of what has been written on risk in a corporate setting focuses narrowly on digital security and compliance in the context of governance, risk and compliance (GRC). Since I work for an organization focused on source-to-pay, my question is: what about third-party exposure?
The Wall Street Journal recently published a survey which found that only 30% of respondents said their organization was prepared for risks associated with cyber security. While that level is already very low, it struck me that the corresponding figure for third parties is going to be somewhat or significantly lower.
Large organizations (>$10bn in revenue) have this challenge in their direct line of sight, with a specific plan to manage risk at all levels of the business. For instance, the role of the Chief Ethics and Compliance Officer (CECO) is to oversee and review legal and technology compliance issues throughout the organization. Most frequently this includes providing objective assessments of the company's compliance with the legislation governing its information technology systems and with industry-specific regulations.
However, the mid-market ($1bn to $5bn) does not have the deep pockets to create this centralized C-level function, and so it often leaves risk management to chance, department by department. In fact, you could argue that mid-size organizations face greater exposure, since they have less working capital with which to weather a disruptive event.
This is further exacerbated by the fact that each individual within the same organization has a different understanding of risk to the business. Even when looking specifically at third-party risk, we as individuals naturally tend to think of risk to reputation first, rather than risk to the security of the organization.
For example, in a food services company a buyer may frame third-party risk mostly in terms of managing cost and quality, while the CPO will be focused on meeting budgeted savings and on-time-in-full (OTIF) targets. The General Counsel, however, may be focused on the overall contractual risk the third party poses to the business. Where is the corporate alignment?
Furthermore, there is often an overdependence on waiting for regulation to drive change in an industry. Risk is measured by compliance with regulations, whereas setting standards of conduct or Corporate Social Responsibility (CSR) can also be a proactive way to differentiate a business from its peers, perhaps even adding another stakeholder, such as HR or ethics, to the mix of people looking at risk.
So understanding risk is not just about measuring it; it is also about aligning the entire corporation behind common corporate goals, while making sure those goals relate to the everyday work situations and requirements of the different stakeholders.
In this regard, when I am discussing contract management, the conversation will often pivot to supplier onboarding and compliance. It is for this reason that adopting a wider definition of risk and performance measurement is only part of the job; it also needs follow-up in the form of contract management, in areas such as obligations management, and an understanding of how all these risks are intertwined.
At Determine, we are seeing how third-party risk is evolving with many stakeholders. For us it is not about solutions such as SIM (supplier information management) and CLM (contract lifecycle management) in isolation, but rather about how technologies need to work together to provide a more holistic picture. While risk is in the eye of the beholder, the ability to create a holistic view of risk starts with understanding how to establish a common perspective on the data, information and unique processes that make up the big picture.