What Every Credit Exec Should Know about Third-Party Risk Management

Editor's Note: The following interview with Prevalent's Brad Hibbert was originally published at www.credittoday.net and is reprinted here with permission.

More and more, Credit Managers are telling Credit Today how they are being asked to provide supplier risk assessments. This should come as no surprise in light of the stress affecting both global and local supply chains along with the advent of sustainability as a management theme.

The emergence of Enterprise Risk Management (ERM), moreover, is spawning new professional disciplines and technologies. Data security is a core issue with IT and service providers, but another focus is on a company's supply chain, and that is where credit analyst skills are needed to assess the financial and operational risks of existing and potential suppliers and service providers.

To get a better understanding of third-party risk management (TPRM) and the role credit executives can play, we spoke with Brad Hibbert, the COO/CSO at Prevalent, a TPRM software solution provider.

What should credit managers know about the TPRM process?

Third-Party Risk Management (TPRM) is the process of analyzing and minimizing risks associated with outsourcing to third-party vendors or service providers. There are many types of risks within the third-party risk category. These could include security, financial, environmental, and reputational risks. Notably, financial stability and risk of insolvency is a significant component of the third-party risk management lifecycle. While the analytics and considerations of financial insights across TPRM and Credit Analysis are comparative, the focus for TPRM is more operational in nature, as it can affect revenue generating services.

How is TPRM handled in most companies?

Three separate market categories have emerged when dealing with third party risks – TPRM, supply chain risk management (SCRM), and Compliance Risk Management. These processes look at different aspects of third-party risk specific to job functions – for example, security, procurement, and audit. Often these teams are acting independently using silos of solutions and processes.Historically these processes were performed annually, but the trend now is to continuously assess your third-party risks using a combination of questionnaire-based assessments and ongoing monitoring of public sourced data.

What areas of the organization are involved in TPRM?

Historically the processes involved with assessing this risk have been disconnected. IT/Security is focusing on security-related risks for IT vendors. Procurement and/or supplier management are focusing on non-IT related risks including financial risk, performance, delivery, geopolitical, and now ESG (Environmental, Social, and Governance). The Legal and Compliance functions are looking at sanctions, politically exposed persons (PEPs), state ownership; and these teams may also look to Security/IT teams to perform controls-based diligence around the controls protecting data and data access and its relation to various regulatory mandates such as the General Data Protection Regulation (GDPR) out of the European Union, New York State Department of Financial Services (NYDFS) 23 NY CRR 500 and so on.

How best can credit managers help the TPRM team and are there areas beyond organizational or financial risk where credit managers can be of assistance?

If Credit Managers are deriving risks and risk metrics using standard or proprietary analysis, these risks and insights could be fed back into the TPRM program. Not only can these insights be considered in context of other non-financial risks, but can be used to trigger and enforce consistent risk workflows across internal departments throughout the relationship with the vendor.

What are the best ways for Credit Managers to communicate risk factors to the TPRM team?

If the credit managers are using a separate process and product than the broader TPRM program, the risks and risk scores could be integrated. This would enable these insights to be correlated with other dimensions of risk, could be used to trigger more standardized cross-team risk workflows, and leverage the TPRM program to track mitigation of these risks via interaction with the business and third party themselves through a standardized workflow process.

Please expand a bit more on the sources of the data TPRM teams are collecting on suppliers and other vendors.

A lot can happen between periodic, questionnaire-based risk assessments. To complement point-in-time assessments organizations also perform monitoring to have continuous insights into third party risks. Some examples of continuous monitoring feeds include:

• ESG: Environmental, Social and Governance scoring for public companies, offering analyst driven insights into the stance and processes taken by the organization, with annual peer reviews and the EPA ecological violations database.
• Cyber: Criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials — as well as security communities, code repositories, and vulnerability databases.
• Business: Reviews from public websites, company blogs, news articles, and more. This pinpoints any potential events of interest which are being discussed in the broader community, such as financial declarations, mergers, operational changes, and probes.
• Financial: Credit agencies and investigations workflows to pinpoint any financial discrepancies or shell holdings which can impact financial stability.
• Reputational: Localized sanctions and enforcement lists across the globe, including identification of politically exposed persons or companies with whom transactions are currently prohibited.
• Hack & Data Breach: Known data breaches or hacks within the last 10 years, including leaked credentials on public sites which require consideration.

For Credit Managers, this level of monitoring certainly does not eliminate the need for traditional financial analysis, but it provides early insights into activities that have a significant downstream impact on the financial and credit standing of a third party. If a company has a history of data breaches, is actively breached, has a massive outage, or is involved in litigation, would you want to be aware of it? All of this information can be collated, summarized, prioritized, and proactively delivered to the appropriate credit managers enabling quicker upfront decisions and for more timely remediation that could include adjustments to credit lines, credit terms, and/or credit insurance.

How can Cyber-data and Sentiment Data help credit managers?

Harmonizing the TPRM program enables a company to develop a comprehensive third-party risk profile. Teams can leverage these insights through a lens to help them make better risk-based decisions in their job function. In addition to standard prescreening and financial data, TPRM can provide additional insights.

From a cyber perspective a robust TPRM program can provide information on the data breach history and current security hygiene associated with a third party. It can also help answer the question, how well is the third-party protecting themselves. Think of this as an indicator of possible compromise. How many public breach disclosures have they had over the last 10-15 years, how much data was compromised, and what type of data was compromised? A poor breach history could impact an organization's ability to deliver service, pays it bills, or in fact impact its ability to survive. Once onboarded a TPRM solution can automatically monitor your third parties for ongoing data breaches to ensure you have proactive remediation and risk mitigation strategies in place. This information could also be leveraged by credit insurance underwriters to look beyond the standard financial metrics.

From a business reputational perspective, monitoring can also provide continuous insights into business events that could impact a third party's ability to deliver or potentially disrupt service including layoffs, outages, labor disruptions or impact to reputation and brand such as EPA violations, lawsuits, etc. All these events not only can impact an organization's ability to deliver services, but also affect how they pay their bills. This extends to visibility into financial statements, key layoffs, and mergers/acquisitions, which can affect a third-party's future financial status.

Are EPA, ESG and other Environmental Risk Factors emerging as areas of importance?

Every year we do a TPRM survey and each year non-IT risks increase in importance. Within this cohort we continue to see the interest in Non-IT risk visibility and risk remediation increasing including areas of business reputational and ESG.

Ethical sourcing as a theme is becoming more prominent, to the extent that ESG driven funds are now becoming popular with investors. This is partly driven by the influx of datapoints being shared by organizations to demonstrate alignment to ESG guiding principles, allowing analysis in the sourcing process.

What sort of ongoing monitoring is involved and can credit management benefit/contribute to that?

As I see it, the benefits for credit management include a combination of proportionate insight into the business activity, as well as additional financial record visibility, to provide a snapshot of the broader organizational health. Ongoing monitoring can also extend to self-reported events from the organization which otherwise would go amiss.

When the third-party estate is reviewed in aggregate, it offers an additional database of trends and financial variables which can help inform models, and in turn support day-to-day considerations for credit managers. The challenge is getting exposure to this ongoing monitoring dataset and crafting meaningful insights. This requires collaboration and knowledge sharing.

Credit managers can also contribute and support the decision-making centers for third party risk when they are not entwined. The wealth of experience and exposure to financial records can be leveraged to enable and educate those reviewing third party reports, and provide guidance on potential risks and pitfalls.