This month, I’m going to depart a bit from the independent discussions of IT risk and cybersecurity to explore some of the specific ways this blog’s host, DoubleCheck Software, provides tools, resources, and value to companies working to manage their supply chain and partner risk—TPRM (Third Party Risk Management).
DoubleCheck GRC is a platform for managing risk, and its product offerings include a module specific to managing third party risk. DoubleCheck also offers a turnkey third-party risk management solution, DoubleCheck TPRM, which provides an easy to use, cost effective means to understand and manage third-party risk. This risk management tool incorporates integration points into D&B® Direct[1] Live Business, offering seamless access to identifying information linked to financial performance on over 370 million business entities globally. DoubleCheck’s TPRM supports a high-level risk assessment process that walks users through identifying and gathering relevant evidence based on criticality and risk factors, including key D&B® data. Users may license D&B content through D&B® Direct. The program’s process management features direct information to subject matter experts (SMEs) for review. Reporting tools produce clear and demonstrative real-time dashboards and scorecards, making assessment findings and current states straightforward to understand and communicate, leading to informed, necessary actions.
I’ve often discussed and recommended a business question approach to reporting, and to information graphics in particular. Reports should answer business questions that are important to management and the successful operation of its business. In like manner, the titles of graphical displays could be the answers to those questions, phrased as declarative statements. This sounds straightforward but presumes a few fundamentals. First, that management understands what questions to ask to inform the business decisions it must make. Second, that the business is able to gather the reliable, accurate data needed to answer those questions in a timely manner. Sometimes, management delivers the all-consuming generality that it needs to “know everything”. I disagree. If you need to know everything, then you don’t know the answer to my first presumption, so you ask for it all in the belief that you’ll capture what’s needed, eventually. It’s neither a cost effective nor an efficient approach. A better test is this: “As a result of knowing x, I’m able to take this action y.” If the x and y cannot be clearly stated, what value would be added by knowing x? But if you do know, the next question needs to be, “What data is needed to know x?” Now you’re getting to something practical and actionable. This is useful. For TPRM, it’s important to know that more data is not necessarily merrier, but the right data is invaluable to your risk management program and its contribution to your business. This is value-based information reporting!
Specifically regarding TPRM, think about the key business questions to answer about a prospective supplier or partner. Are they financially sound? Have they had performance issues in the past? How do they compare to their peers? Can they support our current security and operating requirements? What specific risks will our use of their services create? Can they mitigate them effectively? Will they need to store your data locally in their environment? Will they access your network? Will they use their equipment or yours? Do they offer any special opportunities or advantages aside from price, delivery, and quality? Are they consistent and reliable? You likely have many more. Each business is unique. Further, to manage third party risk at the program level, these questions can be modified to rank your third party portfolio of suppliers, so you can readily identify potentially troubled relationships and address them before they become critical issues. There are also questions about the state of your risk management process, and how well it serves to monitor governance of third party risk. Let’s take a look at some DoubleCheck TPRM displays and see what answers are readily available.
Let’s examine Figure 1, the Risk Profile. The numbers on these heat maps are drillable (i.e. click to get more detailed data); clicking one displays a table of the third parties that fall into that bucket.
Figure 1: Risk Profile; DoubleCheck TPRM
At a glance there’s some very useful information about which suppliers, and how many of them, represent a critical risk; how many are related to exchanged, stored, or shared client data; and the relative state of your reviews regarding these critical matters. It’s useful to note that the Third Party Criticality vs Supplier Risk heatmap in the upper left, and the Highest Risk Third Parties below it, use D&B’s Supplier Risk value, or SER. The Supplier Evaluation Risk (SER) Rating is Dun & Bradstreet’s proprietary scoring system used to assess the probability that a business will seek relief from creditors or cease operations within the next 12 months. SER ratings range from 1 to 9, with 9 indicating the highest risk of failure. The SER Rating predicts the likelihood that a supplier may cease business operations or become inactive over the next 12 month period based on the depth of predictive data attributes available on the business. While it’s calculated as a number ranging from 1-9, it’s represented as Minor-Low-Medium-High-Extreme here for easier reference on these charts. The close integration of DoubleCheck’s TPRM with D&B services enables and automates this important graphic. These integrated displays support drill down: clicking on a section reveals detailed information to help answer specifics about the individual vendors so rated. It helps pinpoint where your critical risk resides, and which vendors participate. The other implicit information offered is context. Are the critical vendors 3 of 20, 3 of 4, or 3 of 200? The implications may be categorically useful to policy, procurement processes and contract management.
The Criticality rating represented in Figures 2 and 3 is generated through TPRM. It represents both potential loss and time-to-replace data for that vendor to our customer. The combined values, represented together here, offer a unique multi-vector representation of potential risk arising through the service of a particular third party.
Figure 2: Criticality Distribution By Company
Figure 3: Criticality Counts By Supplier Risk Rating
D&B notes further that their company data records include Diversity Indicator data, which may be valuable to some companies, particularly if they do business with state or Federal government. This allows the creation of reports that array your company’s supplier and partner portfolio along such lines as:
- Minority Owned
- Female Owned
- Historically Underutilized
- Veteran Business
One of the most often sought and infrequently delivered features of DoubleCheck’s TPRM is the individual Vendor Scorecard, shown in Figure 4; think of it as a single panel display summarizing all the key information about an individual third party. This detail can be exceptionally useful for procurement, legal, and operations, in addition to risk managers.
Figure 4: Vendor Summary Scorecard
This single vendor summary shows the current risk profile of the third party, review cycles, contact information, and recommended and remedial actions, all in one place. In the future, it may include Diversity Indicators too. The fields provide links to underlying detail and afford a business-centric reference point from which you can explore the current and forthcoming posture of a vendor critical to your business. There are two pieces of useful information based on that Supplier Risk value from D&B. The area plot (Failure Risk Population) displays your entire third party (TP) population, showing counts of TPs in each risk category. The large triangle below the array shows where this particular vendor falls on that same scale. This simple graphic tells you the Supplier risk for this vendor, in the context of where that value falls relative to all your other vendors. Many business questions about a third party can be resolved from the information accessed through this “single entity portal” into the information gathered and assessed, and the state of the resulting recommendations to date.
Beyond these included standardized displays is access to ad hoc reporting through an embedded reporting engine. The normal data gathering associated with third party risk assessment builds a substantial data pile, and the inclusion of financial and other data from D&B® Direct further enriches this cache. Ad hoc reporting tools let you easily create custom analyses to summarize remediations by risk category and third party, build risk assessment calendars that can be shared with prospective SMEs (subject matter experts) so that resource scheduling does not disrupt the risk process, and much more.
The DoubleCheck TPRM solution provides a feature rich tool for identifying, assessing, and managing third party risk. It provides the means to answer the key business questions necessary to integrate its features and data with other risk practices across the enterprise. Policy dictates within your processes can easily be modeled using workflow tools. Through easily understood operating panels it offers a straightforward and easy-to-learn process configurable to your own practices. Ease of use is a critical requirement for TPRM solutions, one that can sometimes make a difference in participation by small firms or ones with minimal technological resources to spare for such administrative processes. Outward facing resources toward the third party supplier are as important as those offering efficiencies and operating ease within your organization. Further, this module integrates seamlessly with other platform modules of the DoubleCheck GRC suite so that data is shared rather than replicated. Together with its D&B® Direct embedded services, it can provide a single authoritative source for risk information, unencumbered by the burdensome need to oversee complex and expensive data currency and duplication practices. If you are looking for automation tools to assist your TPRM processes, this is a worthy contemporary offering to consider for your company.
[1] This integration includes all current versions of D&B® Direct, including D&B® Direct 2.0, and the forthcoming D&B® Direct+.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in the financial, technology, and retail industries, he has led efforts to achieve ISO 2700x certification and HIPAA compliance, and has held the CRISC, CISM, and CISA credentials.