TPRM: Third Party Risk Management is Big. Really Big. In fact, as evidenced by recent investments over the past year (Spectrum’s 200M investment in RapidRatings in 2022, Vista Partners acquisition of Resilinc, and now the 1.2B acquisition of Exiger by Carlyle and Insight), it’s HUGE. Actually HUGE! (Not Trump huge. In fact, the exact opposite. 😉 )
Why? The pandemic finally caused the space to wake up and realize not only how significant long-term disruptions are, but how much risk has been embedded in over-extended global supply chains over the last thirty-plus years (thanks to the global sourcing craze started by McKinsey and their ilk in the 90s as a method of “cost savings”, which really just resulted in “spend transference” to big consultancy pockets and the buildup of risk, and risk related debts, in the supply chain that, just like technical debt, always comes due someday). Big corporations have finally realized they need to manage that risk, or at least maintain constant visibility into it, if they want to get the supply they need to just stay in business. (At the end of the day, “cost savings” don’t matter if you don’t actually stay in business, which is what happens when you don’t receive any products to sell. So you need to assure supply first, and then avoid unnecessary cost second — especially since there is no real “savings”, just cost avoidance with improved processes, designs, networks, management, etc.)
As a result, these companies, who were mostly clueless about the risks (sometimes by choice), needed solutions now to at least get insight into the risks so they could plan mitigations, or at least take action when something happened. Since their traditional enterprise / manufacturing resource management, supply chain, source-to-pay, or back-office systems didn’t give them the insight they needed, they finally started to turn to TPRM (and in some case, broader SCRM – Supply Chain Risk Management) systems in a big way.
And that’s great. Until it isn’t. As a result of all of the supply chain failures and the impending disasters they created across supply chains, not just health and defense, governments have started taking action and introducing a lot more regulatory compliance into the mix. This is at the same time they are waking up to the wild west of technology and introducing a lot more regulation into the mix around personal data and use of AI. And with fraud and money laundering seemingly increasing without end, there’s a lot more regulation around partner due diligence. And then there is the reality that the world is heating up (whether you believe in climate change or not), that this heating up is contributing to an extremely substantial increase in natural disasters, that temperature is correlated with carbon and greenhouse gasses (GHG) in the atmosphere, that we are currently producing a lot of carbon and GHG as a species, and while we may not have been entirely responsible for getting here (as there are other factors that cause temperature to naturally rise and fall on a planetary scale — although the changes we’ve seen in the last few decades have historically taken centuries or millennia looking at the geological record), we need to do everything we can to not make it worse (or risk natural disasters on a scale that have not been seen for millennia, and that have sometimes even led to extinction level events in the past). In response to this, countries are making commitments to the Conference of the Parties of the UNFCCC and instituting legislation limiting the carbon you can create (without fines or fees to offset that, presumably fines or fees that will be invested in greener energy options, but we have to admit many governments haven’t thought that far ahead) and the amount of other pollutants you can pump out.
In other words, not only do companies have to worry about more risks than they are aware of, they also have to deal with more regulations than they can easily keep track of (and, when they’re not on the ball, they don’t find out about them until they get a fine) — as well as dedicate way more time than they should gathering the required information for, and filling out, the appropriate reports and filings.
Moreover, and this shouldn’t surprise you, the vast majority of TPRM (and even SCRM-TPRM) systems don’t help with this at all. While they can be configured to detect issues that may represent potential violations, they generally don’t collect the reporting data that is required and typically don’t provide the detailed trickle-down visibility that is needed to verify that key requirements — such as personal data protection, no forced labour, etc. — are truly adhered to throughout the chain.
That’s why many big multi-national organizations, especially those that collect and process personal data, do a lot of global importing or exporting, or deal with extended supply chains and have to comply with extensive privacy regulations AND data protection laws in the finance sector, have to comply with hundreds of sanctions and denied party lists globally (as well as ensure there are no connected beneficial entities on those lists), and/or need visibility down to the source on human rights needs a solution that understands the regulations they are subject to, encodes the data they need to collect and the violations (special types of risk) they need to monitor for, and helps them produce the reports and regulatory filings they need to make.
And the only system that can do this is a Third Party Compliance Management solution, which has some commonality with a Third Party Risk Management solution, but also a lot of differentiation as well. Most organizations won’t know they need such a solution, as they won’t even know that such a solution exists (as there’s not many solutions and not much buzz about them … yet). Hopefully this post will change all that. Even though the solutions are two sides of the same coin, the sides haven’t met yet, and until they do, which could be years (and years and years) away (because no one has really thought about the hard center yet), for many companies, what they really need is a TPCM solution.