It is scary how security breaches have become a normal part of our lives. Recently my mortgage provider disclosed a breach that was caused by a third party. As I was applying for the complimentary credit monitoring services offered by the mortgage company, I couldn’t help but think: “what is the best way to make the business world more risk-aware?”
Current corporate risk education consists of risk-related training sessions, often delivered as an annual pre-recorded session. But is this sufficient? Would putting all new hires through an hour-long training on third-party risks and their implications provide a more robust education? Or, better yet, yearly training and attestation for every employee in the organization? Is there a silver bullet?
In my experience as a risk management professional for companies ranging from investment management firms to healthcare providers, a large portion of my responsibilities has been to educate my business partners on what third-party risk management is and why it is important. While I have become good at explaining the “what’s” and “why’s”, delivering this message across an organization can take a long time once you account for the logistics and resources the training requires.
The conclusion I was drawn to, and a solution that quite frankly would work universally and across industries, is better alignment between category management strategy (think of your Procurement and/or Sourcing team) and risk management strategy (think of your Vendor Risk or Third-Party Risk Management team).
Here’s a simple approach to starting this alignment and giving your organization a jump start on improving risk awareness across teams. As a risk manager, I would start with the following:
If you haven’t already, build strong relationships with your Sourcing/Procurement team.
Train the Sourcing/Procurement managers (category managers) in your organization on risk management. More importantly, tailor the training to each category, for example software spend (higher-risk engagements) vs. marketing spend (lower-risk engagements).
Ensure Sourcing/Procurement managers have the resources and knowledge to explain to their own business partners what risk management is and why it is important.
Establish regular touch-points to review the strategic plan for each category and the pipeline of incoming requests for new third parties.
Monitor and report back to the Sourcing/Procurement team with basic statistics, such as the new third parties introduced within their category and the risks associated with them.
While there appears to be no silver bullet for overhauling organizational risk culture, I feel that starting small with a targeted audience may be the most effective and efficient way to approach organizational risk awareness. In short, make your category managers your best friends!
If you have any ideas, thoughts, or questions about this topic, I will be happy to hear you out; please contact me at filipets888@gmail.com.