by Nikolay Filipets
Recently I came across a conversation about the longevity of TPRM risk assessment results. In other words, when do supplier risk assessment results expire? After a few minutes of discussion with my colleague, we concluded that the risk assessment results expire not long after the assessment has been completed. This is pretty accurate; to be precise, TPRM risk assessment results expire the second an assessment is finalized.
As risk managers we live in a reality where inherent and residual risk ratings drive most of our decisions. Both, as we all know, are point-in-time assessments that look at a very limited scope of products and/or services provided by a specific supplier. Now don’t take this the wrong way, I do believe it is important to estimate/identify and track both, but at the end of the day we are simply “checking the boxes” on a checklist, looking at “x” number of controls and risks as determined by corporate standards and policies.
Having a methodology in a field as abstract as Risk Management (at least abstract for everyone who is not a risk manager) is uber important. However, in setting these frameworks, we are creating boundaries for risk management programs, and with them a limited, “check in the box” view of the risks organizations can be exposed to.
How do we address this situation? My immediate thought is maturing the concept of real risk. What if risk managers introduced and standardized this new measure of risk and included it in their already established methodologies? In my opinion, under real risk we would measure and evaluate all negative events and risks within the supplier environment and continually track them, outside of point-in-time assessments (sounds similar to things we do during the business management phase, right?). Events such as day-to-day operational issues, outages, political instability, exposure to pandemics, etc. – the real risk would encompass everything in between the point-in-time assessments outlined in TPRM policy.
Thinking about your Third Party Risk Management Methodology, I urge risk managers to think outside the standard “check in the box” risk management activities. It is extremely important to fulfill TPRM policy requirements, but it is also crucial to see and assess what is happening in the now, in other words to track and evaluate the real risk.
If you have any ideas or thoughts about this topic, I will be happy to hear you out. Contact me at filipets888@gmail.com