Would you rely on data or a process that is only about 30% accurate?
Much like the hit-or-miss nature of Groundhog Day predictions, the business world has its own rituals that don’t always accurately reflect the risks we face.
Traditional third-party risk management practices, such as the use of questionnaires, are an example of this conflict. They have become a customary part of the risk assessment process, yet their effectiveness in accurately predicting and mitigating risks is called into question by teams and suppliers alike. Similarly, risk intelligence can provide highly detailed and more recent information, but the data can be difficult to prioritize and make actionable.
These themes were evident this week at the Marcus Evans Third Party Risk Management and Oversight for Financial Institutions conference in New York City, where executives for some of the largest and most sophisticated financial services in the world converged to discuss insights, strategies, and toolsets for evolving a capability at the epicenter of an increasingly interconnected global operating ecosystem.
“With all the work that has gone on, do you believe risk has really been reduced?
It is more of a factor of not increasing the risk than decreasing the risk.
In spreading services across the world, we continue to concentrate risk in huge suppliers. These are market utilities.
In the financial industry space, we like to reduce the volume of humans and put in systems, for example, to increase the speed of transactions…and with that, I am increasing the risk.
In this race we are not winning yet.”
– Operational Resilience Executive, Financial Services
By adopting methods that offer dynamic, tailored insights such as Microsimulations and Learning Loops, teams can move beyond the shadow of the paper trail to practicing and demonstrating collective resilience. This evolution from ritual to responsive strategy marks a significant shift in navigating the intricacies of modern business relationships, ensuring that risk management practices are grounded in reality rather than tradition.
Third-Party Risk in an Era of Continuous Disruption
“Take the ION outage.
If it impacted you, did you learn from it?
It doesn’t tend to happen. And it’s not because the business doesn’t care, it’s because they don’t have time.
Most people will see things that take time as a tax unless they understand the value to them.
Our tools tell a story to our regulators. Our tools are not easy to use.
To help stakeholders get a sense of the value we are providing, we need to bring the data to life for them.”
-Insurance Third Party Risk Management Executive
In a time of global connectivity and continuous disruption, traditional approaches are falling short. As a result, Financial Services, Insurance, and increasingly, Technology and other sectors that provide critical infrastructure for key services are facing a sea of new scrutiny and oversight on the management of critical third and fourth parties.
Regulations and standards such as the EU’s Digital Operational Resilience Act (DORA), US Interagency Guidance on Third-Party Risk Management, the recently-proposed CFTC Operational Resilience rule, continually evolving global Operational Resilience regulatory requirements, and DFS Part 500 cybersecurity regulations are exemplary of the complex and comprehensive requirements that businesses must address to ensure compliance and protect their operations.
Challenges of Using Questionnaires for Third-Party Risk Management
“100 spitballs does not equal a cannonball.” – Third Party Risk Executive, Financial Services
1. Superficial Insight: Questionnaires often fail to delve into the complexities of a third party’s operations, offering only surface-level insights. This limitation makes it difficult for businesses to fully understand the risks associated with their third-party relationships.
2. Static Nature: The static nature of questionnaires means they are often outdated the moment they are completed. In today’s fast-paced business environment, where risks can emerge and evolve rapidly, relying on information that quickly becomes stale is a significant vulnerability.
3. One-Size-Fits-All Approach: Questionnaires typically adopt a one-size-fits-all approach, which can be problematic. Different third parties may pose unique risks based on their specific services, operational contexts, or the nature of their relationship with the business. A generic questionnaire may miss these nuances, leading to inadequate risk assessments.
4. Low Response Rates and Incomplete Answers: Achieving high response rates and ensuring the completeness and accuracy of the answers can be challenging. Third parties might view questionnaires as burdensome, leading to delays, incomplete answers, or, in some cases, non-compliance.
5. Limited Engagement: Questionnaires do little to foster a sense of collaboration and engagement between the business and their third parties. This missed opportunity for deeper engagement can hinder the development of effective, trust-based risk management strategies.
Microsimulations and Learning Loops: From Rituals to Results
In response to these challenges, many forward-thinking teams are implementing Microsimulations, paired with Learning Loops, as a complement to traditional questionnaire- or third party intelligence-based approaches.
Microsimulations and interactive tabletops are immersive, scenario-based simulations that model the complexities of real-world operations and decision-making processes with third and fourth parties. By simulating a range of possible scenarios, businesses can gain deeper insights into potential risks and vulnerabilities. Microsimulations and interactive tabletops can be tailored to the specific context of each third party, overcoming the limitations of the one-size-fits-all approach inherent in questionnaires.
Learning Loops use an iterative approach to learning and improvement, where insights gained from Microsimulations and interactive tabletops are continuously fed back into the business and its third-party risk management strategies. Learning Loops facilitate an ongoing process of adaptation and enhancement, ensuring that risk management strategies remain relevant and effective in the face of changing circumstances.
Redefining Ready: Benefits of Microsimulations and Learning Loops for Third-Party Risk
“It’s about right-sizing risk management to the third party itself, the needs of the function the third party is providing, and your business.” – Third Party Risk Executive, Financial Services
1. Enhanced Risk Insights: Microsimulations provide a more nuanced understanding of potential risks, offering a dynamic and detailed view that traditional questionnaires cannot match.
2. Dynamic Adaptation: The continuous nature of Learning Loops allows businesses to adapt their risk management strategies in real time, staying ahead of emerging threats and evolving business landscapes.
3. Tailored Approaches: By customizing simulations for each third party, businesses can ensure that their risk management efforts are directly relevant to the specific challenges and risks posed by each relationship.
4. Increased Engagement: This approach fosters a more collaborative and engaging relationship with third parties. By actively involving them in simulations and the subsequent learning processes, businesses can build stronger, trust-based relationships.
5. Strategic Improvement: The insights gained through Microsimulations and Learning Loops can inform strategic decisions, not only improving risk management practices but also enhancing overall business operations and third-party relationships.
Putting it All into Practice: Using Microsimulations and Learning Loops with Third Parties
“Stay ready so you won’t have to get ready.” – Third Party Risk Executive, Insurance
Integrating Microsimulations and Learning Loops into your interactions with third parties can significantly enhance your risk management and collaborative efforts.
Here are 5 practical ways to integrate these tools into your existing processes:
- Supplier Assessment: Incorporate Microsimulations as part of your supplier assessment process to simulate potential risks and scenarios related to your third-party relationships. This allows you to assess and address risks collaboratively while fostering a deeper understanding of your third parties’ operations.
- Onboarding: Implement Microsimulations as part of the onboarding process for new third parties. These simulations can serve as educational tools, helping third parties understand your specific risk management requirements and compliance standards.
- Quarterly Business Reviews (QBRs): During QBRs, use Microsimulations to explore various risk scenarios and contingency plans with third parties. This collaborative approach ensures that both parties are well-prepared for potential disruptions and can make informed decisions.
- Supplier Visits: Utilize Microsimulations to test and validate the information provided by third parties during supplier visits or audits. It serves as a real-time assessment tool to ensure that their practices align with your risk management and compliance standards.
- Continuous Monitoring: Integrate Microsimulations and Learning Loops into your data collection and continuous monitoring processes. This ongoing learning and assessment ensure that risk management strategies evolve in real-time, keeping pace with changing circumstances, and enabling proactive risk mitigation.
By incorporating Microsimulations and Learning Loops into these critical stages of your relationship with third parties, you empower both your organization and your partners to navigate the complexities of modern business relationships with agility, transparency, and confidence.
Springing Forward with Third-Party Risk
As businesses continue to navigate the complexities of third-party risk management, the limitations of traditional questionnaire-based approaches are becoming increasingly apparent. Microsimulations, paired with Learning Loops, offer a promising alternative that can provide deeper insights, foster greater engagement, and enable dynamic adaptation to the rapidly changing business environment. By embracing these innovative tools, businesses can enhance their risk management strategies and build more effective, efficient, and collaborative relationships with their third and fourth parties. This shift not only addresses the immediate challenges of risk management but also contributes to a stronger, more resilient business model for the future.
Author:
Paula Fontana
VP, Global Marketing
iluminr
