The similarities between corporate risk management and pilots might surprise you.
Pilots are risk managers. We have to be. In fact, risk management is one of the topics that the FAA requires instructors to teach student pilots during their training. And our risk processes tend to be pretty effective, which is why flying is very safe. It’s been interesting for me to look at different areas of corporate risk management from a pilot’s perspective over the years.
When student pilots are being taught how to perform new maneuvers in an airplane, the first thing we instructors teach is how to perform something called a “clearing turn.” This is a specific way of turning the airplane, first to the left and then to the right, coupled with a systematic method of observation, so that the pilot can see what’s out there in all directions: to the left, the right, above, below, the rear and the front. We teach this because threats to an airplane (risks) come from all directions. The airplane that could collide with you might be descending from above and behind you. Without taking special precautions, you’d never see it coming. The risk that you don’t see is often the biggest risk of all.
Similarly, it’s important for companies to “look all around” at the third parties that affect them. When companies first start to see the increasingly evident need for developing a third-party risk management (TPRM) program, their immediate thought goes to what is “downstream,” but corporate risk management needs to think bigger than that.
The threats from vendors are first and foremost in most people’s minds. Without a doubt, there are enormous risks there. But a well-designed corporate risk management program can do much more for your company than manage the risks from vendors. It can also assist you in managing issues “upstream,” and in many directions, you might not have considered. Risk is inextricably linked with opportunity, and some of the tools and processes that you put in place to manage the former can help you find and exploit the latter.
For example, ask your information security director or internal audit director about how many requests concerning information security controls they receive from businesses that are “upstream” from you—those to whom you are the vendor. One company I worked with told me when I first asked this question that they received “a few” per year. Then, it became “a dozen or so,” and later that was revised to “a couple dozen.”
It was, at first, hard for them to know just how many requests they received, because some requests came in through information security, while some came in through the business units. A couple came into internal audit. Marketing got some, too. But the most frightening thing was that some of these were answered by different people. Folks in marketing answered questions from companies considering using this company as a vendor. Folks in marketing attested to these companies about information security controls. Mention that to your Chief Counsel, and see what he thinks.
While information security needed to be involved in this process, they probably didn’t have the resources to do so. Some of these questionnaires were 10 questions long and could be filled out in an hour. Some were 20 pages long, requesting all sorts of documentation, and would take 40 or more staff hours to complete. But as much as you need to know about the risks posed by your vendors, your clients need to understand yours. These requests are a legitimate and necessary part of their own corporate risk management and due diligence. This is an important part of information security, but how does one manage it?
A well-designed corporate risk management program can help with this problem; a problem that is only going to get worse as more and more of your clients and prospects start to care about business information security, risk management, and compliance.
When designing a corporate risk management program, consider some of the less obvious benefits that TPRM can produce for your company:
- It can streamline the responses to client and customer requests for risk management and security information. It can oversee the completion of an authorized (and authoritative) “packet” of applicable information that can be quickly be delivered upon request. This can help reduce a significant burden upon your information security, legal, and compliance functions. Your TPRM department knows what TPRM professionals are looking for. Who better to respond to these requests? I can tell you from first-hand experience that this matters. I am often asked to review potential suppliers for our clients. The more your company can assure me about your security, the more favorable my report to my client usually is.
- It can assist in positioning your company as one that cares about information security, risk management, and governance. When other companies are considering yours as a supplier, it can make an enormous difference when you can say, early in the evaluation process: “Yes, we care deeply about governance, risk, compliance, and security. Here is proof that we put our money where our mouth is.” Not only does this ability speak to your security, it also communicates your maturity as an organization in general.
- It can dramatically enhance your ability to use competitor intelligence. This may sound odd, but a critical part of TPRM is supplier monitoring: monitoring the news and other public and private information sources for emerging threats, issues, and risks. Once the system is in place to identify and track this information, it’s very easy to add in non-vendor third parties like your biggest competitors. How valuable would it be to your company to know that your biggest competitor just got hit with an enormous fine for non-compliance with some regulation?
- Similarly, it can assist marketing by using these intelligence and monitoring tools to scan for new opportunities. How valuable would it be to your marketing department to know (on the day it becomes public) that one of your existing clients just acquired a new company, one that might be in immediate need of services that you can provide?
- It can assist your compliance department in communicating to regulators that you (and third parties acting as your agents) are in compliance with all applicable laws and regulations, as well as demonstrating to them your own emphasis on risk management and maintaining a strong control environment.
- It can bolster your Enterprise Risk Management (ERM) function. In many ways, today’s cloud-reliant and technology-driven enterprise can best be viewed as your company “plus”: “plus” your customers, “plus” your suppliers and “plus” their fourth-parties. If you are trying to manage the risks throughout your enterprise, how can you effectively do this without understanding and contextualizing the risks presented by these third parties? Importantly, this isn’t just about large businesses. Small business, more than large ones, are subject to “existential risk.” Poorly managed enterprise risks (of which IT risks and third-party risks are a subset) can put you out of business quickly and entirely.
All of these things are value-adds that can be leveraged by utilizing the expertise and toolset that a well-designed TPRM program will put in place. You may be doing some of these things already, but what if you’re not?
Think of it this way: You look ahead and see your vendors. Many companies stop there; they fixate on one source of risk. But getting the most out of your TPRM program means looking behind you and seeing your clients… then looking to your left and seeing your regulators. To your right, you see your customers.
Each direction you look in has its own risks. But it also has its own opportunities. Having a function dedicated to helping manage those risks can make it much easier to not only accomplish that but also to capitalize on those opportunities as well.
Third-parties include far more than just vendors, and the better you can perform your corporate “clearing turns,” the more responsive and effective your company can be to the associated risks and opportunities. To find out more about establishing best-practice corporate risk management processes with a TPRM program, contact Pivot Point.