TPRM needed in our complex context | by Fiona Gordon

Monday 10 June 2019 saw a lively and interactive group of delegates gather in Sandton for Bespoke’s inaugural Third Party Risk Management (TPRM) Summit, looking to unpack the concept as well as its relationship to a contemporary South Africa and the fourth industrial revolution (4IR).

Discussions opened with a presentation by best-selling author and internationally acclaimed speaker Billy Selekane (executive chairman of Intelligent Edge). He set the tone for the Summit by highlighting the lack of connection and trust between the public sector (where slow 4IR adaptation and integration persists) and the private sector (where fast 4IR adaptation and integration is crucial), and how this aligns with the differences between “third world” and “first world” operations.

He also discussed the human skills required to manage risk: communication, critical thinking, creativity, and collaboration; particularly in the context of South Africa as an emerging economy, and one actively engaged in the 4IR. His inputs focused on the importance of managing risk in terms of both brand and culture, primarily through re-skilling, safety protocols regarding bring your own device (BYOD), leaders as coaches, data matrices, convergence, and social media monitoring.

Next Andries Louw, chief director of transversal audit and risk management at the Eastern Cape Provincial Treasury, delved into the challenges of TPRM in a changing regulatory environment. He said that we are not in business to fight about contracts, but rather to serve clients, warning that often contracts don't guarantee the outcome needed to stay in business. Louw highlighted that the right payment environment can incentivise high performance - with a pertinent reminder that “a penalty clause must hurt, not kill”. He therefore focused his inputs around facilitating ‘clever contracting’ for delivery rather than for litigation, explaining that “self-policing contracts formalise collaboration between the buyer and supplier, by agreeing to share risks, rewards and administrative effort”, cautioning that prevention is better than cure.

Amanda Mafuya is the supplier relationship management lead at a joint venture between Fluor & Eskom, called Trans Africa Projects. She spoke on managing and mitigating exposure to risk through continuous assessment and evaluation. She highlighted that the areas of vulnerability include the definition of business need, tendering, contracting and supplier relationship management. She also pointed out that areas of vulnerability in supplier organisations need to be considered, and can include: finance, capacity, capability, and business. Mafuya reiterated the importance of engaging across all levels of the supply chain, through processes such as effective business induction, compliance monitoring and cross-functional sourcing teams. Lastly, she noted that effective data collection tools are absent in many organisations, and the absence of this information can be detrimental from a risk perspective.

Given that so much of risk management relies on effective collection, processing and utilisation of data, Fabrizio Clorofilla of OneTrust looked at information security in the context of a 4IR world, and what is required for effective TPRM. He shared the sobering statistic that 63% of all data breaches can be linked to third parties. Clorofilla described how many enterprises create an “Excel hell” in their attempts to address their data challenges, and that this can make it difficult to build audit trails, get notifications, involve more people/teams, etc. He suggested companies invest in solutions for managing third party security and privacy that integrate into their existing systems, to avoid redundancy; concluding with the key reminder that offboarding a vendor is as important as onboarding a vendor.

Nombulelo Kambule, senior manager at Deloitte SA, built on these ideas, sharing research indicating that 41% of organisations do not actively monitor third parties based on their risk profile, and 49% of organisations lack integrated processes, technology and real-time management of information for TPRM – and therefore the importance of building a strong TPR assurance programme. Kambule noted that different models are emerging for ongoing monitoring, including the use of ‘utility models’. She recommended a principles-based approach, requiring consistency, proportionality, oversight, resilience, criticality, accountability, engagement with the full third party lifecycle and holistic risk assessment.

Head of sourcing risk and governance at Absa South Africa, Tshiamo Makoloane, highlighted some 2019 trends which have a high impact on third parties, including geo-politics, regulations, communications, suppliers (eg information, cyber etc), targets and revenue, and artificial intelligence. He argued that the risk management context is complex, particularly with its professionals acting as the 'change agents' between the third and fourth industrial revolutions, and the need to manage mitigation of risk in this unknown space. To this end, Makoloane offered insights on conceptualising and implementing a TPRM programme. Highlights included discussions of four risk domains but he emphasised all require understanding the context, identifying situations, conducting analysis, including the human element and making a judgement call, evaluating and treating risk. New approaches to treating risk include accepting it, avoiding it, transferring it, reducing it, and sharing it.

For the final item on the programme, TPRM guru Linda Tuck Chapman joined the conversation via video conference from Canada, to deliver the session's keynote address on driving enterprise value through TPRM. She quoted Warren Buffett, saying that “Risk comes from not knowing what you're doing”. Her talk highlighted that the difference between general business risk management and TPRM is about the levels of control: at its basis, the latter is about establishing which of the organisations you're dealing with are the most important to your business, and why; and how best to manage these relationships.

The Kraljic Matrix Segmentation assessment tool was referenced across the day, and can be used to assess financial vs complexity risk; but while measurement of quantitative AND qualitative performance management is important, and contractual compliance audits can be valuable, a number of human-centered insights were offered for engaging with the complex multi-disciplinary environment that is contract management.

It was clear throughout the discussions that this aspect of third party relationships cannot be managed with a one-size-fits-all approach, as participants explored in further detail working through case studies during day 2 of the Workshop of the Summit 2019.

Fiona Gordon is a creative entrepreneur and a feature writer for Bespoke's Bulletin -


Posted on July 18, 2019