As third-party vendors’ use increases, monitoring their risk has become more critical and complex. At the same time, the number of third-party risk management (TPRM) solutions on the market has proliferated, making it hard to keep track.
Mirato simplifies the process of understanding the many TPRM producers with its TPRM Industry Landscape Map. The map places technology vendors into their most relevant categories: data sources, governance, risk and compliance, evidence aggregation, and service provision.
TPRM becomes more challenging in highly regulated industries
TPRM becomes incredibly complex in highly regulated industries, Mirato’s director of financial services for TPRM, Brian Shaw, said. Those requirements increase every year. Boards have increased their focus on managing third-party risk.
Shaw said it is similar to companies’ reference checks on prospective employees. The more responsibilities that an employee has, the deeper you dig.
Now multiply that onus hundreds of times when managing third-party risk, Shaw said. Banks may rely on third parties for 80% of their IT and customer-facing functions. Add up all agents, brokers, managers, and dealers; a big bank could have 70,000 third parties. One large bank has to assess its third parties against 47 different authorities.
“It can be a six-month process to bring a third party on because of all the IT, financial viability, reputation checks, and all these things,” Shaw said.
Amid the automation, manual work and risk remain
While these processes have become more automated, plenty of manual work remains. Financial services companies can spend millions of dollars hiring people to do this work. And when humans are involved, there are inconsistencies, fluctuating objectivity, and a lack of process integrity.
Mirato uses natural language processing and artificial intelligence to read TPRM documentation and shorten processing times from months to weeks and from weeks to days. That allows institutions to more rapidly onboard revenue-generating partners, improve process integrity, and produce a reliable audit trail.
TPRM was in dire need of improvement, Mirato CMO Daniel Ravner added. Even though the risk is complicated and ever-evolving, how it is addressed hasn’t changed.
Mirato’s solution is to add a layer or engine to existing TPRM tools.
“What Salesforce is to customer management, what Google did for marketing, we want to do for TPRM,” Ravner said.
Factors to consider when developing a TPRM strategy
Because financial institutions have more responsibilities to regulators, many workplace automation tools that provide scores are insufficient.
“Banks have to look at the score of the third party,” Shaw explained. “Are they financially viable or on a bad actors’ list? Are there any terrorists among their executives and board?”
That is only the first step, he cautioned. What level of service is the third party providing? The answer dictates how deep the assessment runs. Banks also have to prove their process to regulators.
Good or bad, companies will have some third-party process, Shaw said. What Mirato does is enhance those existing processes and reduce manual contributions.
He added that many institutions do not have the resources to monitor third-party risk adequately. That forces choices like managing the obvious high risks and leaving second and third-tier risks unaddressed. Some companies ask their third parties to self-report.
Ravner said existing TPRM maps are either too complicated to be useful or are behind paywalls. To simplify the graphic, companies were placed in the cluster they are most known for
“We’re looking at the documents and the data that define the evidence that supports if you can bring the third party on and if you want to still do business with them before comparing that against your ruleset,” he explained. “Nobody’s doing that.
“The point of the map is to give a visual, immediate sense of who the different players are (in TPRM) and what they do within the space.”
Mirato recently published five TPRM trends to watch for in 2022. Read our story here.