The effective identification, assessment and management of third-party risks are necessary for a healthy business operation and are a regulatory requirement for many industries. Still, the lack of skilled employees is a severe issue for many third-party risk management (TPRM) programs. As new regulations develop, there’s an emphasis on ensuring that organizations have sufficient staffing to manage their third-party risks effectively. Sufficiency isn’t just about the number of employees; it’s also about the level of those employees’ TPRM skills and expertise.
Issues with Understaffing
Understaffing creates a number of issues. Here are two big ones to be aware of:
- Underperformance: An understaffed TPRM program is likely to underperform against many of its objectives. The truth is that on any given day, there’s a lot to be done, reviewed, managed, escalated or documented by a third-party risk manager. Time is not an infinite resource, and priorities must shift, which inevitably means some part of the process isn’t getting the appropriate attention. The work piles up and less urgent tasks get pushed to the bottom of the list. Delayed tasks eventually become past due, and the program isn’t working well or even working at all.
- Example: Suppose a critical vendor has declining performance that the first-line vendor owner hasn't managed. Furthermore, the TPRM manager still hasn't had time to review the vendor performance report because he or she is working with several stakeholders to ensure the onboarding of a critical vendor that has multiple fourth parties that are also considered critical. With time and attention needed in many other areas, a vendor with poor performance may slip under the radar and cause significant issues down the road.
- Delayed risk reviews: Due to insufficient subject matter expert (SME) bandwidth, annual risk reviews may be delayed to make room for new vendor due diligence. The longer annual risk reviews are delayed, the higher the risk that new and emerging risks go undetected until there is a severe issue such as an information security breach, insufficient or expired vendor insurance coverage, an untested business continuity plan or a regulatory violation.
- Example: Consider the situation where a risk review for a critical vendor is delayed because the TPRM staff is overwhelmed with other tasks. Because of this delay, the staff fails to notice that this vendor's business continuity plan wasn't tested, which can cause major problems if there's a business-disrupting event.
No matter what the situation or reason, when there aren’t enough resources to ensure third-party risk management is working effectively, there are real impacts on the organization.
Considerations for Staffing a TPRM Team
There is no suggested ideal size or structure for a TPRM team. However, to determine the correct number of resources to support third-party risk management, one should consider the complexity of the organizational structure, the number of vendors under management and how the work is performed.
It may also be helpful to ask the following questions:
- What is the number of high-risk and critical vendors? These types of vendors may require more attention with frequent reviews and assessments.
- Are there a lot of time-consuming, manual processes? It may take the same person more time and effort to complete a process that otherwise might be automated. Also, consider if these processes are prone to errors.
- Are tasks and responsibilities aligned to those with the appropriate skill level, expertise and authority to handle them? For example, suppose the most senior third-party risk manager spends all their time with data entry and other administrative tasks. There will likely be less time to devote to more strategic and value-added activities such as collaborating with a first-line vendor owner to develop vendor service level agreements or ensuring the proper remediation of material issues.
- Are stakeholders held accountable for their TPRM responsibilities? If the first-line vendor owners don’t provide adequate oversight over their vendors, then consider whether this responsibility falls to someone from the TPRM team. If so, then TPRM will need many more people to perform work not intended for them.
- Is the business growing and adding more vendors or is the TPRM workload stable and predictable? Many of us know that there's no such thing as a slow season in TPRM and that workloads vary. Suppose the business is expanding and the subsequent outsourcing to vendors is also growing. In that case, it makes sense that you will need more resources to manage it all.
Even when processes are automated, tasks are undertaken by individuals with the appropriate skill level and the first line is held accountable, the workload still may be more than your current team can effectively manage.
How Many People Are Enough?
There's no magic number; however, we recommend the following as a guideline to calculate full-time employees (FTEs). As a general rule of thumb, this will be appropriate if you're using an automated platform, with about 10-15% of your total vendor portfolio consisting of critical or high-risk vendors that require annual risk assessments and a great deal of ongoing due diligence. This formula will vary based on the type of organization you have and should take into account the factors mentioned above:
- 1-3 FTEs for up to 300 vendors
- 3-5 FTEs for up to 500 vendors
- 1 additional FTE for every 200 vendors beyond that
Keep in mind that there must be at least one senior member on this team who has the experience and skill (5+ years) to set the standards for TPRM, prioritize work, work across stakeholder groups to solve issues and train more junior team members.
Benefits of Outsourcing TPRM
If your organization isn't ready or resourced to add additional FTEs, there are other options. Outsourcing portions of the TPRM process isn't only possible but is also an excellent way to add capacity without adding FTEs. Many companies offer third-party risk management services. In many cases, outsourcing processes like due diligence may make more financial sense than adding staff. By purchasing these services on a per-case basis, you're only paying for the time and services you need when you need them, while receiving high-quality services from certified experts. This strategy removes the need for recruiting and training FTEs.
From a budgetary perspective, it's often easier to secure funds for services than for FTEs. If this is true in your organization, it might be time to look into outsourcing. One caveat, though: your organization is always responsible for the risk, so it makes sense to research your options thoroughly and ensure that credentialed or certified experts provide the TPRM services.
Every organization has different resource needs when it comes to third-party risk management. However, when the work required to protect your organization and its customers from third-party risk while staying within regulatory guidelines isn’t achievable, it’s a problem that needs attention and action. Whether you decide to staff a TPRM team fully or outsource portions, or even the entire TPRM process, a healthy and fully functioning TPRM process is necessary.