The front-line staff who manage vendor relationships are uniquely positioned to spot problems before they escalate, yet many organizations fail to leverage this advantage. Gartner’s Chris Audet explores the psychological and structural barriers that prevent relationship owners from reporting concerns and maps out a comprehensive approach to turn these critical team members into proactive risk management partners.
In today’s rapidly evolving business landscape, third-party relationships have become indispensable. They accelerate growth, drive innovation and provide the competitive edge needed to thrive in a global market.
At the same time, these relationships also introduce an array of risks that can potentially jeopardize an organization’s reputation, financial stability and operational continuity. Recent Gartner data found a concerning trend: Nearly all third-party relationship owners annually identify red flags in third-party engagements but only about half report these concerns to compliance teams.
Compliance teams must empower relationship owners to play a more active role in third-party risk management (TPRM). Relationship owners are on the front lines of third-party interactions. They are the first to observe discrepancies, inefficiencies or potential misconduct. Their unique vantage point allows them to identify risks that might not be immediately apparent to compliance teams. By empowering them to share insights more effectively, organizations can significantly enhance their TPRM capabilities.
Barriers to effective communication
The previously mentioned internal Gartner survey of about 1,000 third-party relationship owners observed several areas where relationship owners were commonly failing to disclose red flags to compliance teams.
Relationship owners who observed and reliably shared red flags in each category
- Change to third-party risk landscape: 51%
- Change to third-party risk profile: 52%
- Change to scope of third-party relationship: 52%
- Material inaccurate information from third party: 53%
- Third-party failure to implement agreed risk mitigation: 54%
- Third-party risk event: 62%
This reluctance to report can be attributed to three main factors:
- Confidence in identifying red flags: Some relationship owners may lack the confidence to accurately identify and assess the severity of red flags. This can be addressed through targeted training and communication efforts that equip them with the necessary skills and knowledge.
- Objectivity in prioritizing issues: Relationship owners often develop close ties with third parties, which can cloud their judgment. This affinity may lead them to downplay concerns to protect their relationships. Some relationship owners may feel obligated to shield third parties from internal scrutiny, while others fear that involving compliance might harm these relationships.
- Perceived value in sharing information: Relationship owners may not see the immediate benefits of sharing information with compliance teams. Instead, they may perceive the process as cumbersome, or fear that it will not lead to meaningful action or that it will lead to action that may endanger their personal objectives.
Mitigate barriers to alleviate bias and strengthen transparency
Relationship owner bias is a common but complex tendency to show partiality toward a third party. Positive traits like frequent communication, trust and rapport can inadvertently lead to a reluctance to talk about issues. When relationship owners prioritize the needs of third parties over their organizations, risks can proliferate unchecked. To mitigate this, use training and ongoing conversations between relationship owners and their managers.
To enhance third-party risk management, organizations must foster a broad culture of transparency and collaboration. This includes four components that rely on training and ongoing communication between relationship owners and leadership.
- Training and education: Provide relationship owners with the tools and knowledge to confidently identify and report red flags. This includes workshops, seminars and regular updates on emerging risks and compliance requirements.
- Open communication channels: Establish clear and accessible channels for relationship owners to report concerns. This could involve regular check-ins, anonymous reporting mechanisms and a supportive environment that encourages open dialogue.
- Recognition and incentives: Acknowledge and reward relationship owners who proactively identify and report risks. This not only reinforces positive behavior but also underscores the value of their contributions to the organization’s risk management efforts.
- Leadership support: Ensure that senior leaders champion the importance of third-party risk management and demonstrate a commitment to addressing concerns raised by relationship owners.
Aligning with strategic goals while managing risk
Effective TPRM aligns with an organization’s strategic goals by safeguarding its reputation, ensuring compliance with regulatory standards and maintaining operational resilience. By empowering relationship owners to play a more active role in this process, organizations can mitigate risks more effectively and capitalize on the benefits of third-party engagements.
Heads of enterprise risk management (ERM) and compliance leaders face the daunting task of prioritizing third-party risks based on enterprise risk priorities. With an increased reliance on third parties, the majority of executive risk committee members now consider third-party risk a priority and have heightened expectations of ERM in this regard. However, a minority of ERM leaders feel capable of prioritizing and taking action to present third-party risks to the risk committee.
A complex matrix of functions and business units identifies, manages, assesses or responds to third-party risks. This compartmentalized approach can lead to blind spots as business units manage risks from a functional perspective, rather than an enterprise one. To address this, a tool that prioritizes third-party risks by residual risk score can be invaluable. It allows ERM and compliance leaders to analyze TPRM at the enterprise level, providing actionable insights to support the risk committee’s decision-making.
Relationship owners are the unsung heroes of third-party risk management. Their unique position allows them to identify potential risks early — but only if they are empowered to do so. By addressing the barriers to communication and fostering a culture of transparency, organizations can enhance their risk management capabilities and align with strategic goals. As the business landscape continues to evolve, the role of relationship owners will become increasingly critical in navigating the complexities of third-party engagements. By prioritizing effective communication and collaboration, organizations can turn potential risks into opportunities for growth and innovation.