Revamping Third-Party Risk Management: Insights from Andrew Morton
Introduction to TPRM Challenges
When Andrew Morton stepped into his role as Head of IT Governance, Risk, and Compliance (GRC) at Chemist Warehouse (CW Retail), he found the company’s third-party risk management (TPRM) approach in disarray. The existing system was largely dependent on spreadsheets, standardized questionnaires, and a one-size-fits-all method to assess vendors, irrespective of their specific risk profiles. For Morton, an ISO 27001 Lead Auditor with a keen eye for detail in security reports, this presented a clear opportunity for transformation.
The Need for a Risk-Based Approach
“From day one, it was evident our TPRM framework was misaligned with our needs,” Morton shared during a discussion. The existing processes lacked consistency, were reactive rather than proactive, and failed to provide a solid foundation. Morton recognized the necessity to shift the focus toward a scalable, risk-based model that aligned with industry benchmarks, ultimately providing the leadership team with a trustworthy vendor ecosystem.
Core Design Decisions for TPRM
Establishing Vendor Tiering
One of the critical changes Morton emphasized was vendor tiering. “Understanding which vendors are crucial is foundational,” he remarked. Without this knowledge, resource allocation becomes inefficient. High-risk vendors require thorough examinations, while low-risk partners can be managed with less intensive scrutiny. This tiered approach not only optimizes resources but also keeps the engagement between the business and risk management positive.
Implementing Adaptive Questionnaires
Next on Morton’s priority list were adaptive questionnaires. These allow for deeper exploration of vendor risks only when certain indicators trigger concern. By avoiding a blanket approach, the company can scale effectively without alienating vendors with irrelevant inquiries.
Utilizing Independent Assurance Reports
Morton also highlighted the importance of independent assurance reports, such as SOC 2 and ISO 27001 certifications. “These reports provide a solid baseline of confidence concerning a vendor’s controls,” he stated. They enable teams to focus on real risk areas rather than spending time on redundant assessments.
Gaining Fourth-Party Visibility
Morton’s strategy also extends beyond first-level vendors. “We need to understand our vendors’ vendors,” he noted. By focusing one layer deep on critical sub-processors, Morton ensures that the same rigorous standards applied internally are mirrored downstream. His minimum requirements include understanding who these sub-processors are, the regions they operate in, and the types of data they handle.
Effective Vendor Onboarding
Onboarding challenges are prevalent in TPRM, especially with a growing number of vendors. Morton advocates for a risk-tiered model that allows different levels of scrutiny based on vendor classification. “This process prevents bottlenecks and keeps the business moving,” he explained. Low-risk vendors undergo a lightweight assessment, while those deemed critical receive more detailed evaluations, striking the right balance between speed and thoroughness.
Listening to the Executive Team
Morton emphasizes that metrics tied directly to business exposure resonate more with executives than mere operational details. He found success in showcasing the percentage of critical vendors with outstanding high-severity issues rather than focusing on the number of questionnaires completed. This risk-centric language helps to communicate the impact of TPRM initiatives effectively.
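The tiering, adaptive questionnaire, fourth-party visibility and executive-metric ideas from the sections above can be modelled as one small risk engine. The following is an added illustration written for this page, not Chemist Warehouse's or Morton's own tooling: the risk weights, tier thresholds, question text and the sample vendor register are constructed assumptions, chosen only to show how the pieces fit together (tier drives depth of review, indicators trigger follow-up modules, an assurance report replaces baseline questions with scope questions, and the headline metric is exposure-based rather than activity-based).

```python
"""Risk-based vendor tiering, adaptive questionnaires, fourth-party checks and an
executive metric. Weights, thresholds, questions and sample data are constructed
for this example and are not a real organisation's model."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SubProcessor:
    """Fourth-party record: the minimum asked for is who they are,
    where they operate and what data they handle."""
    name: str
    region: str
    data_types: frozenset


@dataclass
class Vendor:
    name: str
    handles_personal_data: bool
    handles_payment_data: bool
    has_network_access: bool        # VPN, API or agent access into our environment
    business_critical: bool         # an outage would stop a core business process
    assurance_reports: frozenset = field(default_factory=frozenset)  # e.g. {"SOC2", "ISO27001"}
    sub_processors: tuple = ()
    open_high_severity_findings: int = 0


# Constructed weights and thresholds; a real programme would calibrate these.
RISK_WEIGHTS = {
    "handles_personal_data": 2,
    "handles_payment_data": 3,
    "has_network_access": 2,
    "business_critical": 3,
}
TIER_THRESHOLDS = ((6, "critical"), (3, "high"), (0, "low"))


def inherent_risk_score(v: Vendor) -> int:
    """Sum the weights of every risk indicator the vendor has."""
    return sum(w for attr, w in RISK_WEIGHTS.items() if getattr(v, attr))


def tier_for(v: Vendor) -> str:
    """Map the inherent score onto the first tier whose threshold it meets."""
    score = inherent_risk_score(v)
    return next(tier for threshold, tier in TIER_THRESHOLDS if score >= threshold)


BASELINE_QUESTIONS = [
    "Do you maintain a documented information security policy?",
    "Are staff given security awareness training at least annually?",
    "Do you have an incident response process that includes customer notification?",
]
ASSURANCE_SCOPE_QUESTIONS = [
    "Provide the current report, its scope statement, any exclusions and any major non-conformities.",
]
# Follow-up modules asked only when the matching indicator is present.
TRIGGERED_MODULES = {
    "handles_personal_data": ["Where is personal data stored and how long is it retained?"],
    "handles_payment_data": ["Provide evidence of current PCI DSS compliance for in-scope systems."],
    "has_network_access": ["Is MFA enforced and is access reviewed at least quarterly?"],
    "business_critical": ["Describe tested recovery time and recovery point objectives."],
}


def questionnaire_for(v: Vendor) -> list:
    """Adaptive questionnaire: a SOC 2 or ISO 27001 report covers the baseline
    controls, so the baseline is replaced by scope questions rather than
    re-asking what the report already attests; modules are added per indicator."""
    has_report = bool(v.assurance_reports & {"SOC2", "ISO27001"})
    questions = list(ASSURANCE_SCOPE_QUESTIONS if has_report else BASELINE_QUESTIONS)
    for indicator, module in TRIGGERED_MODULES.items():
        if getattr(v, indicator):
            questions.extend(module)
    return questions


def fourth_party_gaps(v: Vendor) -> list:
    """Sub-processor visibility one layer deep is required for critical and high tiers."""
    if tier_for(v) == "low":
        return []
    if not v.sub_processors:
        return [f"{v.name}: no sub-processor inventory declared"]
    gaps = []
    for sp in v.sub_processors:
        if not sp.region:
            gaps.append(f"{v.name}/{sp.name}: operating region unknown")
        if not sp.data_types:
            gaps.append(f"{v.name}/{sp.name}: data types handled unknown")
    return gaps


def pct_critical_vendors_with_open_high_findings(vendors) -> float:
    """Exposure metric for executives: share of critical vendors carrying
    unresolved high-severity findings (not the number of questionnaires done)."""
    critical = [v for v in vendors if tier_for(v) == "critical"]
    if not critical:
        return 0.0
    exposed = sum(1 for v in critical if v.open_high_severity_findings > 0)
    return 100.0 * exposed / len(critical)


# Constructed sample vendor register (hypothetical names).
SAMPLE_VENDORS = [
    Vendor("PaymentsCo", True, True, True, True, frozenset({"SOC2"}),
           (SubProcessor("CloudHost", "AU", frozenset({"cardholder data"})),), 2),
    Vendor("LogisticsCo", True, False, False, True),
    Vendor("OfficeSupplies", False, False, False, False),
    Vendor("LoyaltyApp", True, False, True, True, frozenset({"ISO27001"}),
           (SubProcessor("AnalyticsCo", "", frozenset()),), 0),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(v.name, tier_for(v), len(questionnaire_for(v)), "questions", fourth_party_gaps(v))
    print("critical vendors with open high findings:",
          pct_critical_vendors_with_open_high_findings(SAMPLE_VENDORS), "%")
```

Running it prints one line per vendor showing its tier, how many questions its adaptive questionnaire contains and any fourth-party gaps, followed by the single exposure percentage that would go on an executive dashboard. The low-tier vendor gets only the three baseline questions, while the vendor with a SOC 2 report gets scope questions plus triggered modules, which is the resource-allocation effect tiering is meant to produce.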
Beyond Simple Compliance
Approaching assurance reports with scrutiny remains paramount for Morton. “I never accept certification at face value. It’s vital to understand the scope, exclusions, and any major non-conformities,” he asserted. This comprehensive review ensures that the assurance reports truly align with the organization’s needs and offer genuine protection.
Collaborating Across Departments
Morton acknowledges that effective TPRM requires collaboration between procurement, legal, and operational teams. By creating a flowchart that outlines roles and responsibilities, Chemist Warehouse ensures alignment across departments, reinforcing a unified approach to risk management.
Preparing for the Future of GRC
Looking ahead, Morton envisions GRC evolving into a more automated discipline, supported by AI for routine tasks. He believes that this transition will enable teams to allocate more time to strategic risk decisions rather than administrative tasks.
Final Insights
Through his experience, Andrew Morton underscores the importance of a risk-based framework in TPRM, emphasizing resource allocation, stakeholder engagement, and strategic metrics. His insights offer valuable lessons for organizations aiming to refine their third-party risk management strategies in an evolving landscape.