Our guest blog on third-party risk is presented by Argos Risk, an SAI360 technology partner.
There are four "gaps" to manage in Third-Party Risk Management (TPRM) – people, processes, tools, and knowledge. Of these, the most challenging to conquer is knowledge. Specifically, many organizations lack insight into the current state and stability of their key vendor relationships.
In the fall of 2020, while the pandemic raged and the economy suffered through wild swings, vendor-related decisions were made based on information from 2019. The reason? Organizations were still relying solely on annual reviews and point-in-time reports to perform vendor due diligence.
During this time, the team at Argos Risk received a call from a procurement officer whose organization had suffered through multiple operational interruptions because of issues related to their vendors. The officer vented, "I don't understand it; we did everything by the book. The folders we have on our vendors are overflowing with information. Why can't we see these vendor failures coming?"
While impressive in volume, the vendor folders were outdated, ignored, or misunderstood. For example, while they collected audited financials, no one on the vendor management team could effectively interpret them.
To conquer the knowledge gap, modern vendor management programs leverage technology, automation, analytics, and risk-based scores to maintain internal vendor risk profiles based on the most readily available information.
The three most common sins in vendor management are:
- Expecting that an employee with hope, a good attitude, and an Excel spreadsheet can create and manage a modern vendor management program.
- Ignoring independent sources and relying only on the vendor to provide all the information considered in due diligence.
- Employing a “one size fits all” mentality when vetting and managing vendors.
If one industry can conquer procedural frameworks and regulatory compliance, it is healthcare. However, as with any new program, there is a learning curve. If your organization is looking to build a vendor management program on best practices, numerous frameworks are available. The National Institute of Standards and Technology (NIST) provides frameworks that apply to most industries.
What are the day-to-day TPRM challenges in healthcare?
The breadth and frequency at which data must be collected, analyzed, and interpreted have reached the point where the work cannot be done effectively by hand. For any mission-critical vendor, or any vendor with access to patient data, you need to assess and monitor the vendor's financial stability, compliance status, legal exposure, consumer/patient complaints, cyber and network security, and much more.
The epitome of this challenge is sanctions checking. Currently, the U.S., NATO, and Russia are exchanging sanctions, which could affect the vendors with which you can legally do business. Under normal circumstances, a Russian-owned company may not get a second look in due diligence, but now…?
FYI, this is the problem we solve for our subscribers. The Argos Risk platform ingests data from trusted, vetted sources to build risk profiles that measure these and other key areas.
Most vendors are small, privately held companies, and they are not under any obligation to disclose any information to outside parties. However, healthcare organizations are more likely to do business with those vendors who understand the regulatory burden and provide information and resources that help expedite the vetting process.
Making informed decisions about healthcare partners
How have healthcare organizations typically made decisions about partners and vendors? By recommendation, cost, availability, proximity?
It depends on the type of relationship associated with the third party. If an organization is looking for a commodity-type product, then the criteria for picking the supplier will be more heavily weighted toward price, availability, and speed of delivery. For a higher-value, strategic purchase, let's say a new MRI machine, the criteria will shift to product quality, service programs, educational support, etc.
However, one of the strongest influencers in selecting a vendor or partner is a recommendation from a trusted source, such as a fellow professional. The danger in these recommendations is that the prospective vendor may enter the due diligence process with an implied “seal of approval” and not be vetted as carefully as others.
Risk-based scoring and leveraging independent sources of information will help protect the organization in these cases.
What was the impact of the pandemic?
From a third-party risk management standpoint, everything has become more intense. In 2020, over 75% of businesses suffered an interruption in operations either due to COVID-19 or issues with third parties. The financial impact of the average interruption was $100 million. This has played a major role in the evolution of risk management from a perceived bureaucratic burden into a critical part of business resiliency strategy.
For the consumer, the most significant change is the rise and acceptance of telemedicine. However, the practice of providers contracting these services to outside firms has exposed severe weaknesses in third-party vetting. While this practice is relatively new, we already have major fraud cases originating from poorly vetted providers, and regulators have taken notice.
What is the financial impact for healthcare organizations?
Everything in healthcare is large: the stakes, the consequences, and the money. Let's talk about fraud. When referencing banking fraud, the money is usually measured in thousands; in ransomware attacks, it's in hundreds of thousands; and when talking about healthcare fraud, especially fraud involving third parties, those numbers are often in the hundreds of millions of dollars.
How TPRM in healthcare differs from other verticals
It's a combination of the heavily regulated environment, the fact that a vendor may influence a person's health, and the amount of money involved. In other industries, when you hear "that's the way we've always done it," it is usually a justification for taking a shortcut or not using a recommended best practice. In healthcare, the danger is the opposite: an intense practice, suitable for one class of vendor, is applied globally across a portfolio, and you wind up with an IT vendor being vetted in the same manner as a drug manufacturer.
It's essential to manage the vendor relationship in relation to that vendor's operational role.