In today’s highly automated business operations, there is an abundance of software tools to help organizations manage their business processes more effectively with fewer resources. The Contract Lifecycle Management (CLM) space is certainly one in which solutions abound to help manage the contract lifecycle. A similar statement could be made about the wide variety of Third-Party Risk Management (TPR) solutions available in the marketplace. CLM and TPR tend to be treated as separate, siloed functions, as one domain is not contingent on the other in most organizations. However, there is a strong business case to be made that they should be operationally integrated.
Although many definitions exist, CLM is simply a process of creating, executing, and proactively managing the relationship between an organization and one or more third parties to ensure the fulfillment of commitments made by each party.
While there are multiple dimensions to CLM and multiple types of contracts, most contracts follow a similar lifecycle:
TPR may not be as common a phrase today as CLM. However, TPR is the overarching process of managing an organization’s Governance, Risk, and Compliance (commonly referred to as GRC). As with CLM, TPR is multi-dimensional in that it can encompass many different aspects of risk management depending on the specific operating parameters within a specific organization. This would include an onboarding/due diligence process that might include the internal review and analysis of at least some of the following aspects of a Third Party:
Specific industries will place more emphasis on some areas (e.g. financials, money laundering, politically exposed people, etc.) than other industries based on regulatory demands. Other industries may need to place more emphasis on brand reputation and corporate culture when considering a contractual relationship with a third party. See also “Preparing for Third Party Risk Management” for more information on setting up a TPR program.
Over the past 20 years, there has been an explosion of software solutions tailored to separately address CLM and TPR requirements. A Google search will quickly find well over a hundred Contract Lifecycle Management products in the marketplace. A search for Third-Party Risk Management tools will provide even more results, although there is a broader spectrum of risk management tools compared to contract management.
It would seem logical to bring these two processes together to ensure the continuity and the effectiveness of due diligence prior to contract signing. Additionally, it is critical to maintain ongoing monitoring of the higher-risk third parties to ensure they continue to meet the standards and practices formalized in the relationship.
Undertaking defined levels of due diligence based on a calculated risk score can drive varying levels of compliance review, so that you know who your third parties are and have documented the results before engaging in the contract process. It is much better to know that you have properly vetted the third party before investing any time building and negotiating the contract.
Once the contract has been executed, it is critical to your organization’s brand and reputation to perform regular checks on the third party to ensure they are living up to expectations. The frequency of these checks will be predicated on the level of risk presented by the relationship.
The success of the combined TPR and CLM process can be achieved very easily by using the right tools and some simple procedures. Here is a high-level view of the steps:
For some types of contracts where the risk level is low, there generally isn’t a need to spend a lot of effort on onboarding activities. But having a consistent approach to determining what the contractual relationship will be and what the risk level is is just sound business practice. The process doesn’t need to be cumbersome or onerous. The start of the process is as simple as answering some basic questions and letting the system drive the required steps to ensure corporate policies and procedures are followed while providing a full audit trail. Being able to prove that you have an effective and adaptable risk management program will go a long way toward complying with the ever-changing and demanding regulatory world organizations operate in today.
Copyright © Symfact 2018